= kant(1)
Brent Saner
v1.0.0
:doctype: manpage
:manmanual: KANT - Keysigning and Notification Tool
:mansource: KANT
:man-linkstyle: pass:[blue R < >]

== NAME

KANT - Sign GnuPG/OpenPGP/PGP keys and notify the key owner(s)

== SYNOPSIS

*kant* [_OPTION_] -k/--key _<KEY_IDS|BATCHFILE>_

== DESCRIPTION

Keysigning (and keysigning parties) can be a lot of fun, and can offer someone with new keys a way into the WoT (Web-of-Trust).
Unfortunately, they can be intimidating to those new to the experience.

This tool offers a simple and easy-to-use interface to sign public keys (normal, local-only, and/or non-exportable),
set owner trust, specify level of checking done, and push the signatures to a keyserver. It even supports batch operation via a CSV file.

== OPTIONS

*-h*, *--help*::
Display brief help/usage and exit.

*-k* _KEY_IDS|BATCHFILE_, *--key* _KEY_IDS|BATCHFILE_::
A single or comma-separated list of key IDs (see *KEY ID FORMAT*) to sign, trust, and notify. Can also be an email address.
If *-b*/*--batch* is specified, this should instead be a path to the batch file (see *BATCHFILE/Format*).

*-K* _KEY_ID_, *--sigkey* _KEY_ID_::
The key to use when signing other keys (see *KEY ID FORMAT*). The default key is automatically determined at runtime
(it will be displayed in *-h*/*--help* output).

*-t* _TRUSTLEVEL_, *--trust* _TRUSTLEVEL_::
The trust level to automatically apply to all keys (if not specified, KANT will prompt for each key).
See *BATCHFILE/TRUSTLEVEL* for trust level notations.

*-c* _CHECKLEVEL_, *--check* _CHECKLEVEL_::
The level of checking that was done to confirm the validity of ownership for all keys being signed. If not specified,
the default is for KANT to prompt for each key we sign. See *BATCHFILE/CHECKLEVEL* for check level notations.

*-l* _LOCAL_, *--local* _LOCAL_::
If specified, make the signature(s) local-only (i.e. non-exportable, don't push to a keyserver).
See *BATCHFILE/LOCAL* for more information on local signatures.

*-n*, *--no-notify*::
This requires some explanation. If you have MSMTPfootnote:[\http://msmtp.sourceforge.net/] installed and configured for the currently active user,
then we will send out emails to recipients letting them know we have signed their key. However, if MSMTP is installed and configured
but this flag is given, then we will NOT attempt to send emails.

*-s* _KEYSERVER(S)_, *--keyservers* _KEYSERVER(S)_::
The comma-separated keyserver(s) to push to. The default keyserver list is automatically generated at runtime.

*-b*, *--batch*::
If specified, operate in batch mode. See *BATCHFILE* for more information.

*-D* _GPGDIR_, *--gpgdir* _GPGDIR_::
The GnuPG configuration directory to use (containing your keys, etc.). The default is automatically generated at runtime,
but will probably be */home/<yourusername>/.gnupg* or similar.

*-T*, *--testkeyservers*::
If specified, initiate a basic test connection with each set keyserver before anything else. Disabled by default.

== KEY ID FORMAT

Key IDs can be specified in one of two ways. The first (and preferred) way is to use the full 160-bit (40-character, hexadecimal) key ID.
A little-known fact is that the fingerprint of a key:

*DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF*

is actually the full key ID of the primary key; i.e.:

*DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF*

The second way to specify a key, as far as KANT is concerned, is to use an email address.
Do note that if more than one key is found that matches the given email address (and more than one usually is), you will be prompted to select the specific
correct key ID anyway, so it is usually a better idea to have the owner present their full key ID/fingerprint right from the get-go.

== BATCHFILE

=== Format

The batch file is a CSV-formatted (comma-delimited) file containing keys to sign and other information about them. It keeps the following format:

*KEY_ID,TRUSTLEVEL,LOCAL,CHECKLEVEL,NOTIFY*

For more information on each column, reference the appropriate sub-section below.

=== KEY_ID

See *KEY ID FORMAT*.

=== TRUSTLEVEL

The _TRUSTLEVEL_ is specified by the following levels (you can use either the numeric or string representation):

[subs=+quotes]
....
*-1 = Never
0 = Unknown
1 = Untrusted
2 = Marginal
3 = Full
4 = Ultimate*
....

It is how much trust to assign to a key, and the signatures that key makes on other keys.footnote:[For more information
on trust levels and the Web of Trust, see: \https://www.gnupg.org/gph/en/manual/x334.html and \https://www.gnupg.org/gph/en/manual/x547.html]

=== LOCAL

Whether or not to push to a keyserver. It can be either the numeric or string representation of the following:

[subs=+quotes]
....
*0 = False
1 = True*
....

If *1/True*, KANT will sign the key with a local signature (and the signature will not be pushed to a keyserver or be exportable).footnote:[For
more information on pushing to keyservers and local signatures, see: \https://www.gnupg.org/gph/en/manual/r899.html#LSIGN and
\https://lists.gnupg.org/pipermail/gnupg-users/2007-January/030242.html]

=== CHECKLEVEL

The amount of checking that has been done to confirm that the owner of the key is who they say they are and that the key matches their provided information.
It can be either the numeric or string representation of the following:

[subs=+quotes]
....
*0 = Unknown
1 = None
2 = Casual
3 = Careful*
....

It is up to you to determine the classification of the amount of checking you have done, but the following is recommended (it is the policy
the author follows):

[subs=+quotes]
....
*Unknown:* The key is unknown and has not been reviewed

*None:*    The key has been signed, but no confirmation of the
           ownership of the key has been performed (typically
           a local signature)

*Casual:*  The key has been presented and the owner is either
           known to the signer or they have provided some form
           of non-government-issued identification or other
           proof (website, Keybase.io, etc.)

*Careful:* The same as *Casual* requirements but they have
           provided a government-issued ID and all information
           matches
....

It's important to check each key you sign carefully. Failure to do so may hurt others' trust in your key.footnote:[GnuPG documentation refers
to this as "validity"; see \https://www.gnupg.org/gph/en/manual/x334.html]
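
The following Python is an added example and is not KANT's own code. It ties together the *KEY ID FORMAT* section (a fingerprint with or without spaces is the same 40-hex-digit key ID; an email address is the other accepted form) and the *BATCHFILE* sections above: it parses `KEY_ID,TRUSTLEVEL,LOCAL,CHECKLEVEL,NOTIFY` rows, accepts either the numeric or the string representation of each level exactly as listed, and then flags any row that would push an exportable signature for a key whose ownership was checked at the `Unknown` or `None` level, which the recommended policy pairs with a local signature instead. The manpage does not define the values of the NOTIFY column, so the example assumes it takes `0`/`False` or `1`/`True` like LOCAL; it also assumes blank lines and lines starting with `#` are comments, and uses a deliberately loose email shape. The batch contents, fingerprint and address are constructed placeholders.

```python
"""Added example (not part of KANT): parse and sanity-check a KANT-style batch file."""
import csv
import io
import re

# Numeric and string representations exactly as listed in the BATCHFILE section.
TRUST_LEVELS = {-1: "Never", 0: "Unknown", 1: "Untrusted",
                2: "Marginal", 3: "Full", 4: "Ultimate"}
CHECK_LEVELS = {0: "Unknown", 1: "None", 2: "Casual", 3: "Careful"}
BOOL_LEVELS = {0: "False", 1: "True"}   # LOCAL; assumed to apply to NOTIFY as well

FPR_RE = re.compile(r"^[0-9A-F]{40}$")                # full 160-bit fingerprint
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumption: loose email shape


def normalize_key_id(value):
    """Return ("fpr", FPR) or ("email", address).

    A fingerprint is accepted with or without the spaces gpg prints:
    "DEAD BEEF ..." and "DEADBEEF..." are the same 40 hex digits.
    """
    text = value.strip()
    compact = text.replace(" ", "").upper()
    if FPR_RE.match(compact):
        return ("fpr", compact)
    if EMAIL_RE.match(text):
        return ("email", text.lower())
    raise ValueError(f"not a 40-hex-digit fingerprint or an email address: {value!r}")


def parse_level(value, table, column):
    """Map a numeric or (case-insensitive) string level to its number."""
    text = value.strip()
    try:
        number = int(text)
    except ValueError:
        by_name = {name.lower(): num for num, name in table.items()}
        if text.lower() not in by_name:
            raise ValueError(f"{column}: unknown level {value!r}") from None
        return by_name[text.lower()]
    if number not in table:
        raise ValueError(f"{column}: level {number} out of range")
    return number


def parse_batchfile(text):
    """Parse KEY_ID,TRUSTLEVEL,LOCAL,CHECKLEVEL,NOTIFY rows into dicts."""
    rows = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue  # assumption: blank and '#' comment lines are ignored
        if len(row) != 5:
            raise ValueError(f"line {lineno}: expected 5 columns, got {len(row)}")
        key_id, trust, local, check, notify = row
        kind, ident = normalize_key_id(key_id)
        rows.append({
            "line": lineno,
            "key_type": kind,
            "key": ident,
            "trust": parse_level(trust, TRUST_LEVELS, "TRUSTLEVEL"),
            "local": bool(parse_level(local, BOOL_LEVELS, "LOCAL")),
            "check": parse_level(check, CHECK_LEVELS, "CHECKLEVEL"),
            "notify": bool(parse_level(notify, BOOL_LEVELS, "NOTIFY")),
        })
    return rows


def lint_rows(rows):
    """Flag rows that would push an exportable signature without verified
    ownership (CHECKLEVEL Unknown or None while LOCAL is False); the
    recommended policy pairs 'None' with a local signature."""
    warnings = []
    for row in rows:
        if row["check"] <= 1 and not row["local"]:
            warnings.append(
                f"line {row['line']}: exportable signature on {row['key']} "
                f"with CHECKLEVEL {CHECK_LEVELS[row['check']]}")
    return warnings


# Constructed sample batch file; the fingerprint and address are placeholders.
CONSTRUCTED_BATCH = """\
# key_id,trustlevel,local,checklevel,notify
DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF,2,0,Casual,1
alice@example.com,Marginal,1,None,0
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,Full,0,1,True
"""

if __name__ == "__main__":
    parsed = parse_batchfile(CONSTRUCTED_BATCH)
    for entry in parsed:
        print(entry)
    for warning in lint_rows(parsed):
        print("WARNING:", warning)
```

Run as a script it prints the three parsed rows and one warning for the last row, where an exportable signature is requested at CHECKLEVEL `None`. Rejecting unknown levels outright rather than guessing is deliberate: a silently misread trust or check level would end up in a signature published to keyservers.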

== SEE ALSO

gpg(1), gpgconf(1)

== RESOURCES

*Author's web site:* https://square-r00t.net/

*Author's GPG information:* https://square-r00t.net/gpg-info

== COPYING

Copyright \(C) 2017 {author}.

Free use of this software is granted under the terms of the GPLv3 License.