
Re: weird OpenPGP expiration dates in AM reports [was: Re: AM report for Daniel Kahn Gillmor]



On 04/23/2009 12:59 PM, Ana Guerrero wrote:
> On Thu, Apr 23, 2009 at 12:45:11PM -0400, Daniel Kahn Gillmor wrote:
>> If someone could point me to the scripts, i can try to take a look at
>> writing this logic in something more effective than pseudocode.
> 
> It is at:
> 
> http://svn.debian.org:80/viewsvn/nm/trunk/nm-templates/keycheck.sh

Thanks, Ana.  Interestingly, the expiration date-checking code seems to
only check for the expiration of subkeys.  For most gpg-generated keys
(those generated using the defaults), this will probably identify
encryption keys only.  Is this the desired functionality?  The comments
in the latest version also suggest that the check is in place for the
initial password send-out, since they are concerned about the duration
immediately after the report.

(although 1 month after AM report doesn't seem to be sufficient with
current delays between FD and DAM checkoff, but that's another issue
entirely)

Attached is an implementation of the checks i think are correct: The
rather too-long embedded awk script makes sure that a particular usage
flag expires after a particular time.  It is then invoked twice, once
for encryption keys and once for signing keys.

There are a couple of other minor cleanups in there too.

I don't have write access to the nm svn, but i offer these changes under
GPL-2 (like the rest of the file), and would be happy if anyone wanted
to apply it.

Regards,

	--dkg
Index: keycheck.sh
===================================================================
--- keycheck.sh	(revision 1052)
+++ keycheck.sh	(working copy)
@@ -10,13 +10,19 @@
 #
 # This little (and maybe bad) script is used by me (and maybe others) to
 # check keys from NM's.
+#
 # First it syncs local copies of the debian-keyring with keyring.d.o
 # (the keyring package is too old) and then it downloads the
 # key of the NM from a keyserver in the local nm.gpg file.
+# 
 # After that it shows the key and all signatures made by an
 # existing Debian Developer and prior NM (except if you delete the key from
 # nm.gpg after this.
 #
+# finally, it checks to make sure that the key has encryption and
+# signature capabilities, and will continue to have them one month
+# into the future.
+#
 # ~/debian/keyring.debian.org/keyrings/ will be created if it doesn't exist.
 #
 # Usage:
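Review bot: two style nits in the new header comment. The added `+# ` line after "nm.gpg file." carries trailing whitespace, and "finally, it checks" should be capitalised to match the "First it syncs" and "After that it shows" sentences it follows. It would also help to say "31 days" rather than "one month", since that is what the EXPCUTOFF computation further down actually uses.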
@@ -49,32 +55,75 @@
 echo "Syncing Debian Keyrings with rsync from keyring.debian.org"
 rsync -qcltz --block-size=8192 --partial --progress --exclude='emeritus-*' --exclude='removed-*' 'keyring.debian.org::keyrings/keyrings/*' $DESTDIR/.
 echo "Receiving and checking key"
-gpg $2 ${GPGOPTS} --keyserver=$KEYSERVER --recv-keys 0x$KEYID
+gpg $2 ${GPGOPTS} --keyserver=$KEYSERVER --recv-keys "0x$KEYID"
 gpg $2 ${GPGOPTS} -v --with-fingerprint --keyring $DESTDIR/debian-keyring.gpg --keyring $DESTDIR/debian-keyring.pgp --check-sigs $KEYID
 
 echo "Let's test if its a version 4 or greater key"
-VERSION=$(gpg ${GPGOPTS} --with-colons --with-fingerprint --list-keys 0x$KEYID | awk -F : '$1 == "fpr" {print length($10)}')
+VERSION=$(gpg ${GPGOPTS} --with-colons --with-fingerprint --list-keys "0x$KEYID" | awk -F : '$1 == "fpr" {print length($10)}')
 
 if [ $VERSION -eq 32 ]; then
 	echo "Warning: It looks like this key is an Version 3 GPG key. This is bad."
 	echo "This is not accepted for the NM ID Step. Please doublecheck and then"
 	echo "get your applicant to send you a correct key if this is script isnt wrong."
 else
-	echo "Key is ok"
+	echo "Key is OpenPGP version 4 or greater.  Good!"
 fi
 
+# this awk script checks to see whether the key details on stdin show
+# a valid usage flag for a given future date.
+#    (author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>)
+#
+# it needs two variables set before invocation:
+#  KEYFLAG: which flag are we looking for?  (see http://tools.ietf.org/html/rfc4880#section-5.2.3.21
+#    gpg supports at least: 
+#      a (authentication), e (encryption), s (signing), c (certification)
+#  TARGDATE: unix timestamp of date that we care about
+AWK_CHECKDATE='
+ BEGIN {
+  PRIFLAGS = "";
+  SUBFOUND = 0;
+ } 
+ $1 == "pub" && $2 != "r" {
+  PRIFLAGS = $12;
+  PRIEXP = $7;
+  PRIFPR = $5;
+ }
+ $1 == "sub" && $2 != "r" && $12 ~ KEYFLAG {
+  if (!SUBFOUND || $7 == "" || (SUBEXP != "" && $7 > SUBEXP) )
+    SUBEXP = $7;
+  SUBFOUND = 1;
+ }
+ END {
+ if (PRIFLAGS ~ KEYFLAG)
+  EXPIRES=PRIEXP; 
+ else if (!SUBFOUND)
+  { print "No valid \"" KEYFLAG "\" usage flag set on key 0x" PRIFPR "!" ; exit 1 }
+ else if (PRIEXP != "" && PRIEXP < SUBEXP) 
+  EXPIRES=PRIEXP; 
+ else
+  EXPIRES=SUBEXP;
+ if ( "" == EXPIRES )
+  print "Valid \"" KEYFLAG "\" flag on key 0x" PRIFPR ", no expiration";
+ else if ( EXPIRES > TARGDATE )
+  print "Valid \"" KEYFLAG "\" flag on key 0x" PRIFPR ", expires " strftime("%c", EXPIRES) ", OK!";
+ else {
+  print "Valid \"" KEYFLAG "\" flag on key 0x" PRIFPR ", but it expires " strftime("%c", EXPIRES);
+  print "This is too soon!";
+  print "Please ask the applicant to extend the lifetime of their OpenPGP key!";
+  exit 1;
+ }
+ }
+'
+
+# we want to make sure that there will be usable, valid keys a month in the future:
+EXPCUTOFF=$(( $(date +%s) + 86400*31 ))
+
 echo "Check for key expire stuff"
-EXPIRE=$(gpg ${GPGOPTS} --with-colons --check-sigs 0x$KEYID |awk -F : ' $1 == "sub" && $2 != "r" {print $7} ')
+gpg ${GPGOPTS} --with-colons --fixed-list-mode --list-key "0x$KEYID" | \
+  awk -F : -v KEYFLAG=e -v "TARGDATE=$EXPCUTOFF" "$AWK_CHECKDATE"
+gpg ${GPGOPTS} --with-colons --fixed-list-mode --list-key "0x$KEYID" | \
+  awk -F : -v KEYFLAG=s -v "TARGDATE=$EXPCUTOFF" "$AWK_CHECKDATE"
 
-if [ -z $EXPIRE ]; then
-    echo "Key has no expiration date set, nothing to check."
-else
-	echo "Key has an expiration date of ${EXPIRE}."
-	echo "Please check that its not in the past, AND that it is more than one"
-	echo "month in the future at the time you will sent your DAM report!"
-	echo "Thank you."
-fi
-
 if [ "$DELETE" = "yes" ]; then
 	rm -f $DESTDIR/nm.gpg
 fi
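Review bot: `strftime()` in the awk END block is a gawk extension, and Debian's default `awk` alternative is mawk, which does not provide it, so on a stock system the "expires ..." messages fail at parse time instead of printing; either call `gawk` explicitly or print the raw timestamp and let the shell format it with `date`. `PRIFPR = $5` on a `pub` record is the long key ID, not the fingerprint (the fingerprint is field 10 of the `fpr` record), so the variable and the `0x` prefix in the messages are misleading; rename it to PRIKEYID or capture the `fpr` line. The `pub` rule skips revoked primaries, so a revoked key produces "No valid ... on key 0x!" with an empty ID rather than saying the key is revoked. Finally, awk's `exit 1` is never acted on by the shell, so a failed check does not stop the script; append `|| exit 1` to both pipelines (or set a failure flag), and consider running `gpg --list-key` once into a variable instead of twice.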

Attachment: signature.asc
Description: OpenPGP digital signature
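The check dkg describes above (a usage flag that must still be valid 31 days after the AM report) as an added example, not part of the attached patch or of keycheck.sh: a Python reimplementation that parses the same `gpg --with-colons --fixed-list-mode --list-key` records, takes the latest-expiring non-revoked subkey carrying the flag, caps it by the primary key's own expiry, and compares against the cutoff. It goes one step beyond the awk script by rejecting a revoked primary key outright. The listing it runs on is constructed for the example; the key IDs, fingerprints and dates in it are not real.

```python
# Added example, not keycheck.sh code: check that an OpenPGP key listed with
# `gpg --with-colons --fixed-list-mode` still carries a usage flag at a target date.
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Subkey:
    keyid: str
    flags: str                # lowercase usage flags of this subkey (e, s, c, a)
    expires: Optional[int]    # seconds since the epoch, None = no expiration
    revoked: bool


@dataclass
class Key:
    keyid: str = ""
    fingerprint: str = ""
    flags: str = ""           # lowercase flags of the primary key itself
    expires: Optional[int] = None
    revoked: bool = False
    subkeys: list = field(default_factory=list)


def _expiry(fld: str) -> Optional[int]:
    # with --fixed-list-mode field 7 is a unix timestamp, or empty for "never"
    return int(fld) if fld else None


def parse_colon_listing(text: str) -> Key:
    """Build a Key from gpg's colon-separated pub/fpr/sub records."""
    key = Key()
    for line in text.splitlines():
        f = line.split(":")
        f += [""] * (13 - len(f))              # pad so field 12 always exists
        rec, validity, flags = f[0], f[1], f[11]
        if rec == "pub":
            key.keyid, key.expires, key.revoked = f[4], _expiry(f[6]), validity == "r"
            # field 12 of a pub record mixes the primary's own lowercase flags with
            # the whole key's uppercase summary; only the lowercase part is its own
            key.flags = "".join(c for c in flags if c.islower())
        elif rec == "fpr" and not key.fingerprint:
            key.fingerprint = f[9]             # first fpr record belongs to the primary
        elif rec == "sub":
            key.subkeys.append(Subkey(f[4], flags, _expiry(f[6]), validity == "r"))
    return key


def usable_until(key: Key, flag: str) -> tuple:
    """Return (found, expires) for `flag`; expires is None when it never expires."""
    if key.revoked:
        return False, None
    if flag in key.flags:                      # primary key carries the flag itself
        return True, key.expires
    candidates = [s.expires for s in key.subkeys if not s.revoked and flag in s.flags]
    if not candidates:
        return False, None
    # latest-expiring usable subkey wins; a subkey without expiry beats any date
    best = None if any(e is None for e in candidates) else max(candidates)
    # a subkey cannot outlive its primary key
    if key.expires is not None and (best is None or key.expires < best):
        best = key.expires
    return True, best


def check_flag(key: Key, flag: str, target: int) -> tuple:
    """(ok, message): ok is True when `flag` is still usable at `target`."""
    found, expires = usable_until(key, flag)
    ident = key.fingerprint or key.keyid
    if not found:
        return False, f'No valid "{flag}" usage flag on key 0x{ident}'
    if expires is None:
        return True, f'Valid "{flag}" flag on key 0x{ident}, no expiration'
    when = time.strftime("%Y-%m-%d", time.gmtime(expires))
    if expires > target:
        return True, f'Valid "{flag}" flag on key 0x{ident}, expires {when}, OK'
    return False, f'Valid "{flag}" flag on key 0x{ident}, but it expires {when}: too soon'


def cutoff_in_days(days: int, now: Optional[int] = None) -> int:
    """Same arithmetic as the patch's EXPCUTOFF: now + days * 86400."""
    return (int(time.time()) if now is None else now) + days * 86400


# Constructed sample listing (hypothetical key IDs, fingerprint and dates):
# primary signs+certifies and expires 1300000000; three 'e' subkeys, one of them
# revoked with no expiry; one 'a' subkey that expires very soon.
SAMPLE_LISTING = """tru::1:1240000000:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:1100000000:1300000000::u:::scESCA:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1100000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Applicant (constructed) <applicant@example.org>:
sub:u:2048:16:FEDCBA9876543210:1100000000:1241000000:::::e:
sub:r:2048:16:1122334455667788:1100000000::::::e:
sub:u:2048:16:8877665544332211:1200000000:1260000000:::::e:
sub:u:2048:17:AABBCCDDEEFF0011:1200000000:1241000000:::::a:
"""

# Constructed listing where the primary expires before its never-expiring subkey.
SAMPLE_CAPPED = """pub:u:2048:1:1111222233334444:1200000000:1250000000::u:::scESC:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
sub:u:2048:1:5555666677778888:1200000000::::::e:
"""

if __name__ == "__main__":
    key = parse_colon_listing(SAMPLE_LISTING)
    cutoff = cutoff_in_days(31, now=1240000000)   # "now" pinned to April 2009
    for flag in "esa":
        print(check_flag(key, flag, cutoff)[1])
```

Feeding real output is a matter of replacing the constructed string with `subprocess.run(["gpg", "--with-colons", "--fixed-list-mode", "--list-key", keyid], capture_output=True, text=True).stdout`; the parser only looks at fields 1, 2, 5, 7, 10 and 12, so extra records such as `uid` and `sig` lines are ignored.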

