State of the debian keyring
I have been asked to share this information.
Firstly, to view a report on your own key, substitute your fingerprint
in the following pipeline:
hkt export-pubkeys --keyring /usr/share/keyrings/debian-keyring.gpg \
"4E46 9519 ED67 7734 268F BD95 8F7B F8FC 4A11 C97A" | hokey lint
The following three reports were generated with debian-keyring
2013.12.13, hopenpgp-tools 0.4-1, jshon 20131010-3, and the
inefficient script attached below. The script handles revoked UIDs
and user attributes incorrectly, and it may have other, as yet
unknown, bugs. "Judgments" are based on this document[0] and are
made per UID or user attribute; they are not rolled up per key.
The value `null` can be read as "OK". The term "expiration passed"
means that the UID or user attribute has already expired. The report
format does not show it well, but the correspondence between 1024-bit
keys and DSA keys is exactly 1:1, apart from a single 1024-bit RSA key
in debian-keyring.gpg. Subkeys are ignored as irrelevant to this
analysis.
[0] https://we.riseup.net/debian/openpgp-best-practices
(/usr/share/keyrings/debian-keyring.gpg)
Total keys: 996
Key versions:
996 4
Primary key pubkey algorithms:
623 "DSA"
373 "RSA"
Primary key pubkey sizes:
624 1024
27 2048
2 3072
340 4096
2 8192
1 10240
Total number of UIDs + UAts: 4394
Hash algorithm used for most recent self-sig:
1 "RIPEMD160"
3188 "SHA1"
1041 "SHA256"
1 "SHA384"
163 "SHA512"
Judgment on preferred hash algorithms:
1776 null
2618 "weak hash with higher preference"
Judgment on expiration times:
53 "expiration passed"
111 "expiration too far in future"
3887 "no expiration set"
343 null
(/usr/share/keyrings/debian-maintainers.gpg)
Total keys: 200
Key versions:
200 4
Primary key pubkey algorithms:
54 "DSA"
146 "RSA"
Primary key pubkey sizes:
54 1024
1 1280
13 2048
1 3072
130 4096
1 8192
Total number of UIDs + UAts: 593
Hash algorithm used for most recent self-sig:
294 "SHA1"
234 "SHA256"
65 "SHA512"
Judgment on preferred hash algorithms:
416 null
177 "weak hash with higher preference"
Judgment on expiration times:
9 "expiration passed"
18 "expiration too far in future"
485 "no expiration set"
81 null
(/usr/share/keyrings/debian-nonupload.gpg)
Total keys: 9
Key versions:
9 4
Primary key pubkey algorithms:
9 "RSA"
Primary key pubkey sizes:
1 2048
8 4096
Total number of UIDs + UAts: 25
Hash algorithm used for most recent self-sig:
7 "SHA1"
16 "SHA256"
2 "SHA512"
Judgment on preferred hash algorithms:
24 null
1 "weak hash with higher preference"
Judgment on expiration times:
14 "no expiration set"
11 null
#!/bin/zsh
# Summarise the hokey lint report for one keyring (default: debian-keyring.gpg).
# All tallies below are per UID/UAt, not per key, and revoked UIDs/UAts are
# not filtered out.
infile=${1:-/usr/share/keyrings/debian-keyring.gpg}
tempfile=$(mktemp)
trap 'rm -f "${tempfile}"' EXIT
# Lint the whole keyring once; every query below reads the cached JSON.
hokey lint --output-format JSON <"${infile}" >"${tempfile}"
print -n "Total keys: "
jshon -a -e keyFingerprint <"${tempfile}" | wc -l
print "Key versions: "
jshon -a -e keyVer -e val <"${tempfile}" | sort | uniq -c
print "Primary key pubkey algorithms: "
jshon -a -e keyAlgorithmAndSize -e pubkeyalgo -e val <"${tempfile}" | sort | uniq -c
print "Primary key pubkey sizes: "
jshon -a -e keyAlgorithmAndSize -e pubkeysize -e val <"${tempfile}" | sort -n | uniq -c
# keyUIDsAndUAts is an object keyed by UID/UAt; -k lists its keys.
print -n "Total number of UIDs + UAts: "
jshon -a -e keyUIDsAndUAts -k <"${tempfile}" | wc -l
print "Hash algorithm used for most recent self-sig: "
jshon -a -e keyUIDsAndUAts -a -e uidSelfSigHashAlgorithms -a -e val <"${tempfile}" | sort | uniq -c
# A null explanation means hokey raised no objection for that UID/UAt.
print "Judgment on preferred hash algorithms: "
jshon -a -e keyUIDsAndUAts -a -e uidPreferredHashAlgorithms -a -e explanation <"${tempfile}" | sort | uniq -c
print "Judgment on expiration times: "
jshon -a -e keyUIDsAndUAts -a -e uidKeyExpirationTimes -a -e explanation <"${tempfile}" | sort | uniq -c
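The report above tallies judgments per UID, so a key with one good and one
bad UID is counted once in each column and the number of affected keys is
not visible. The Python below is an added example, not the author's script
or part of hopenpgp-tools, that reproduces the per-UID tallies and also
rolls findings up per key. The JSON shape it reads is an assumption
reconstructed from the jshon paths in the zsh script (a top-level array of
keys, keyUIDsAndUAts as an object keyed by UID, and each uid* field as a
list of {val, explanation} objects); the sample data and the
`WEAK_HASHES` set are constructed here.

```python
"""Roll a hokey-style lint report up per key.

The JSON layout is an ASSUMPTION inferred from the jshon paths of the
posted zsh script; it is not hokey's documented output format.
"""
import json
from collections import Counter

# Digests the linked best-practices document treats as weak (constructed set).
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}


def _uid(self_sig, pref_judgment, exp_judgment):
    """Build one UID record in the assumed hokey shape (constructed test data)."""
    return {
        "uidSelfSigHashAlgorithms": [{"val": self_sig, "explanation": None}],
        "uidPreferredHashAlgorithms": [{"val": None, "explanation": pref_judgment}],
        "uidKeyExpirationTimes": [{"val": None, "explanation": exp_judgment}],
    }


def _key(fpr, algo, size, uids):
    """Build one key record in the assumed hokey shape (constructed test data)."""
    return {
        "keyFingerprint": fpr,
        "keyVer": {"val": 4, "explanation": None},
        "keyAlgorithmAndSize": {
            "pubkeyalgo": {"val": algo, "explanation": None},
            "pubkeysize": {"val": size, "explanation": None},
        },
        "keyUIDsAndUAts": uids,
    }


# Constructed sample report: fingerprints are placeholders, not real keys.
SAMPLE_JSON = json.dumps([
    _key("0000000000000000000000000000000000000001", "DSA", 1024, {
        "Alice Example <alice@example.org>":
            _uid("SHA1", "weak hash with higher preference", "no expiration set"),
    }),
    _key("0000000000000000000000000000000000000002", "RSA", 4096, {
        "Bob Example <bob@example.org>": _uid("SHA256", None, None),
        "Bob Example <bob@example.net>": _uid("SHA1", None, "no expiration set"),
    }),
])


def load_keys(json_text):
    return json.loads(json_text)


def tally(keys, field, attr):
    """Per-UID tally of one attribute, like the script's `sort | uniq -c`.
    None is reported as "null", matching the original report."""
    counts = Counter()
    for key in keys:
        for uid in key["keyUIDsAndUAts"].values():
            for entry in uid.get(field, []):
                value = entry.get(attr)
                counts["null" if value is None else value] += 1
    return counts


def per_key_findings(key):
    """Set of distinct problems on a key: one bad UID is enough to flag the key."""
    findings = set()
    algo = key["keyAlgorithmAndSize"]["pubkeyalgo"]["val"]
    size = key["keyAlgorithmAndSize"]["pubkeysize"]["val"]
    if size < 2048:
        findings.add(f"{size}-bit {algo} primary key")
    for uid in key["keyUIDsAndUAts"].values():
        for entry in uid.get("uidSelfSigHashAlgorithms", []):
            if entry.get("val") in WEAK_HASHES:
                findings.add("self-sig uses weak hash")
        for field in ("uidPreferredHashAlgorithms", "uidKeyExpirationTimes"):
            for entry in uid.get(field, []):
                if entry.get("explanation") is not None:
                    findings.add(entry["explanation"])
    return sorted(findings)


def summarize(json_text):
    """Per-UID tallies (as in the report) plus a per-key roll-up."""
    keys = load_keys(json_text)
    flagged = {k["keyFingerprint"]: per_key_findings(k) for k in keys}
    flagged = {fpr: f for fpr, f in flagged.items() if f}
    sizes = [k["keyAlgorithmAndSize"] for k in keys]
    return {
        "total_keys": len(keys),
        "keys_with_findings": len(flagged),
        "finding_counts": Counter(f for fs in flagged.values() for f in fs),
        "self_sig_hashes": tally(keys, "uidSelfSigHashAlgorithms", "val"),
        "preferred_hash_judgments": tally(keys, "uidPreferredHashAlgorithms", "explanation"),
        "expiration_judgments": tally(keys, "uidKeyExpirationTimes", "explanation"),
        # The 1:1 DSA/1024-bit correspondence noted in the post, checked directly.
        "dsa_keys": sum(s["pubkeyalgo"]["val"] == "DSA" for s in sizes),
        "keys_1024": sum(s["pubkeysize"]["val"] == 1024 for s in sizes),
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_JSON).items():
        print(f"{name}: {dict(value) if isinstance(value, Counter) else value}")
```

On the sample, the second key has a clean SHA256 UID and a SHA1 UID with no
expiration; the per-UID tallies spread that over two columns, while
`per_key_findings` reports the key once as needing attention. Run against a
real `hokey lint --output-format JSON` dump only after confirming the field
layout matches the assumption above.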