Skip to content
This repository has been archived by the owner on Feb 2, 2023. It is now read-only.

Submit all the keys on a keylist to keys.openpgp.org, and request email verification for all UIDs

License

Notifications You must be signed in to change notification settings

firstlookmedia/hagrid-verifier

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

hagrid-verifier

This script submits all the keys on a keylist to keys.openpgp.org, and requests email verification for all UIDs.

Why?

The SKS keyserver network is vulnerable to certificate flooding attacks, making it trivial for anyone to prevent anyone else's public key from getting fetched from these servers. And the software that powers SKS keyservers is unmaintained, so there's little chance that this and other critical vulnerabilities will ever get fixed.

If you run a keylist for your organization, it's prudent to migrate all keys on it over to keys.openpgp.org, a new abuse-resistent keyserver that's powered by software called Hagrid. Hagrid has important differences from SKS keyservers that are necessary to understand for those who manage a keylist:

  • Anyone can upload public keys, but by default Hagrid strips all user IDs, signatures, and everything else. Only the cryptographic key material is freely distributed.
  • If a user wants their user ID to be available, this UID needs to contain an email address, and the user needs to opt-in to including their email address by verifying it. Hagrid will send a verification email, and the user must click a link in the email.
  • Because signatures are stripped, Hagrid cannot be used to facilitate the web of trust.

This means that if you subscribe to a keylist and refresh keys from keys.openpgp.org for the first time, you'll download all of the public keys, but only the ones who have opted in will contain UIDs with email addresses, so you'll only be able to send encrypted email to those people.

If you're migrating an existing keylist to using keys.openpgp.org, this script helps you automate opting everyone in. You run it and pass in a JSON keylist filename. For each key in the keylist, it exports the public key from your local gnupg keyring (you must already have these keys imported), uploads it to keys.openpgp.org, and asks if you'd like to request verification emails for all of them. If you choose yes, it requests verification emails in bulk, and all members of the keylist will receive an email from the keyserver with a link they must click.

You can re-run this script at any point to check the status of your keylist, to see which members haven't opted in yet, without re-requesting verification emails.

How?

You need python 3 and pipenv. Install the dependencies:

pipenv install

Run the program:

pipenv run ./hv.py [KEYLIST_FILENAME]

About

Submit all the keys on a keylist to keys.openpgp.org, and request email verification for all UIDs

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages