Testing GNUPG trust-signatures
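#!/bin/sh
#
# Testing GNUPG trust-signatures.
#
# Builds six throwaway keyrings under ./sandbox/<address>/ and walks through
# how "myself" sees the other keys under a plain certification versus trust
# signatures (tsign) of different depth and domain restriction.
#
# Everything lives in ./sandbox, which is wiped and recreated on every run:
# run this from a scratch directory and never with a real GNUPGHOME.
# Output goes to stdout; the STEP headings separate the experiments and the
# lines starting with "--" record the author's open questions about results.
set -u

# gpg picks the keyring up from GNUPGHOME; each party gets its own ring and
# the steps below switch between them by reassigning the variable.
export GNUPGHOME
sandbox="$(pwd)/sandbox"

me=myself@example.co.uk
introducer=introducer@example.com
alice=alice@example.net
blake=blake@example.org
chloe=chloe@example.fr
david=david@example.es

# Print a step heading: blank line, rule, then the heading text.
banner() {
  echo
  echo -----------------------------------------------------------------
  echo "$@"
}

# Write the public key of $1 from the current ring to $GNUPGHOME/$1.gpg so
# the other parties can import it from there.
export_key() {
  gpg --export "$1" > "$GNUPGHOME/$1.gpg"
}

# Create a fresh sandbox keyring for address $1 and export its public key.
make_key() {
  GNUPGHOME="$sandbox/$1"
  rm -rf -- "$GNUPGHOME"
  mkdir -p -m 700 "$GNUPGHOME" || exit 1
  # Unprotected 1024-bit RSA: quick to generate and adequate for a throwaway
  # trust-model experiment; not a key size or protection level for real keys.
  # Every later step depends on these keys, so a failure here is fatal.
  gpg --batch --gen-key <<EOF || exit 1
%echo Generating $1
%no-protection
Key-Type: RSA
Key-Length: 1024
Name-Real: ${1%@*}
Name-Email: $1
EOF
  export_key "$1"
}

# Import address $2's public key from the sandbox ring of $1 into the
# current GNUPGHOME.
import_from() {
  gpg --import "$sandbox/$1/$2.gpg"
}

# Plainly certify key $1 with the current ring's key, answering "y" to every
# --sign-key prompt.
certify() {
  yes | gpg --command-fd 0 --sign-key "$1"
}

# Drive "gpg --edit-key $1" non-interactively: each remaining argument is one
# line of input on --command-fd 0, in order.  (No 'local' in POSIX sh, so the
# key id is parked in a uniquely named global.)
edit_key() {
  edit_key_id=$1
  shift
  printf '%s\n' "$@" | gpg --command-fd 0 --edit-key "$edit_key_id"
}

# Replace myself's existing signature on uid 1 of the introducer's key with a
# trust signature, then print the resulting signature line.  The arguments
# are the answers to the tsign prompts, passed through verbatim, e.g.
# "2 1 y save" or "2 1 example.org y save".  The leading "delsig n y" is
# presumably "keep the self-signature, delete myself's" -- confirm against
# the signature order gpg prints for the key.
# NOTE(review): the calls without a domain answer (steps 7 and 11) send one
# line fewer than those with one (steps 9, 13, 15); whether gpg then reads
# the following "y" as the domain prompt depends on the installed version's
# prompt sequence -- check the STEP 8 / STEP 12 output confirms full validity.
retsign() {
  edit_key "$introducer" 'uid 1' delsig n y tsign "$@"
  gpg --list-sigs "$introducer" | grep "$me"
}

# List every signature on the five keys myself holds, introducer first.
show_all() {
  gpg --list-sigs "$introducer" "$alice" "$blake" "$chloe" "$david"
}

echo -----------------------------------------------------------------
echo VERSION INFORMATION
gpg --version
uname -vimposr

banner "STEP 1 : Generate test keys and export them"
for n in "$me" "$introducer" "$alice" "$blake" "$chloe" "$david"; do
  make_key "$n"
done

banner "STEP 2 : my introducer knows alice and blake"
echo "import keys into the introducer's key-ring sign them and export"
echo "apply level 1 unrestricted trust-signature to blake"
GNUPGHOME="$sandbox/$introducer"
import_from "$alice" "$alice"
certify "$alice"
export_key "$alice"
# blake gets a trust signature (trust 2, depth 1, no domain) instead of a
# plain certification.
import_from "$blake" "$blake"
edit_key "$blake" tsign 2 1 y save
export_key "$blake"

banner "STEP 3 : blake knows chloe and david"
echo "import keys into blake's key-ring sign them and export"
GNUPGHOME="$sandbox/$blake"
for n in "$chloe" "$david"; do
  import_from "$n" "$n"
  certify "$n"
  export_key "$n"
done

banner "STEP 4 : import signed keys and show that they are not valid : unknown"
GNUPGHOME="$sandbox/$me"
# The introducer's ring holds his own key plus the copies he signed.
for n in "$introducer" "$alice" "$blake"; do
  import_from "$introducer" "$n"
  gpg --list-sigs "$n"
done
# blake's ring holds the copies he signed.
for n in "$chloe" "$david"; do
  import_from "$blake" "$n"
  gpg --list-sigs "$n"
done

banner "STEP 5 : Sign the introducer's key"
certify "$introducer"
gpg --list-sigs "$introducer" | grep "$me"

banner "STEP 6 : Show only introducer is valid"
echo "alice and blake are invalid - undef"
echo "they are signed by a key that myself has certified but not trusted"
echo "chloe and david are unknown"
echo "they are signed by a key that myself has neither certified nor trusted"
show_all

banner "STEP 7 : Change introducer's certification to level 1 trust signature"
retsign 2 1 y save

banner "STEP 8 : Show introducer, alice and blake are fully valid"
echo "introducer is fully valid"
echo "it is certified and trusted by myself"
echo "alice and blake are fully valid"
echo "they are certified by introducer who myself trusts"
echo "chloe and david have undef validity"
echo "they are signed by blake who is certified by introducer"
echo "but myself does not trust introducer to level 2"
show_all

banner "STEP 9 : Change level 1 trust signature to allow only example.org"
retsign 2 1 example.org y save

banner "STEP 10 : Show introduced keys are now invalid : unknown"
echo "-- should blake@example.org still be fully valid here ?"
echo "-- why do alice, blake, chloe and david change to unknown ?"
echo "-- expected undef full undef undef"
show_all

banner "STEP 11 : Change to level 2 trust signature - no domain restriction"
retsign 2 2 y save

banner "STEP 12 : Show introduced keys are now fully valid"
show_all

banner "STEP 13 : Change level 2 trust signature to allow only example.org"
retsign 2 2 example.org y save

banner "STEP 14 : Show introduced keys are now invalid : unknown"
echo "-- should blake@example.org be fully valid here ?"
show_all

banner "STEP 15 : Change level 2 trust signature to allow only example.es"
retsign 2 2 example.es y save

banner "STEP 16 : Show introduced keys are now invalid : unknown"
echo "-- should david@example.es be fully valid here ?"
show_all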