Testing GNUPG trust-signatures
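#!/bin/sh
#
# Exercise GnuPG trust signatures ("tsign") in throwaway keyrings.
#
# The script generates six test keys, each in its own keyring under
# ./sandbox/<address>/, builds a small certification chain between them,
# and then repeatedly replaces myself's certification of the introducer's
# key with trust signatures of different depth and domain restriction,
# listing the resulting key validities after each change.
#
# Every keyring it creates is deleted and regenerated on each run, so run
# it from a scratch directory. The sandbox keys are passphrase-less
# (%no-protection) and 1024-bit RSA: that keeps generation fast for a
# disposable test and is not a choice to copy for real keys.
#
# NOTE(review): every e-mail address in this rendering of the script is
# shown as "[email protected]" (the hosting page appears to obfuscate
# addresses), so those tokens below are placeholders. The step messages
# name the parties myself, introducer, alice, blake, chloe and david and
# mention the example.org and example.es domains. Restore the real
# addresses before running.

set -u

export GNUPGHOME
sandbox="$(pwd)/sandbox"

# Print a separator line.
rule() {
  printf '%s\n' '-----------------------------------------------------------------'
}

# Print each argument on its own line (printf rather than echo, so that
# lines beginning with "--" are printed literally).
say() {
  printf '%s\n' "$@"
}

# Announce a step: blank line, separator, then the given lines.
step() {
  printf '\n'
  rule
  say "$@"
}

# Create a fresh keyring for ADDR under the sandbox, generate a
# passphrase-less RSA-1024 key for it and export the public key to
# $GNUPGHOME/ADDR.gpg. Aborts the script if any part fails, because every
# later step depends on these keys existing.
# Usage: gen_key ADDR
gen_key() {
  GNUPGHOME="$sandbox/$1"
  # ":?" refuses to run the rm if the variable is somehow empty.
  rm -rf -- "${GNUPGHOME:?}"
  mkdir -p -m 700 "$GNUPGHOME" || exit 1
  gpg --batch --gen-key <<EOF || exit 1
%echo Generating $1
%no-protection
Key-Type: RSA
Key-Length: 1024
Name-Real: ${1%@*}
Name-Email: $1
EOF
  gpg --export "$1" > "$GNUPGHOME/$1.gpg" || exit 1
}

# Import ADDR's public key from its own sandbox keyring into the current
# keyring (whatever GNUPGHOME points at).
# Usage: import_key ADDR
import_key() {
  gpg --import "$sandbox/$1/$1.gpg"
}

# Import ADDR's key, certify it with the current keyring's key (answering
# "y" to every prompt) and export the certified copy to $GNUPGHOME/ADDR.gpg.
# Usage: certify ADDR
certify() {
  import_key "$1"
  yes | gpg --command-fd 0 --sign-key "$1"
  gpg --export "$1" > "$GNUPGHOME/$1.gpg"
}

# Feed the remaining arguments, one per line, to "gpg --edit-key KEY" as
# answers to its interactive prompts.
# Usage: edit_key KEY ANSWER...
edit_key() {
  key=$1
  shift
  printf '%s\n' "$@" | gpg --command-fd 0 --edit-key "$key"
}

# Show only the signature line(s) on KEY that mention SIGNER.
# Usage: show_sig KEY SIGNER
show_sig() {
  gpg --list-sigs "$1" | grep -F -- "$2"
}

# List signatures and validity for the five keys other than myself.
list_all() {
  gpg --list-sigs "[email protected]" "[email protected]" "[email protected]" \
    "[email protected]" "[email protected]"
}

# Replace myself's certification of the introducer's key with a trust
# signature of depth LEVEL, optionally restricted to DOMAIN, then show the
# resulting signature. The answer sequence (uid 1, delsig, n, y, tsign, 2,
# LEVEL, [DOMAIN], y, save) mirrors the original script: delsig is
# answered "n" for the first signature it offers and "y" for the second,
# and "2" picks full trust in the tsign menu.
# Usage: retsign_introducer LEVEL [DOMAIN]
retsign_introducer() {
  if [ $# -ge 2 ]; then
    edit_key "[email protected]" 'uid 1' delsig n y tsign 2 "$1" "$2" y save
  else
    edit_key "[email protected]" 'uid 1' delsig n y tsign 2 "$1" y save
  fi
  show_sig "[email protected]" "[email protected]"
}

rule
say "VERSION INFORMATION"
gpg --version
uname -vimposr

step "STEP 1 : Generate test keys and export them"
for n in "[email protected]" "[email protected]" "[email protected]" \
         "[email protected]" "[email protected]" "[email protected]"; do
  gen_key "$n"
done

step "STEP 2 : my introducer knows alice and blake" \
     "import keys into the introducer's key-ring sign them and export" \
     "apply level 1 unrestricted trust-signature to blake"
GNUPGHOME="$sandbox/[email protected]"
# Plain certification for the first key (the original listed a second
# address in this loop but left it commented out).
certify "[email protected]"
# Level 1 unrestricted trust signature (full trust, depth 1) on the second.
n="[email protected]"
import_key "$n"
edit_key "$n" tsign 2 1 y save
gpg --export "$n" > "$GNUPGHOME/$n.gpg"

step "STEP 3 : blake knows chloe and david" \
     "import keys into blake's key-ring sign them and export"
GNUPGHOME="$sandbox/[email protected]"
for n in "[email protected]" "[email protected]"; do
  certify "$n"
done

step "STEP 4 : import signed keys and show that they are not valid : unknown"
GNUPGHOME="$sandbox/[email protected]"
# Keys certified by the introducer are taken from the introducer's sandbox,
# keys certified by blake from blake's.
for n in "[email protected]" "[email protected]" "[email protected]"; do
  gpg --import "$sandbox/[email protected]/$n.gpg"
  gpg --list-sigs "$n"
done
for n in "[email protected]" "[email protected]"; do
  gpg --import "$sandbox/[email protected]/$n.gpg"
  gpg --list-sigs "$n"
done

step "STEP 5 : Sign the introducer's key"
yes | gpg --command-fd 0 --sign-key "[email protected]"
show_sig "[email protected]" "[email protected]"

step "STEP 6 : Show only introducer is valid" \
     "alice and blake are invalid - undef" \
     "they are signed by a key that myself has certified but not trusted" \
     "chole and david are unknown" \
     "they are signed by a key that myself has neither certified nor trusted"
list_all

step "STEP 7 : Change introducer's certification to level 1 trust signature"
retsign_introducer 1

step "STEP 8 : Show introducer, alice and blake are fully valid" \
     "introducer is fully valid" \
     "it is certified and trusted by myself" \
     "alice and blake are fully valid" \
     "they are certified by introducer who myself trusts" \
     "chloe and david have undef validity" \
     "they are signed by blake who is certified by introducer" \
     "but myself does not trust introducer to level 2"
list_all

step "STEP 9 : Change level 1 trust signature to allow only example.org"
retsign_introducer 1 example.org

step "STEP 10 : Show introduced keys are now invalid : unknown" \
     "-- should [email protected] still be fully valid here ?" \
     "-- why do alice, blake, chloe and david change to unknown ?" \
     "-- expected undef full undef undef"
list_all

say "STEP 11 : -----------------------------------------------------------------" \
    "Change to level 2 trust signature - no domain restriction"
retsign_introducer 2

step "STEP 12 : Show introduced keys are now fully valid"
list_all

step "STEP 13 : Change level 2 trust signature to allow only example.org"
retsign_introducer 2 example.org

step "STEP 14 : Show introduced keys are now invalid : unknown" \
     "-- should [email protected] be fully valid here ?"
list_all

step "STEP 15 : Change level 2 trust signature to allow only example.es"
retsign_introducer 2 example.es

step "STEP 16 : Show introduced keys are now invalid : unknown" \
     "-- should [email protected] be fully valid here ?"
list_all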