
Re: Moving to stronger keys than 1024D



Stefano Zacchiroli dixit:

>> The more useful question is how many of the signatures on your new key
>> come from strong keys, and how many strong keys have you signed with
>> that new key?
>
>Right. If you happen to have a oneliner to verify that I'll be happy to
>answer these questions :)

Not exactly a oneliner, but maybe this helps.
It does assume both your key and the keys you signed are
uploaded to hkp://pgp.surfnet.nl though, as it parses its
statistics web interface (updated once a month or so, thanks
to our own Christoph Egger).

For Zack’s new RSA key, the sample session looks like this:

tg@freewrt:~ $ mksh chkkeys.ksh 6D866396
I: </BLOCKQUOTE><H4>cross signatures : 272</H4>
I: <H4>other  signatures : 57</H4>
I: <H4>other  keys signed by this key : 47</H4>
got 272 cross signatures, 57 signatures, 47 keys signed by this key
got 328 signatures in total, 319 keys signed in total
expect this to be 329 and 319, respectively
Types of signatures:
    211 4096R
     96 1024D
     17 2048R
      2 2048D
      2 1024R
      1 8192R
      1 3072R
Types of keys signed:
    220 4096R
     82 1024D
     13 2048R
      2 2048D
      2 1024R
      1 8192R
      1 3072R

Hrm, the parser is not perfect apparently (the numbers are off;
they’re right for the keys I tested it with originally). But it
at least gives somewhat good estimates.

Have fun,
//mirabilos
-- 
FWIW, I'm quite impressed with mksh interactively. I thought it was much
*much* more bare bones. But it turns out it beats the living hell out of
ksh93 in that respect. I'd even consider it for my daily use if I hadn't
wasted half my life on my zsh setup. :-) -- Frank Terbeck in #!/bin/mksh
#!/bin/mksh
#-
# Copyright (c) 2013
#	Thorsten Glaser <tg@debian.org>
#
# Provided that these terms and disclaimer and all copyright notices
# are retained or reproduced in an accompanying document, permission
# is granted to deal in this work without restriction, including un-
# limited rights to use, publicly perform, distribute, sell, modify,
# merge, give away, or sublicence.
#
# This work is provided "AS IS" and WITHOUT WARRANTY of any kind, to
# the utmost extent permitted by applicable law, neither express nor
# implied; without malicious intent or gross negligence. In no event
# may a licensor, author or contributor be held liable for indirect,
# direct, other damage, loss, or other issues arising in any way out
# of dealing in the work, even if advised of the possibility of such
# damage or existence of a defect, except proven that it results out
# of said person's immediate fault when using the work as intended.

typeset -u keyid=${1#0[Xx]}

if [[ $keyid != [0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F] ]]; then
	print -u2 "E: Syntax: $0 12345678 (where 12345678 is your key ID)"
	exit 1
fi

set -A signatures
set -A signedby
ncross=0
nsignatures=0
nsignedby=0

wget -qO - "http://pgp.cs.uu.nl/mk_path.cgi?STAT=${keyid}&STATS=statistics" |&
state=0
while IFS= read -pr line; do
	case $state:$line {
	(0:*'H4>cross signatures'*)
		state=1
		print -r "I: $line"
		;;
	(1:*'H4>other  signatures'*)
		state=2
		print -r "I: $line"
		;;
	(2:*'H4>other  keys signed by this key'*)
		state=3
		print -r "I: $line"
		;;
	(3:'<HR>')
		state=4
		;;
	(1:*'<TT><SMALL>'[0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F]'</SMALL></TT>'*)
		line=${line##*'<TT><SMALL>'}
		line=${line%%'</SMALL></TT>'*}
		if [[ $line != [0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F] ]]; then
			print -u2 'E: parsing failed'
			exit 1
		fi
		let ncross++
		signatures[0x$line]=1
		signedby[0x$line]=1
		;;
	(2:*'<TT><SMALL>'[0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F]'</SMALL></TT>'*)
		line=${line##*'<TT><SMALL>'}
		line=${line%%'</SMALL></TT>'*}
		if [[ $line != [0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F] ]]; then
			print -u2 'E: parsing failed'
			exit 1
		fi
		let nsignatures++
		signatures[0x$line]=1
		;;
	(3:*'<TT><SMALL>'[0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F]'</SMALL></TT>'*)
		line=${line##*'<TT><SMALL>'}
		line=${line%%'</SMALL></TT>'*}
		if [[ $line != [0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F] ]]; then
			print -u2 'E: parsing failed'
			exit 1
		fi
		let nsignedby++
		signedby[0x$line]=1
		;;
	(?:*'H4>cross signatures'*)
		print "W: wrong input state $state"
		state=1
		print -r "I: $line"
		;;
	(?:*'H4>other  signatures'*)
		print "W: wrong input state $state"
		state=2
		print -r "I: $line"
		;;
	(?:*'H4>other  keys signed by this key'*)
		print "W: wrong input state $state"
		state=3
		print -r "I: $line"
		;;
	}
done

print "got $ncross cross signatures, $nsignatures signatures, $nsignedby keys signed by this key"
print "got ${#signatures[*]} signatures in total, ${#signedby[*]} keys signed in total"
print "expect this to be $((ncross+nsignatures)) and $((ncross+nsignedby)), respectively"

set -A keyinfo
set -A needinfo
for key in ${!signatures[*]} ${!signedby[*]}; do
	needinfo[key]=1
done

typeset -Uui16 -Z11 key
for key in ${!needinfo[*]}; do
	x=$(wget -qO - "http://pgp.surfnet.nl:11371/pks/lookup?op=index&search=0x${key#16#}" | \
	    sed -n '/^pub  \([^\/][^\/]*\)\/.*$/s//\1/p')
	keyinfo[key]=$x
	[[ -n $x ]] || print "W: no key info for key ${key#16#}"
done

print Types of signatures:
for key in ${!signatures[*]}; do
	print -r -- "${keyinfo[key]:-/unknown}"
done | sort | uniq -c | sort -nr
print Types of keys signed:
for key in ${!signedby[*]}; do
	print -r -- "${keyinfo[key]:-/unknown}"
done | sort | uniq -c | sort -nr
