[ale] PGP/GPG Keysigning party! ALE Central November 19th. (Mac OSeX prep)

Richard Bronosky Richard at Bronosky.com
Tue Nov 3 15:51:43 EST 2009


By mess I simply meant that it felt like the kind of hack that any
Linux person would respond with "Why the eff are you not using your
package manager for that?" I got MacGPG and the keychain/agent tool
and the GUI pinentry tool all working on Tiger. I just learned my
lesson from it.

On 11/3/09, scott <scott at sboss.net> wrote:
> I have used the native ports of gpg on the mac for way too many years
> with Zero issues.  The only current issue is GPGMail doesn't support
> Snow Leopard.  But people are working on that. It uses a non-documented
> and changes every release API.  But that is only the addon
> for Mail.app to do GPG.
>
> On my Snow Leopard MBP I downloaded gpg2 from gnupg's site and it
> works flawlessly.  Including new key generation.
>
> YMWV....
>
> Sent from my mobile...
>
> On Nov 3, 2009, at 11:26, aaron <aaron at pd.org> wrote:
>
>> On 2009, Nov, 02, , at 12:47 PM, Richard Bronosky wrote:
>>> The macgpg stuff is a mess. I suggest installing MacPorts
>>> and then:   sudo port install gnupg2
>>
>> Not sure if by "mess" you mean it may not generate keys properly
>> or if you are talking about known challenges to integrating gpg
>> with certain Apple softwares.  The package I installed seems to
>> have worked for me in producing keys, but please share if you
>> know of potential or hidden problems with keys made with the
>> latest Mac GnuPG2 release.
>>
>> As for the MacPorts suggestion... I went the Fink route pretty
>> early on and, as I understand it, Fink and MacPorts don't play
>> well together. I should probably make the effort to switch,
>> though, since MacPorts seems to have become the better supported
>> path to OSS Free Software ports for Mac.
>>
>> Thanks for the note and suggestion!
>>
>> peace
>> aaron
>>
>>
>>
>>> On Mon, Nov 2, 2009 at 12:26 PM, aaron <aaron at pd.org> wrote:
>>>> This past weekend I dove into doing my homework for the Key
>>>> signing party at the November 19th ALE meeting.  To follow
>>>> Michael's recommendation of generating an RSA / RSA pair
>>>> using Mac OSeX requires the latest GnuPG2 packages.
>>>>
>>>> I found them at:
>>>>
>>>> <http://sourceforge.net/projects/macgpg2/files/>
>>>>
>>>> It's a simple unzip / mpkg install, but requires OSeX 10.4.x
>>>> or better.  Though not explicitly stated, it seems to be a
>>>> Universal binary since it installs and runs on my PPC systems
>>>> without issue.
>>>>
>>>> With Mac gpg2, RSA / RSA is the default 1st choice of --gen-key.
>>>> Other useful info and GUI based MacGPG tools can be found at:
>>>> <http://macgpg.sourceforge.net/>
>>>>
>>>> Also, in trying to do a write up for the event, I found a
>>>> very informative "How To [GPG] Party" page that covers a lot
>>>> of aspects of the WHY as well as the HOW of the web of trust
>>>> and such...
>>>>
>>>> <http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html>
>>>>
>>>> HTH!
>>>> peace
>>>> aaron
>>>>
>>>>
>>>>
>>>>
>>>> On 2009, Oct, 27, , at 9:14 PM, Michael H. Warfield wrote:
>>>>> Hello all!
>>>>>
>>>>> Aaron approached me a couple of days ago about running a PGP/GPG
>>>>> key signing party for the November ALE meeting.  Looking back, it
>>>>> looks like the last one was 6-1/2 years ago!  Wow, time flies...
>>>>> Ok...  So be it.
>>>>>
>>>>> I will do a VERY BRIEF intro to public key cryptography before the
>>>>> meeting but a successful key signing party depends on preparation
>>>>> in advance on the part of the participants!  Even well organized
>>>>> keysigning parties can degenerate into chaos very easily.  Do not
>>>>> come to the meeting looking to learn how to create a new key.  You
>>>>> should have your keys ready in advance.  If not, still come, but
>>>>> understand that you'll learn something about PGP but you probably
>>>>> won't walk away with keys or signatures.
>>>>>
>>>>> To make this go smoothly, I will collect keys in advance of the
>>>>> meeting and print out sheets with key fingerprints.  That saves an
>>>>> incredible amount of time and effort during the actual meeting and
>>>>> gives me an idea of how many keys to expect and copies to make.  It
>>>>> also permits me to have a collected keyring I can make available to
>>>>> everyone after the meeting.  Please expect to provide at least one
>>>>> photo id which will be projected on a screen for everyone to see
>>>>> (sensitive numbers will be blacked out with tape).  Driver's
>>>>> license or passport are preferred.
>>>>>
>>>>> With recent developments in cryptography, some doubt is being cast
>>>>> on the DSS/DSA keys.  Debian folks are strongly recommending a
>>>>> return to RSA keys and have some "procedures" in place for this.
>>>>>
>>>>> http://www.debian-administration.org/users/dkg/weblog/48
>>>>>
>>>>> If you are thinking it's time to dump off the old DSS/DSA keys and
>>>>> migrate back to an RSA 2048 bit key, now is the time as well.  My
>>>>> older RSA 1024 bit key is still active and I have a DSS/DSA key as
>>>>> well but these are both being relegated to "legacy" and I now have
>>>>> a 2048/R key (0x674627FF).  I'm not invalidating my old keys but I
>>>>> will only now be using them for key signing (my 0xDF1DD471 key is
>>>>> in the web of trust book and still in the PGP strong set).
>>>>>
>>>>> If you're not running the latest GnuPG, which should now be
>>>>> defaulting to RSA/RSA keys, it can get a little bit tricky to
>>>>> create a new style RSA key.  With older (default DSS/DSA) versions
>>>>> of GnuPG, you should create a new key but don't accept the default
>>>>> DSA and select "RSA (sign only)" key instead.  Once the key is
>>>>> created, edit that key and add an RSA encryption key to it.
>>>>>
>>>>> Better yet, update your GnuPG and the default will create the new
>>>>> key like you want (RSA and RSA - sign and encrypt).  If you don't
>>>>> have a current key and you don't know what any of this is about,
>>>>> that's fine.  Just create a new RSA key for yourself (if it says
>>>>> RSA and RSA - TAKE THAT OPTION).  If you don't see that option
>>>>> available, ask for help or update your system first.
>>>>>
>>>>> What I need from YOU!  Well in advance of the meeting, please send
>>>>> your PGP public keys to alekeyparty at wittsend.com.  If you do not
>>>>> have a PGP key and are just looking to get started, the time to
>>>>> start is right now!  The time is NOT at a key signing party.  This
>>>>> list has some very bright folks on it who can help you out if you
>>>>> are having difficulties.  I will try to answer questions as best I
>>>>> can, but ask them now.
>>>>>
>>>>> Last time, we had a few people who did not submit their keys in
>>>>> advance.  That's fine as long as it's not excessive or we will be
>>>>> there all night.  At the very least, if you don't submit your keys
>>>>> in advance, your keys must be on the public keyservers and you
>>>>> should come with printouts of your key fingerprint.  I have
>>>>> business cards on which I have my key fingerprints printed.  Some
>>>>> people use little strips of paper.  All of that is fine but it
>>>>> should be on "dead trees edition" and enough copies so you can pass
>>>>> them out and people can make notes on them.
>>>>>
>>>>> Procedure at the meeting...  People who submitted their keys go
>>>>> first.  We will pass out the preprinted sheets and then call people
>>>>> up to project their id's.  The audience can then take notes on the
>>>>> sheets that they have confirmed their identification (anyone not
>>>>> showing up obviously is not confirmed AND SHOULD NOT BE SIGNED).
>>>>> After that, anyone with keysigning cards or other information to
>>>>> pass out can go from there.  Anyone not prepared, we'll do what we
>>>>> can but you pays your nickel and you takes your chance.
>>>>>
>>>>> Procedure after the meeting...  I'll update MY keyring with any
>>>>> last minute additions, clean out the "no shows", and then make an
>>>>> announcement to the list.  You can then download that keyring and
>>>>> sign those keys which you feel comfortable that you confirmed their
>>>>> identity.  You can then submit them to a public key server or send
>>>>> them back to the same E-Mail address above and I'll submit them in
>>>>> bulk.
>>>>>
>>>>> Any questions, please feel free to ping me but please do it early.
>>>>> We've only got about 3 weeks before this thing.
>>>>>
>>>>> Side note.  I'm looking into also including a CA-Cert web of trust
>>>>> verification.  That's for X.509 certificates from CA-Cert
>>>>> <http://www.cacert.org>.  If you are interested, go up to their
>>>>> site and see what the deal is there.  Being preregistered with them
>>>>> helps.  You can get free X.509 S/Mime certificates and register
>>>>> OpenID with them.  That all depends on me getting some additional
>>>>> CA-Cert "assurers" involved (there are several in the area).  We
>>>>> did this at USENIX Lisa a couple of years back and it works in real
>>>>> well with a keysigning party.  I'll post more details once I know
>>>>> more, if I can pull that off.
>>>>>
>>>>> Regards,
>>>>> Mike
>>>>> --
>>>>> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>>>>>   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>>>>>   NIC whois: MHW9          | An optimist believes we live in the best of all
>>>>> PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>>>>> _______________________________________________
>>>>> Ale mailing list
>>>>> Ale at ale.org
>>>>> http://mail.ale.org/mailman/listinfo/ale
>>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>>> http://mail.ale.org/mailman/listinfo
>>
>>> --
>>> .!# RichardBronosky #!.

-- 
Sent from my mobile device

.!# RichardBronosky #!.
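
The post-meeting step in Michael's quoted announcement (download the collected keyring, then sign only the keys whose owners you confirmed), as an added example that is not part of the original thread. The listing is constructed sample data in GnuPG's `--with-colons --fingerprint` layout; every name and fingerprint is made up, and `KEYRING_LISTING`, `MY_SHEET`, `parse_keyring` and `triage` are hypothetical names.

```python
# Constructed sample in `gpg --with-colons --fingerprint` format (not real keys).
KEYRING_LISTING = """\
pub:-:2048:1:1111222233334444:2009-10-20:::-:Alice Example <alice@example.org>::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
pub:-:1024:17:5555666677778888:2003-04-01:::-:Bob Example <bob@example.org>::scESC:
fpr:::::::::0000999988887777666655555555666677778888:
pub:-:2048:1:9999AAAABBBBCCCC:2009-11-01:::-:Carol Example <carol@example.org>::scESC:
fpr:::::::::123456789ABCDEF0123456789999AAAABBBBCCCC:
"""
# Notes from the printed sheet: fingerprint as printed -> ID confirmed in person?
MY_SHEET = {
    "AAAA BBBB CCCC DDDD EEEE  FFFF 1111 2222 3333 4444": True,   # ID checked
    "0000 9999 8888 7777 6666  5555 5555 6666 7777 8888": False,  # no-show
    # Constructed mismatch: last group differs from the keyring copy above.
    "1234 5678 9ABC DEF0 1234  5678 9999 AAAA BBBB CCCD": True,
}
ALGO = {"1": "RSA", "17": "DSA"}  # OpenPGP public-key algorithm numbers

def norm(fpr):
    """Fingerprints are printed in spaced groups; compare them as bare hex."""
    return "".join(fpr.split()).upper()

def parse_keyring(listing):
    """Return one dict per primary key found in colon-format output."""
    keys, cur = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = {"uid": f[9], "algo": ALGO.get(f[3], f[3]), "bits": int(f[2]), "fpr": None}
            keys.append(cur)
        elif cur and f[0] == "fpr" and cur["fpr"] is None:
            cur["fpr"] = norm(f[9])   # first fpr after pub is the primary key's
        elif cur and f[0] == "uid" and not cur["uid"]:
            cur["uid"] = f[9]         # newer GnuPG lists the user ID separately
    return keys

def triage(listing, sheet):
    """Split the keyring into keys to sign and keys to skip, with a reason."""
    confirmed = {norm(fpr): ok for fpr, ok in sheet.items()}
    sign, skip = [], []
    for k in parse_keyring(listing):
        if k["fpr"] not in confirmed:
            skip.append((k["uid"], "fingerprint not on my sheet"))
        elif not confirmed[k["fpr"]]:
            skip.append((k["uid"], "identity not confirmed (no-show)"))
        else:
            sign.append((k["uid"], k["fpr"], f'{k["bits"]}-bit {k["algo"]}'))
    return sign, skip
```

Calling `triage(KEYRING_LISTING, MY_SHEET)` returns Alice's key as the only one to sign; Bob is skipped as a no-show and Carol because the keyring copy does not match the fingerprint written on paper.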

