Skip to content

Instantly share code, notes, and snippets.

@johnlane johnlane/gpgtest.sh
Created Jan 18, 2017

Embed
What would you like to do?
Testing GNUPG trust-signatures
#!/bin/sh
#
export GNUPGHOME
echo -----------------------------------------------------------------
echo VERSION INFORMATION
gpg --version
uname -vimposr
echo
echo -----------------------------------------------------------------
echo STEP 1 : Generate test keys and export them
for n in myself@example.co.uk introducer@example.com alice@example.net blake@example.org chloe@example.fr david@example.es
do
GNUPGHOME="$(pwd)/sandbox/$n"
rm -rf "$GNUPGHOME"
mkdir -p -m 700 "$GNUPGHOME"
cat<<-EOF|gpg --batch --gen-key
%echo Generating $n
%no-protection
Key-Type: RSA
Key-Length: 1024
Name-Real: ${n%@*}
Name-Email: $n
EOF
gpg --export $n > $GNUPGHOME/$n.gpg
done
echo
echo -----------------------------------------------------------------
echo STEP 2 : my introducer knows alice and blake
echo import keys into the introducer\'s key-ring sign them and export
echo apply level 1 unrestricted trust-signature to blake
GNUPGHOME="$(pwd)/sandbox/introducer@example.com"
for n in alice@example.net #blake@example.org
do
gpg --import "$GNUPGHOME/../$n/$n.gpg"
yes | gpg --command-fd 0 --sign-key $n
gpg --export $n > $GNUPGHOME/$n.gpg
done
for n in blake@example.org
do
gpg --import "$GNUPGHOME/../$n/$n.gpg"
cat<<-EOF|gpg --command-fd 0 --edit-key $n
tsign
2
1
y
save
EOF
gpg --export $n > $GNUPGHOME/$n.gpg
done
echo
echo -----------------------------------------------------------------
echo STEP 3 : blake knows chloe and david
echo import keys into blake\'s key-ring sign them and export
GNUPGHOME="$(pwd)/sandbox/blake@example.org"
for n in chloe@example.fr david@example.es
do
gpg --import "$GNUPGHOME/../$n/$n.gpg"
yes | gpg --command-fd 0 --sign-key $n
gpg --export $n > $GNUPGHOME/$n.gpg
done
echo
echo -----------------------------------------------------------------
echo STEP 4 : import signed keys and show that they are not valid : unknown
GNUPGHOME="$(pwd)/sandbox/myself@example.co.uk"
for n in introducer@example.com alice@example.net blake@example.org
do
gpg --import $GNUPGHOME/../introducer@example.com/$n.gpg
gpg --list-sigs $n
done
for n in chloe@example.fr david@example.es
do
gpg --import $GNUPGHOME/../blake@example.org/$n.gpg
gpg --list-sigs $n
done
echo
echo -----------------------------------------------------------------
echo STEP 5 : Sign the introducer\'s key
yes | gpg --command-fd 0 --sign-key introducer@example.com
gpg --list-sigs introducer@example.com | grep myself@example.co.uk
echo
echo -----------------------------------------------------------------
echo STEP 6 : Show only introducer is valid
echo alice and blake are invalid - undef
echo they are signed by a key that myself has certified but not trusted
echo chole and david are unknown
echo they are signed by a key that myself has neither certified nor trusted
gpg --list-sigs introducer@example.com alice@example.net blake@example.org \
chloe@example.fr david@example.es
echo
echo -----------------------------------------------------------------
echo STEP 7 : Change introducer\'s certification to level 1 trust signature
cat<<-EOF|gpg --command-fd 0 --edit-key introducer@example.com
uid 1
delsig
n
y
tsign
2
1
y
save
EOF
gpg --list-sigs introducer@example.com | grep myself@example.co.uk
echo
echo -----------------------------------------------------------------
echo STEP 8 : Show introducer, alice and blake are fully valid
echo introducer is fully valid
echo it is certified and trusted by myself
echo alice and blake are fully valid
echo they are certified by introducer who myself trusts
echo chloe and david have undef validity
echo they are signed by blake who is certified by introducer
echo but myself does not trust introducer to level 2
gpg --list-sigs introducer@example.com alice@example.net blake@example.org \
chloe@example.fr david@example.es
echo
echo -----------------------------------------------------------------
echo STEP 9 : Change level 1 trust signature to allow only example.org
cat<<-EOF|gpg --command-fd 0 --edit-key introducer@example.com
uid 1
delsig
n
y
tsign
2
1
example.org
y
save
EOF
gpg --list-sigs introducer@example.com | grep myself@example.co.uk
echo
echo -----------------------------------------------------------------
echo STEP 10 : Show introduced keys are now invalid : unknown
echo -- should blake@example.org still be fully valid here ?
echo -- why do alice, blake, chloe and david change to unknown ?
echo -- expected undef full undef undef
gpg --list-sigs introducer@example.com alice@example.net blake@example.org \
chloe@example.fr david@example.es
echo STEP 11 : -----------------------------------------------------------------
echo Change to level 2 trust signature - no domain restriction
cat<<-EOF|gpg --command-fd 0 --edit-key introducer@example.com
uid 1
delsig
n
y
tsign
2
2
y
save
EOF
gpg --list-sigs introducer@example.com | grep myself@example.co.uk
echo
echo -----------------------------------------------------------------
echo STEP 12 : Show introduced keys are now fully valid
gpg --list-sigs introducer@example.com alice@example.net blake@example.org \
chloe@example.fr david@example.es
echo
echo -----------------------------------------------------------------
echo STEP 13 : Change level 2 trust signature to allow only example.org
cat<<-EOF|gpg --command-fd 0 --edit-key introducer@example.com
uid 1
delsig
n
y
tsign
2
2
example.org
y
save
EOF
gpg --list-sigs introducer@example.com | grep myself@example.co.uk
echo
echo -----------------------------------------------------------------
echo STEP 14 : Show introduced keys are now invalid : unknown
echo -- should blake@example.org be fully valid here ?
gpg --list-sigs introducer@example.com alice@example.net blake@example.org \
chloe@example.fr david@example.es
echo
echo -----------------------------------------------------------------
echo STEP 15 : Change level 2 trust signature to allow only example.es
cat<<-EOF|gpg --command-fd 0 --edit-key introducer@example.com
uid 1
delsig
n
y
tsign
2
2
example.es
y
save
EOF
gpg --list-sigs introducer@example.com | grep myself@example.co.uk
echo
echo -----------------------------------------------------------------
echo STEP 16 : Show introduced keys are now invalid : unknown
echo -- should david@example.es be fully valid here ?
gpg --list-sigs introducer@example.com alice@example.net blake@example.org \
chloe@example.fr david@example.es
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.