pius's Introduction

PIUS: The PGP Individual UID Signer

Introduction

Signing keys after a PGP keysigning party can take a lot of time. Further, it's very difficult to do right: signing each UID separately and emailing it off is not something tools make easy. I wanted to solve both of those problems and make signing keys the right, most secure way easier and faster. PIUS and its related tools make this process simpler, faster, and easier to get right.

Installation

PIUS is packaged in a wide variety of distributions; the table below lists them. If your distribution or OS is listed, using the included package manager is by far the easiest method of installation.

Packaging status

If PIUS isn't available for your OS or distribution, see the INSTALL file for instructions on installing from source.

Usage

The most common way to use PIUS is with a keyring from a keysigning party, like this:

$ pius -A -s <your_keyid> -r <path_to_keyring> -m <your_email>

For every key (-A) on the keyring (-r) this will prompt you to verify the fingerprint and choose a signing level. Then, if you tell it to, it will sign all UIDs on <keyid>, and export one copy of the key for each UID with only that UID signed. Each one will then be encrypt-emailed off to the email address in the UID (-m). Finally, -s tells it which key to sign with.

There are a variety of other options that you may want:

  • customize the tmpdir and outdir directories (-t and -o respectively)
  • encrypt the outfiles to <filename>_ENCRYPTED.asc (-e)
  • import the unsigned keys to the default keyring (-I)
  • verbose mode (-v)
  • customize mail hostname and port (-H and -P respectively)
  • customize the email message (-M)
  • don't use PGP/Mime in the email (-O, implies -e)
  • specify SMTPAUTH (-u) and either STARTTLS (-S) or SSL (--ssl) for SMTP

And more! See the '-h' option for more.

Security Implications

As of 3.0, PIUS only works with gpg2 and later, and thus only works with a GPG Agent. Therefore, PIUS can never come into contact with your passphrase or your unencrypted private key.

Sending Emails

When PIUS emails out keys it BCCs you, so you will get a copy of every email sent out. If you would like to see what is going to be sent without sending it, you can have PIUS dump the text of the default email body:

$ pius -T

Alternatively, you can use the -n option to forcefully override the TO in the envelope of the email. When doing this, only the address specified as an argument to -n will get the email.

If you want to see the email sent when not using PGP/Mime then try:

$ pius -T -O

If you want to customize this message you can do so with the -M option. Note that you may use Python's named variable interpolation syntax here to have PIUS fill in email (the email in the UID, i.e. the recipient), keyid (of the key that was signed), and signer (the keyid used to sign, i.e. your keyid). For example, you can simply include "%(keyid)s" (without the quotes) to get the keyid.
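A pre-flight check for a custom -M message, as an added example (not part of PIUS): it accepts only the three names listed above and flags any `%` that is neither a `%(name)s` placeholder nor an escaped `%%`. The function names and sample values are hypothetical.

```python
import re

# The three names the README says PIUS fills in.
SUPPORTED = ("email", "keyid", "signer")

# A "%" followed by either "%" (escaped percent) or "(name)s" (placeholder).
# If neither follows, the optional group is empty and the "%" is bare.
_PERCENT = re.compile(r"%(?:(%)|\((\w*)\)s)?")


def check_template(template):
    """Return a list of problems found in a custom message template."""
    problems = []
    for match in _PERCENT.finditer(template):
        escaped, name = match.group(1), match.group(2)
        if escaped:
            continue  # "%%" renders as a literal percent sign
        if name is None:
            # Python parses a bare "%" as the start of a conversion, so a
            # literal percent sign in the message must be doubled.
            problems.append(
                "offset %d: bare '%%' (write '%%%%' for a literal percent sign)"
                % match.start()
            )
        elif name not in SUPPORTED:
            problems.append(
                "offset %d: unknown variable %r" % (match.start(), name)
            )
    return problems


def render(template, email, keyid, signer):
    """Interpolate a template after it has passed check_template()."""
    problems = check_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    return template % {"email": email, "keyid": keyid, "signer": signer}


# Constructed sample templates, not PIUS's default message.
GOOD = "Hi %(email)s, key %(keyid)s was signed by %(signer)s. 100%% verified."
BAD = "I am 100% sure about %(fingerprint)s"
```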

PIUS's default config assumes there is a local mail delivery agent (MDA) available on port 587. If this is not the case for you, you'll want to specify your mail server's information using -H for smtp host, -P for port, and -u for username. For example, for GMail you might use:

-H smtp.gmail.com -P 587 -u <[email protected]>

I recommend you add these settings to your config file so you don't have to type them every time. See the Config File section below.

Note that if you've set up 2-factor authentication with your mail provider, you will need an app-password for this to work. For GMail, see their docs.

Other Platforms

On non-UNIX platforms such as MacOS and Windows, the default gpg path will likely be incorrect, so you'll want to use -b to specify the path.

Config File

You can specify options you'd like to always use in a ~/.pius/piusrc file. The format of this file is option=value. The "=value" part is obviously not required for options that don't have a value. An example might be:

[email protected]
tmp-dir=/home/you/pius/tmp
use-agent

PIUS will accept =, : or whitespace as a separator, and will handle extra whitespace around any separator.
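The separator rules above, as an added example (not PIUS's own parser): the sketch reads piusrc-style lines and turns them into long-option arguments. Mapping each entry to `--option=value` is an assumption made for illustration, as are the function names and the sample values.

```python
import re

# One piusrc entry: an option name, then optionally a separator ("=", ":" or
# whitespace, with any extra whitespace around it) and a value.
_ENTRY = re.compile(r"^([^\s=:]+)\s*[=:]?\s*(.*)$")


def parse_piusrc(text):
    """Return a list of (option, value) pairs; value is None for bare flags.

    Hypothetical helper for illustration only. Blank lines are skipped, and
    a repeated option is rejected so that a later line cannot silently
    override an earlier one (a choice of this sketch, not a PIUS rule).
    """
    entries, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = _ENTRY.match(line)
        # Entries are written without leading dashes, as in the README sample.
        if match is None or line.startswith("-"):
            raise ValueError(
                "line %d: not an option[=value] entry: %r" % (lineno, raw)
            )
        option, value = match.group(1), match.group(2)
        if option in seen:
            raise ValueError("line %d: option %r repeated" % (lineno, option))
        seen.add(option)
        entries.append((option, value or None))
    return entries


def to_argv(entries):
    """Assumed mapping: each entry becomes the matching long option."""
    return [
        "--%s" % opt if val is None else "--%s=%s" % (opt, val)
        for opt, val in entries
    ]


# Constructed sample exercising all three separators and a bare flag.
SAMPLE = """\
mail=you@example.org
tmp-dir : /home/you/pius/tmp
mail-host   smtp.example.org
use-agent
"""
```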

History

PIUS started life as a group of bad shell scripts I had thrown together through the years after going to various PGP keysigning parties. These scripts automated various bits and pieces of signing various keys and UIDs, but fell short of actually making it a mostly painless process.

Finally I decided to sit down and combine all these shell scripts into a single unified utility to make signing individual UIDs on a multitude of keys as painless as possible. Since this was going to be mostly forking off gpg instances, it seemed like shell was the way to go. However, after dealing with gpg and its "API" for a while, I quickly realized that was not going to be the best course of action. Since I wanted an excuse to write more python, instead of my usual perl, I decided to write this in python.

The original version heavily used the pexpect module for various reasons: (1) I wanted to be able to let the user enter the passphrase directly into gpg for security reasons, (2) using the --{command,passphrase,status}-fd options turned out to be not that well documented and did not work the way the documentation suggested.

This method quickly showed itself to be very fragile. So, I managed to bend gpg to my will without using pexpect, and the only thing left that uses pexpect was the 'interactive' mode, which has been removed now that gpg-agent is both required in gpg 2.x and stable.

License

PIUS is released under the GNU Public License v2 and is Copyright Phil Dibowitz <[email protected]>.

Phil Dibowitz

[email protected]

pius's People

Contributors

ald, baldurmen, cbrownstein, coderanger, colindean, dllud, felixonmars, georgemarshall, jaymzh, lechner, lhirlimann, mattbnz, maximbaz, mdujava, nertpinx, oleeander, philpennock, pstarrev, qulogic, rasa, sebastianw, tresni

pius's Issues

Crash with ed25519/gpg 2.0

gpg 2.1 introduced support for ed25519. When using pius with gpg 2.0(.30, mac) and trying to sign such keys pius crashes, rather than reporting that it cannot handle this key type.

Fails at creating keyring

[ludo@Oulanl pius]$ ls -l $HOME/sfoksp2017.gpg
ls: cannot access '$HOME/sfoksp2017.gpg': No such file or directory
[ludo@Oulanl pius]$ pius-keyring-mgr build -r /home/ludovic/sfoksp2017.gpg -b /home/ludo/.thunderbird/cs7eroe0.default/Mail/Local\ Folders/kspsfo2017 -m [email protected] -p "Ksp October 2017 SFO/Mozilla"
Found 35 keys in mbox: 34 fingerprints and 1 full keys
NOT Found B3862B05DBAFEC0F
NOT Found 956347F6FBF3A415
NOT Found 51E71B754A09B187
NOT Found B574896780AF07D3
NOT Found 2222222222222222
NOT Found CC8BAD2DF14BA71F
NOT Found EBCA4777BC7A8032
NOT Found A3ADB67A2CDB8B35
NOT Found 709700cdc86c5f3f
NOT Found 5667263747164796
NOT Found d61627b6564796e6
NOT Found 765637f2c6f676f6
NOT Found 76C4315D71A9FECC
NOT Found 4231A03EEC286D08
NOT Found FF77C2E936AEFFF3
NOT Found 262667D75A93A3DE
NOT Found AACCAC21430AF5E7
NOT Found AC8DD49B5C88FF9D
Sending mail to ['[email protected]', '[email protected]']
Traceback (most recent call last):
File "/usr/bin/pius-keyring-mgr", line 632, in
main()
File "/usr/bin/pius-keyring-mgr", line 629, in main
options.mail_text)
File "/usr/bin/pius-keyring-mgr", line 358, in send_emails
self._send_email(override_email, k)
File "/usr/bin/pius-keyring-mgr", line 278, in _send_email
smtp = smtplib.SMTP('localhost', '587')
File "/usr/lib64/python2.7/smtplib.py", line 256, in init
(code, msg) = self.connect(host, port)
File "/usr/lib64/python2.7/smtplib.py", line 316, in connect
self.sock = self._get_socket(host, port, self.timeout)
File "/usr/lib64/python2.7/smtplib.py", line 291, in _get_socket
return socket.create_connection((host, port), timeout)
File "/usr/lib64/python2.7/socket.py", line 575, in create_connection
raise err
socket.error: [Errno 111] Connection refused

entropy issue unable to sign any key (tested with latest git too)

Hi. I'm still on my way to sign my FOSDEM 2015 keys, nearly one year after the event... Support for gpg2 has arrived in pius, but I am far from being able to sign all of these keys. There is currently no tool which could allow me to do that without an issue. pius, caff, gcaff all have an issue at some steps.

Setting debug
NOTE: -O and -m are present, turning on -e
NOTE: -u is present, turning off -S.
DEBUG: Running: /usr/bin/gpg2 --version
Please enter your mail server password: 
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /home/wget/.gnupg/pubring.kbx --fingerprint 24735DD835689C84
pub   rsa4096/24735DD835689C84 2014-06-07 [expires: 2019-06-06]
      Key fingerprint = 47B2 2252 BF69 14DF 964B  B50C 2473 5DD8 3568 9C84
uid                 [ unknown] Carl Olof Erlandsson <[email protected]>
uid                 [ unknown] Carl Olof Erlandsson <[email protected]>
sub   rsa4096/ECE04E5C4291A6C9 2014-06-07 [expires: 2019-06-06]

Have you verified this user/key, and if so, what level do you want to sign at?
  0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q] (default: n) 3

Signing all UIDs on key 24735DD835689C84
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /home/wget/.gnupg/pubring.kbx --no-options --with-colons --edit-key 24735DD835689C84
DEBUG: Got a line pub:-:4096:1:24735DD835689C84:1402173083:1559853083::-:::sc
DEBUG: Got a line fpr:::::::::47B22252BF6914DF964BB50C24735DD835689C84:
DEBUG: Got a line sub:-:4096:1:ECE04E5C4291A6C9:1402173083:1559853083:::::e
DEBUG: Got a line fpr:::::::::9B17D39506DA7F91BE5558EAECE04E5C4291A6C9:
DEBUG: Got a line uid:-::::::::Carl Olof Erlandsson <[email protected]>:::S9 S8 S7 S3 S2 S1 H8 H2 H9 H10 H11 Z2 Z3 Z1,mdc,no-ks-modify:1,p:
DEBUG: Got UID Carl Olof Erlandsson <[email protected]> with status -
DEBUG: got email [email protected]
DEBUG: 24735DD835689C84__calle_at_thoughtbot.com__0E7DE52C04D71683 isn't in []
DEBUG: Got a line uid:-::::::::Carl Olof Erlandsson <[email protected]>:::S9 S8 S7 S3 S2 S1 H8 H2 H9 H10 H11 Z2 Z3 Z1,mdc,no-ks-modify:2,:
DEBUG: Got UID Carl Olof Erlandsson <[email protected]> with status -
DEBUG: got email [email protected]
DEBUG: 24735DD835689C84__calle_at_calleerlandsson.com__0E7DE52C04D71683 isn't in ['24735DD835689C84__calle_at_thoughtbot.com__0E7DE52C04D71683']
DEBUG: got to command prompt
DEBUG: quitting
DEBUG: waiting
  There are 2 UIDs on this key to sign
DEBUG: exporting 24735DD835689C84
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /home/wget/.gnupg/pubring.kbx --armor --output /tmp/pius_tmp/24735DD835689C84.asc --export 24735DD835689C84 0E7DE52C04D71683
  UID 1 ([email protected]): DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --import-options import-minimal --import /tmp/pius_tmp/24735DD835689C84.asc
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg -u 0E7DE52C04D71683 --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key 24735DD835689C84
DEBUG: Waiting for prompt
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Selecting UID 1
DEBUG: Waiting for ack
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Running sign subcommand
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] GET_BOOL sign_uid.okay

DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] GET_LINE keyedit.prompt

DEBUG: Saving key
signedDEBUG: exporting 24735DD835689C84
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --armor --output /tmp/pius_out/24735DD835689C84__calle_at_thoughtbot.com__0E7DE52C04D71683.asc --export 24735DD835689C84
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --always-trust --armor -r 24735DD835689C84 --output /tmp/pius_out/24735DD835689C84__calle_at_thoughtbot.com__0E7DE52C04D71683_ENCRYPTED.asc -e /tmp/pius_out/24735DD835689C84__calle_at_thoughtbot.com__0E7DE52C04D71683.asc
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] PROGRESS need_entropy X 8 16
Traceback (most recent call last):
  File "/home/wget/IT/Dev/pius/pius", line 338, in <module>
    main()
  File "/home/wget/IT/Dev/pius/pius", line 322, in main
    if signer.sign_all_uids(key, retval):
  File "/home/wget/IT/Dev/pius/libpius/signer.py", line 767, in sign_all_uids
    self.encrypt_signed_uid(key, uid['file'])
  File "/home/wget/IT/Dev/pius/libpius/signer.py", line 436, in encrypt_signed_uid
    raise EncryptionUnknownError(line)
libpius.exceptions.EncryptionUnknownError: [GNUPG:] PROGRESS need_entropy X 8 16

Any idea about this new issue? This clearly indicates there is an entropy issue. But I have rng-tools enabled and this one is working flawlessly. Using the gpg command manually is working properly though. Why isn't this working with pius?

pius crashes on GET_LINE keyedit.prompt

Trying to sign my 117 FOSDEM keys, I was experiencing a weird bug with Pius, even with the latest code from the Git master branch. Pius seems to crash when pgp answers by GET_LINE. I could bypass the check at line 629, but I don't know what would be the consequences.

Welcome to PIUS, the PGP Individual UID Signer.

NOTE: See the README about security implications.
Please enter your PGP passphrase:
Please enter your mail server password:
pub rsa4096/25BF484F08AB4849 2013-02-18 [expires: 2016-04-01]
Key fingerprint = 569D E362 A219 F26B 2C0F 3B7A 25BF 484F 08AB 4849
uid [ unknown] Niels Laukens
uid [ unknown] Niels Laukens [email protected]
uid [ unknown] Niels Laukens (FOSDEM) [email protected]
sub rsa4096/4FE0DE7E265FB534 2014-12-13 [expires: 2016-04-01]
sub rsa4096/D810E3BDB2F490BC 2014-12-13 [expires: 2016-04-01]

Have you verified this user/key, and if so, what level do you want to sign at?
0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q](default: n) 3

Signing all UIDs on key 25BF484F08AB4849
There are 3 UIDs on this key to sign
UID 1 (Niels_Laukens): ERROR: GPG didn't sign.
Traceback (most recent call last):
File "./pius", line 395, in
main()
File "./pius", line 379, in main
if signer.sign_all_uids(key, retval):
File "/home/wget/IT/Dev/pius/libpius/signer.py", line 676, in sign_all_uids
res = self.sign_uid(key, uid['index'], level)
File "/home/wget/IT/Dev/pius/libpius/signer.py", line 629, in sign_uid
raise GpgUnknownError(line)
libpius.exceptions.GpgUnknownError: [GNUPG:] GET_LINE keyedit.prompt

With debug mode enabled:

(master)[wget@hermes pius]$ python2.7 ./pius -d --mail-host=xxx.com --mail=[email protected] --signer=0E7DE52C04D71683 $(echo $list) --mail-user=[email protected] --keyring=~/.gnupg/pubring.kbx --override-email=[email protected]
Welcome to PIUS, the PGP Individual UID Signer.

Setting debug
NOTE: See the README about security implications.
Please enter your PGP passphrase:
DEBUG: ['/usr/bin/gpg', '--keyid-format', 'long', '-q', '--no-tty', '--no-auto-check-trustdb', '--batch', '--no-armor', '--always-trust', '-r', '0E7DE52C04D71683', '-e', '/tmp/pius_tmp/pius_tmp']
DEBUG: ['/usr/bin/gpg', '--keyid-format', 'long', '-q', '--no-tty', '--no-auto-check-trustdb', '--batch', '--command-fd', '0', '--passphrase-fd', '0', '--status-fd', '1', '--output', '/tmp/pius_tmp/pius_tmp2', '-d', '/tmp/pius_tmp/pius_tmp.gpg']
DEBUG: Sending passphrase
DEBUG: wait()ing on gpg
Please enter your mail server password:
DEBUG: ['/usr/bin/gpg', '--keyid-format', 'long', '-q', '--no-tty', '--no-auto-check-trustdb', '--batch', '--no-default-keyring', '--keyring', '/home/wget/.gnupg/pubring.kbx', '--fingerprint', '25BF484F08AB4849']
pub rsa4096/25BF484F08AB4849 2013-02-18 [expires: 2016-04-01]
Key fingerprint = 569D E362 A219 F26B 2C0F 3B7A 25BF 484F 08AB 4849
uid [ unknown] Niels Laukens
uid [ unknown] Niels Laukens [email protected]
uid [ unknown] Niels Laukens (FOSDEM) [email protected]
sub rsa4096/4FE0DE7E265FB534 2014-12-13 [expires: 2016-04-01]
sub rsa4096/D810E3BDB2F490BC 2014-12-13 [expires: 2016-04-01]

Have you verified this user/key, and if so, what level do you want to sign at?
0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q](default: n) 3

Signing all UIDs on key 25BF484F08AB4849
DEBUG: ['/usr/bin/gpg', '--keyid-format', 'long', '-q', '--no-tty', '--no-auto-check-trustdb', '--batch', '--command-fd', '0', '--passphrase-fd', '0', '--status-fd', '1', '--no-default-keyring', '--keyring', '/home/wget/.gnupg/pubring.kbx', '--no-options', '--with-colons', '--edit-key', '25BF484F08AB4849']
DEBUG: Got a line [GNUPG:] KEYEXPIRED 1396353588
DEBUG: Got a line [GNUPG:] KEYEXPIRED 1427882391
DEBUG: Got a line pub:-:4096:1:25BF484F08AB4849:1361218378:1459526401::-:::sc
DEBUG: Got a line fpr:::::::::569DE362A219F26B2C0F3B7A25BF484F08AB4849:
DEBUG: Got a line sub:e:4096:1:50D362AFBC565821:1361223395:1396353582:::::e
DEBUG: Got a line fpr:::::::::7354A5A725A96B65E2DD660750D362AFBC565821:
DEBUG: Got a line sub:e:4096:1:DDF18CE10D7AC10C:1361223585:1396353588:::::s
DEBUG: Got a line fpr:::::::::A94E9B41E8943BDCC48694D9DDF18CE10D7AC10C:
DEBUG: Got a line sub:e:4096:1:A7829D04C69C578D:1387451398:1427882391:::::s
DEBUG: Got a line fpr:::::::::2EFFEDBB5C3466A41B6D1D2CA7829D04C69C578D:
DEBUG: Got a line sub:e:4096:1:13F552BB4E87B2C5:1387451764:1427882389:::::e
DEBUG: Got a line fpr:::::::::AB2BA0D826E40484128329DA13F552BB4E87B2C5:
DEBUG: Got a line sub:[GNUPG:] KEYEXPIRED 1396353588
DEBUG: Got a line [GNUPG:] KEYEXPIRED 1427882391
DEBUG: Got a line -:4096:1:4FE0DE7E265FB534:1418477951:1459526328:::::s
DEBUG: Got a line fpr:::::::::217A91942C1A3713485E5A7F4FE0DE7E265FB534:
DEBUG: Got a line sub:-:4096:1:D810E3BDB2F490BC:1418478602:1459526387:::::e
DEBUG: Got a line fpr:::::::::4D75342A53830731CCEF5390D810E3BDB2F490BC:
DEBUG: Got a line uid:-::::::::Niels Laukens:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:1,p:
DEBUG: Got UID Niels Laukens with status -
DEBUG: no email
DEBUG: 25BF484F08AB4849__Niels_Laukens__0E7DE52C04D71683 isn't in []
DEBUG: Got a line uid:-::::::::Niels Laukens [email protected]:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:2,:
DEBUG: Got UID Niels Laukens [email protected] with status -
DEBUG: got email [email protected]
DEBUG: 25BF484F08AB4849__niels_at_dest-unreach.be__0E7DE52C04D71683 isn't in ['25BF484F08AB4849__Niels_Laukens__0E7DE52C04D71683']
DEBUG: Got a line uid:-::::::::Niels Laukens (FOSDEM) [email protected]:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:3,:
DEBUG: Got UID Niels Laukens (FOSDEM) [email protected] with status -
DEBUG: got email [email protected]
DEBUG: 25BF484F08AB4849__niels_at_fosdem.org__0E7DE52C04D71683 isn't in ['25BF484F08AB4849__Niels_Laukens__0E7DE52C04D71683', '25BF484F08AB4849__niels_at_dest-unreach.be__0E7DE52C04D71683']
DEBUG: got to command prompt
DEBUG: quitting
DEBUG: waiting
There are 3 UIDs on this key to sign
DEBUG: exporting 25BF484F08AB4849
DEBUG: ['/usr/bin/gpg', '--keyid-format', 'long', '-q', '--no-tty', '--no-auto-check-trustdb', '--batch', '--no-default-keyring', '--keyring', '/home/wget/.gnupg/pubring.kbx', '--armor', '--output', '/tmp/pius_tmp/25BF484F08AB4849.asc', '--export', '25BF484F08AB4849', '0E7DE52C04D71683']
UID 1 (Niels_Laukens): DEBUG: ['/usr/bin/gpg', '--keyid-format', 'long', '-q', '--no-tty', '--no-auto-check-trustdb', '--batch', '--no-default-keyring', '--keyring', '/tmp/pius_tmp/pius_keyring.gpg', '--import-options', 'import-minimal', '--import', '/tmp/pius_tmp/25BF484F08AB4849.asc']
DEBUG: ['/usr/bin/gpg', '--keyid-format', 'long', '-q', '--no-tty', '--no-auto-check-trustdb', '--batch', '--command-fd', '0', '--passphrase-fd', '0', '--status-fd', '1', '--no-default-keyring', '--keyring', '/tmp/pius_tmp/pius_keyring.gpg', '-u', '0E7DE52C04D71683', '--default-cert-level', '3', '--no-ask-cert-level', '--edit-key', '25BF484F08AB4849']
DEBUG: Sending passphrase
DEBUG: Waiting for prompt
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] KEYEXPIRED 1396353588
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] KEYEXPIRED 1427882391
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Selecting UID 1
DEBUG: Waiting for ack
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Running sign subcommand
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] GET_BOOL sign_uid.okay

DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] GET_LINE keyedit.prompt

ERROR: GPG didn't sign.
Traceback (most recent call last):
File "./pius", line 395, in
main()
File "./pius", line 379, in main
if signer.sign_all_uids(key, retval):
File "/home/wget/IT/Dev/pius/libpius/signer.py", line 676, in sign_all_uids
res = self.sign_uid(key, uid['index'], level)
File "/home/wget/IT/Dev/pius/libpius/signer.py", line 629, in sign_uid
raise GpgUnknownError(line)
libpius.exceptions.GpgUnknownError: [GNUPG:] GET_LINE keyedit.prompt

Hang when trying to apply signature policy

Trying to sign many keys after a key signing party.
Pius version is 2.2.2. This has been observed in both GnuPG 1.4.18 and GnuPG 2.0.26 (running in TAILS).

Add a policy URL to the options at invocation. Call looks like:
./pius -s 8602A07 -A -r keyring.gpg -U https:://ksp.dephraser.net/ksp_20160426.html -m [email protected] -N -d

I have attached the main body of the output. It appears GPG doesn't respond as expected and pius gets caught in an infinite while waiting for gpg to respond.

Still trying to work this one out myself but putting this here if people with a bit more experience automating GPG stuff might know something I don't.

Any questions let me know.

Cheers

out.txt

Default mail server is 'None' instead of 'localhost'

Pius 2.2.4 on Debian unstable.

The man page says:

       -H HOSTNAME, --mail-host=HOSTNAME
              Hostname of SMTP server. [default: localhost]

Without using -H I get

...
There was a problem talking to the mail server (None): please run connect() first

Adding `-H localhost` fixes it.

Unable to sign keys with GPG in pius

Summary

pius is unable to sign keys in a keyring due to an unknown error with GnuPG.

Description

Whenever I try signing keys in a keyring, pius is unable to sign the keys as expected. This results in me running through the entire keyring, and then at the end, it abruptly ends as there are no exported signatures at the end of the process.

The full debug stacktrace is below.

  • Operating system: Fedora 25
  • Pius version: 2.2.2-1.fc25
  • GPG version: 2.1.13
  • Keyid used to sign with: 39E45FB6014131E4

Stacktrace

$ pius -A -r ~/.gnupg/fosdem-test.gpg -s 014131E4 -m [email protected] -H mail.privateemail.com -P 465 -d -v
Welcome to PIUS, the PGP Individual UID Signer.

Setting debug
DEBUG: Running: /usr/bin/gpg2 --version
DEBUG: extracting all keyids from keyring
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb --no-default-keyring --keyring /home/jflory/.gnupg/fosdem-test.gpg --no-options --with-colons --keyid-format long --fingerprint --fixed-list-mode
DEBUG: Got id 79E924EBEDA7F3FD for Alexander John Fisher <[email protected]>
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /home/jflory/.gnupg/fosdem-test.gpg --fingerprint 79E924EBEDA7F3FD
pub   rsa4096/79E924EBEDA7F3FD 2016-07-06 [SC] [expires: 2018-01-11]
      Key fingerprint = EA33 8528 809E 9749 E2C3  0643 79E9 24EB EDA7 F3FD
uid                 [ unknown] Alexander John Fisher <[email protected]>
sub   rsa2048/45C40945D8E04848 2017-01-11 [S] [expires: 2017-07-10]
sub   rsa2048/F36168154EF6BD04 2017-01-11 [E] [expires: 2017-07-10]
sub   rsa2048/44F5719AD9243C47 2017-01-11 [A] [expires: 2017-07-10]

Have you verified this user/key, and if so, what level do you want to sign at?
  0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q] (default: n) 3

Signing all UIDs on key 79E924EBEDA7F3FD
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /home/jflory/.gnupg/fosdem-test.gpg --no-options --with-colons --edit-key 79E924EBEDA7F3FD
DEBUG: Got a line [GNUPG:] KEYEXPIRED 1483367767
DEBUG: Got a line [GNUPG:] KEY_CONSIDERED EA338528809E9749E2C3064379E924EBEDA7F3FD 0
DEBUG: Got a line pub:-:4096:1:79E924EBEDA7F3FD:1467815303:1515692883::-:::sc
DEBUG: Got a line fpr:::::::::EA338528809E9749E2C3064379E924EBEDA7F3FD:
DEBUG: Got a line sub:e:2048:1:44004E31943B1A84:1467815767:1483367767:::::s
DEBUG: Got a line fpr:::::::::83D76180A91D9E751EC5B4DE44004E31943B1A84:
DEBUG: Got a line sub:e:2048:1:9FD90BEBB628DAF9:1467815951:1483367951:::::e
DEBUG: Got a line fpr:::::::::1FA562F8712345D30E7F96B19FD90BEBB628DAF9:
DEBUG: Got a line sub:e:2048:1:72F872415E98DE9E:1467816037:1483368037:::::a
DEBUG: Got a line fpr:::::::::25D1513DCFF297B613DF298572F872415E98DE9E:
DEBUG: Got a line sub:[GNUPG:] KEYEXPIRED 1483367767
DEBUG: Got a line [GNUPG:] KEY_CONSIDERED EA338528809E9749E2C3064379E924EBEDA7F3FD 0
DEBUG: Got a line -:2048:1:45C40945D8E04848:1484157002:1499709002:::::s
DEBUG: Got a line fpr:::::::::948019243DFF1F6D1E0CD58C45C40945D8E04848:
DEBUG: Got a line sub:-:2048:1:F36168154EF6BD04:1484157064:1499709064:::::e
DEBUG: Got a line fpr:::::::::64A27DCBFFC57D5B05B11C1CF36168154EF6BD04:
DEBUG: Got a line sub:-:2048:1:44F5719AD9243C47:1484157092:1499709092:::::a
DEBUG: Got a line fpr:::::::::4FCF9A2CDE623D9E5250B10744F5719AD9243C47:
DEBUG: Got a line uid:-::::::::Alexander John Fisher <[email protected]>:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:1,p::
DEBUG: Got UID Alexander John Fisher <[email protected]> with status -
DEBUG: got email [email protected]
DEBUG: 79E924EBEDA7F3FD__alex_at_linfratech.co.uk__014131E4 isn't in []
DEBUG: got to command prompt
DEBUG: quitting
DEBUG: waiting
  There is 1 UID on this key to sign
DEBUG: exporting 79E924EBEDA7F3FD
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /home/jflory/.gnupg/fosdem-test.gpg --armor --output /tmp/pius_tmp/79E924EBEDA7F3FD.asc --export 79E924EBEDA7F3FD 014131E4
  UID 1 ([email protected]): DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --import-options import-minimal --import /tmp/pius_tmp/79E924EBEDA7F3FD.asc
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg -u 014131E4 --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key 79E924EBEDA7F3FD
DEBUG: Waiting for prompt
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] KEYEXPIRED 1483367767
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] KEY_CONSIDERED EA338528809E9749E2C3064379E924EBEDA7F3FD 0
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Selecting UID 1
DEBUG: Waiting for ack
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Running sign subcommand
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] INV_SGNR 9 014131E4

  ERROR: GnuPG reported an unknown error
  Signed UNencrypted keys: 
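
The traces in the issues above end on `[GNUPG:]` status lines such as `PROGRESS need_entropy` and `INV_SGNR 9`. As an added example (not PIUS's code), this sketch shows a status-fd reader that skips informational records while waiting for an expected keyword and decodes `INV_SGNR` reason codes as listed in GnuPG's doc/DETAILS. The function names and the `END_ENCRYPTION` sample are assumptions; the other sample lines are copied from the traces.

```python
STATUS_PREFIX = "[GNUPG:] "

# Keywords that only report state; all three appear in the traces on this
# page. Anything not listed here and not expected is treated as an error,
# so the reader fails closed on records it does not understand.
INFORMATIONAL = {"PROGRESS", "KEYEXPIRED", "KEY_CONSIDERED"}

# Reason codes for INV_SGNR / INV_RECP, from GnuPG's doc/DETAILS (subset).
INV_REASONS = {
    "0": "no specific reason given",
    "1": "not found",
    "2": "ambiguous specification",
    "3": "wrong key usage",
    "4": "key revoked",
    "5": "key expired",
    "9": "not a secret key",
    "10": "key not trusted",
    "13": "key disabled",
}


class GpgStatusError(Exception):
    """Raised when gpg reports an error or an unexpected status keyword."""


def parse_status(line):
    """Return (keyword, args), or None if the line has no status record.

    With --status-fd 1 the status records share stdout with other output,
    so the prefix is searched for anywhere in the line, not only at the
    start (the traces show 'sub:[GNUPG:] KEYEXPIRED ...').
    """
    start = line.find(STATUS_PREFIX)
    if start < 0:
        return None
    fields = line[start + len(STATUS_PREFIX):].split()
    if not fields:
        return None
    return fields[0], fields[1:]


def wait_for(lines, expected):
    """Consume lines until `expected` arrives; return (args, skipped)."""
    skipped = []
    for line in lines:
        parsed = parse_status(line)
        if parsed is None:
            continue  # ordinary output, e.g. a --with-colons listing
        keyword, args = parsed
        if keyword == expected:
            return args, skipped
        if keyword in INFORMATIONAL:
            skipped.append(keyword)
            continue
        if keyword in ("INV_SGNR", "INV_RECP"):
            code = args[0] if args else "?"
            who = args[1] if len(args) > 1 else "?"
            reason = INV_REASONS.get(code, "unlisted reason")
            raise GpgStatusError(
                "%s for %s: %s (reason %s)" % (keyword, who, reason, code)
            )
        raise GpgStatusError(
            "expected %s, got %s %s" % (expected, keyword, " ".join(args))
        )
    raise GpgStatusError("gpg output ended before %s" % expected)


# Status lines copied from the INV_SGNR trace above.
SIGN_TRACE = [
    "[GNUPG:] KEYEXPIRED 1483367767",
    "[GNUPG:] KEY_CONSIDERED EA338528809E9749E2C3064379E924EBEDA7F3FD 0",
    "[GNUPG:] GET_LINE keyedit.prompt",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] GET_LINE keyedit.prompt",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] INV_SGNR 9 014131E4",
]

# PROGRESS line from the entropy trace; END_ENCRYPTION is constructed.
ENCRYPT_TRACE = [
    "[GNUPG:] PROGRESS need_entropy X 8 16",
    "[GNUPG:] END_ENCRYPTION",
]


def replay_sign_trace():
    """Walk SIGN_TRACE the way a signer would; return what was observed."""
    stream = iter(SIGN_TRACE)
    prompt_args, skipped = wait_for(stream, "GET_LINE")
    wait_for(stream, "GOT_IT")      # ack for the UID selection
    wait_for(stream, "GET_LINE")
    wait_for(stream, "GOT_IT")      # ack for the sign command
    try:
        wait_for(stream, "GET_BOOL")
        error = None
    except GpgStatusError as exc:
        error = str(exc)
    return prompt_args, skipped, error
```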

New release?

Looks like the git master runs fine in Python 3 while the latest tag doesn't. Is a new release planned soon? Thanks!

pius fails when trying to confirm signing

[ Migrated from: https://sourceforge.net/p/pgpius/bugs/18/ ]

$ gpg --version
gpg (GnuPG) 2.1.2
libgcrypt 1.6.3

$ pius --version
pius 2.1.0

$ pius -s 1A3AB57F 4592C73F -d
Welcome to PIUS, the PGP Individual UID Signer.

Setting debug
[...]
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] GET_BOOL sign_uid.okay

DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] GET_LINE keyedit.prompt

ERROR: GPG didn't sign.
Traceback (most recent call last):
File "/usr/bin/pius", line 394, in
main()
File "/usr/bin/pius", line 378, in main
if signer.sign_all_uids(key, retval):
File "/usr/lib/python2.7/site-packages/libpius/signer.py", line 675, in sign_all_uids
res = self.sign_uid(key, uid['index'], level)
File "/usr/lib/python2.7/site-packages/libpius/signer.py", line 628, in sign_uid
raise GpgUnknownError(line)
libpius.exceptions.GpgUnknownError: [GNUPG:] GET_LINE keyedit.prompt

full debug output here: http://ix.io/gRx

Crash when using card

My key is stored on a card. When I try to sign, I get:

13:49:16 [mwalster@mwmbp:~] % pius -d 040babe2
Welcome to PIUS, the PGP Individual UID Signer.

Setting debug
NOTE: -u is present, turning off -S.
DEBUG: Running: /usr/local/bin/gpg2 --version
WARNING: You passed in short keyids. Short keyids are forgable and should be avoided.
Type "I understand" to continue: I understand
Please enter your mail server password:
Sorry, cannot authenticate to smtp.gmail.com as [email protected] with that passwword, try again.
Please enter your mail server password:
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --fingerprint 040babe2
pub   4096R/B20CC297040BABE2 2015-06-01 [expires: 2020-05-30]


      Key fingerprint = 8BE8 7F4C 19EF AC17 CB43  4331 B20C C297 040B ABE2
uid               [ultimate] Matthew Walster <[email protected]>

Have you verified this user/key, and if so, what level do you want to sign at?
  0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q] (default: n) 3

Signing all UIDs on key 040babe2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --no-options --with-colons --edit-key 040babe2
DEBUG: Got a line pub:u:4096:1:B20CC297040BABE2:1433175067:1590855067::-:::esca
DEBUG: Got a line fpr:::::::::8BE87F4C19EFAC17CB434331B20CC297040BABE2:
DEBUG: Got a line uid:u::::::::Matthew Walster <[email protected]>:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:1,p:
DEBUG: Got UID Matthew Walster <[email protected]> with status u
DEBUG: got email [email protected]
DEBUG: 040babe2__mwalster_at_fastly.com__0x8783A4A6184156BE isn't in []
DEBUG: got to command prompt
DEBUG: quitting
DEBUG: waiting
  There is 1 UID on this key to sign
DEBUG: exporting 040babe2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /Users/mwalster/.gnupg/pubring.gpg --armor --output /tmp/pius_tmp/040babe2.asc --export 040babe2 0x8783A4A6184156BE
  UID 1 ([email protected]): DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --import-options import-minimal --import /tmp/pius_tmp/040babe2.asc
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg -u 0x8783A4A6184156BE --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key 040babe2
DEBUG: Waiting for prompt
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Selecting UID 1
DEBUG: Waiting for ack
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Running sign subcommand
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] GET_BOOL sign_uid.okay

DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] USERID_HINT 8783A4A6184156BE Matthew Walster <[email protected]>

DEBUG: Got [GNUPG:] NEED_PASSPHRASE 8783A4A6184156BE 8783A4A6184156BE 1 0

DEBUG: Got [GNUPG:] GOOD_PASSPHRASE

DEBUG: Saving key
signedDEBUG: exporting 040babe2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --armor --output /tmp/pius_out/040babe2__mwalster_at_fastly.com__0x8783A4A6184156BE.asc --export 040babe2
DEBUG: Running: /usr/local/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --use-agent --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --no-options --always-trust -u 0x8783A4A6184156BE -aes -r 040babe2 -r 0x8783A4A6184156BE --output /tmp/pius_tmp/pius_tmp.asc /tmp/pius_tmp/pius_tmp
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] BEGIN_SIGNING H8
DEBUG: Got skippable stuff
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] CARDCTRL 3 D2760001240102000006038107570000
Traceback (most recent call last):
  File "/usr/local/Cellar/pius/HEAD/libexec/bin/pius", line 341, in <module>
    main()
  File "/usr/local/Cellar/pius/HEAD/libexec/bin/pius", line 325, in main
    if signer.sign_all_uids(key, retval):
  File "/usr/local/Cellar/pius/HEAD/libexec/lib/python2.7/site-packages/libpius/signer.py", line 790, in sign_all_uids
    self.mailer.send_sig_mail(self.signer, key, uid, self)
  File "/usr/local/Cellar/pius/HEAD/libexec/lib/python2.7/site-packages/libpius/mailer.py", line 225, in send_sig_mail
    signer, uid_data['email'], keyid, uid_data['file'], psign
  File "/usr/local/Cellar/pius/HEAD/libexec/lib/python2.7/site-packages/libpius/mailer.py", line 175, in _generate_pgp_mime_email
    psigner.encrypt_and_sign_file(tmpfile, signed_tmpfile, keyid)
  File "/usr/local/Cellar/pius/HEAD/libexec/lib/python2.7/site-packages/libpius/signer.py", line 887, in encrypt_and_sign_file
    raise EncryptionUnknownError(line)
libpius.exceptions.EncryptionUnknownError: [GNUPG:] CARDCTRL 3 D2760001240102000006038107570000

I'm using the HEAD of pius, as installed by "brew install pius --HEAD" which shows:

13:52:39 [mwalster@mwmbp:~] % pius --version
pius 2.2.2

Sending with gmail: 5.7.0 Must issue a STARTTLS command first. gsmtp

Summary

Pius fails to authenticate through gmail's smtp server

Description

GPG password prompt appears, and there doesn't appear to be any error with signing the keys, but there is never a prompt for a gmail password, no emails are sent, and an error message is displayed:

There was a problem talking to the mail server (smtp.gmail.com): (530, '5.7.0 Must issue a STARTTLS command first. z80sm4271335ywz.49 - gsmtp', '<my email address>')

  • Operating system: Gentoo
  • Pius version: 2.2.4
  • GPG version: 2.2.5

Stacktrace

Command: pius -d -A -H smtp.gmail.com -P 587 -m <my email address@gmail> -s <my signing key ID> -r /path/to/the/pubring.kbx

Output:

pius -d -A -H smtp.gmail.com -P 587 -m <my email address> -s <my signing key ID> -r /path/to/the/pubring.kbx

Welcome to PIUS, the PGP Individual UID Signer.

Setting debug
DEBUG: Running: /usr/bin/gpg2 --version
DEBUG: extracting all keyids from keyring
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb --no-default-keyring --keyring /the/path/to/the/pubring.kbx --no-options --with-colons --keyid-format long --fingerprint --fixed-list-mode
DEBUG: Got id <all the ids> for <all the names> <[all the emails]>

DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /the/path/to/the/pubring.kbx --fingerprint <key id>
<[the key fingerprint and info]>

Have you verified this user/key, and if so, what level do you want to sign at?
  0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q] (default: n) 3

Signing all UIDs on key <key id>
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /the/path/to/the/pubring.kbx --no-options --with-colons --edit-key <key id>
DEBUG: Got a line [GNUPG:] <a few lines and output removed for now because it didn't seem relevant and had some personally identifying details>

DEBUG: Got UID <a few more lines and output removed for now because it didn't seem relevant and had some personally identifying details>

DEBUG: got to command prompt
DEBUG: quitting
DEBUG: waiting
  There are 2 UIDs on this key to sign
DEBUG: exporting <my signing key ID>
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /the/path/to/the/pubring.kbx --armor --output /tmp/pius_tmp/<my signing key ID>.asc --export <my signing key ID>
DEBUG: exporting <their key ID>
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /the/path/to/the/pubring.kbx --armor --output /tmp/pius_tmp/<their key ID>.asc --export <their key ID>
  UID 1 (<their email>): DEBUG: importing <my signing key ID>
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --import-options import-minimal,keep-ownertrust --import /tmp/pius_tmp/<my signing key ID>.asc
DEBUG: importing <their key ID>
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --import-options import-minimal --import /tmp/pius_tmp/<their key ID>.asc
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg -u <my signing key ID> --use-agent --default-cert-level 3 --no-ask-cert-level --edit-key <their key ID>
DEBUG: Waiting for prompt
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] KEY_CONSIDERED <their key ID> 0
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Selecting UID 1
DEBUG: Waiting for ack
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Running sign subcommand
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] KEY_CONSIDERED <my signing key ID> 0

DEBUG: Got KEY_CONSIDERED
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] GET_BOOL sign_uid.okay

DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] PINENTRY_LAUNCHED 31635 gnome3 1.0.0 ? ? ?

DEBUG: Got [GNUPG:] GET_LINE keyedit.prompt

DEBUG: Saving key
signedDEBUG: exporting <their key ID>
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --armor --output /tmp/pius_out/<their key ID>__<their email>__<my signing key ID>.asc --export <their key ID>
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --command-fd 0 --status-fd 1 --use-agent --no-default-keyring --keyring /tmp/pius_tmp/pius_keyring.gpg --no-options --always-trust -u <my signing key ID> -aes -r <their key ID> -r <my signing key ID> --output /tmp/pius_tmp/pius_tmp.asc /tmp/pius_tmp/pius_tmp
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] KEY_CONSIDERED <my signing key ID> 2
DEBUG: Got KEY_CONSIDERED
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] KEY_CONSIDERED <my signing key ID> 0
DEBUG: Got KEY_CONSIDERED
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] KEY_CONSIDERED <their key ID> 0
DEBUG: Got KEY_CONSIDERED
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] BEGIN_SIGNING H8
DEBUG: Got skippable stuff
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] SIG_CREATED S 1 8 00 1521328219 <my signing key ID>
DEBUG: Got skippable stuff
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] BEGIN_ENCRYPTION 2 9
DEBUG: Got GPG_ENC_BEG
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] END_ENCRYPTION
DEBUG: Got GPG_ENC_END
DEBUG: send_mail called with to (<their email address>), subject (Your signed PGP key)

There was a problem talking to the mail server (smtp.gmail.com): (530, '5.7.0 Must issue a STARTTLS command first. z80sm4271335ywz.49 - gsmtp', '<my email address>')

<more of the same with the other UID and then quitting>

Dying at user request

Escape HTML tags in Readme.md

The Readme.md file does not render properly on GitHub. The second paragraph under Usage looks like it contains things inside <angle brackets> which GitHub assumes are HTML tags and passes through so the browser doesn't display them at all.

Crash when using -e mode

As reported by Richard Otero:

Traceback (most recent call last):
File "/usr/local/bin/pius", line 341, in
main()
File "/usr/local/bin/pius", line 325, in main
if signer.sign_all_uids(key, retval):
File "/usr/local/lib/python2.7/dist-packages/libpius/signer.py", line 808, in sign_all_uids
self.pint_filenames(uids)
File "/usr/local/lib/python2.7/dist-packages/libpius/signer.py", line 710, in print_filenames
print ' %(id)s: %(enc_file)s' % uids
TypeError: list indices must be integers, not str

Unable to authenticate with SMTP server

Summary

pius is unable to authenticate with an SMTP server using SSL to send signed keys to the users on a keyring.

Description

Whenever I try logging into my SMTP server to send signed keys, pius is never able to authenticate with my credentials. I last used pius around Sept. 2015 with the PrivateEmail server shown below and it worked then. However, I have tried using two different SMTP servers so I'm not sure how to proceed.

I'm not sure what more would be helpful to this issue, but I can provide more information on request.

Stacktrace

PrivateEmail

$ pius -A -r ~/.gnupg/myring.gpg -s <keyid> -m [email protected] -H mail.privateemail.com -P 465 -u [email protected] -v
Welcome to PIUS, the PGP Individual UID Signer.

NOTE: -u is present, turning off -S.
Please enter your mail server password: 
Traceback (most recent call last):
  File "/usr/bin/pius", line 341, in <module>
    main()
  File "/usr/bin/pius", line 308, in main
    if not mailer.verify_pass():
  File "/usr/lib/python2.7/site-packages/libpius/mailer.py", line 74, in verify_pass
    smtp = smtplib.SMTP(self.host, self.port)
  File "/usr/lib64/python2.7/smtplib.py", line 256, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/lib64/python2.7/smtplib.py", line 317, in connect
    (code, msg) = self.getreply()
  File "/usr/lib64/python2.7/smtplib.py", line 365, in getreply
    + str(e))
smtplib.SMTPServerDisconnected: Connection unexpectedly closed: [Errno 104] Connection reset by peer

SendGrid

$ pius -A -r ~/.gnupg/myring.gpg -s <keyid> -m [email protected] -H smtp.sendgrid.net -P 465 -u myusername -v
Welcome to PIUS, the PGP Individual UID Signer.

NOTE: -u is present, turning off -S.
Please enter your mail server password: 
Traceback (most recent call last):
  File "/usr/bin/pius", line 341, in <module>
    main()
  File "/usr/bin/pius", line 308, in main
    if not mailer.verify_pass():
  File "/usr/lib/python2.7/site-packages/libpius/mailer.py", line 74, in verify_pass
    smtp = smtplib.SMTP(self.host, self.port)
  File "/usr/lib64/python2.7/smtplib.py", line 256, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/lib64/python2.7/smtplib.py", line 317, in connect
    (code, msg) = self.getreply()
  File "/usr/lib64/python2.7/smtplib.py", line 368, in getreply
    raise SMTPServerDisconnected("Connection unexpectedly closed")
smtplib.SMTPServerDisconnected: Connection unexpectedly closed

Pius crashes when signing key containing not only email addresses

Since my rolling release Arch Linux distribution has not used the GnuPG 1.x branch for ages, I was using the branch https://github.com/miquelruiz/pius/tree/gpg-2.1.4 from @miquelruiz. I was trying to sign some keys which do not only contain email addresses but also, for example, an embedded picture. When I try to do so, pius crashes with these kinds of keys.

python2 ./pius -dv --mail-host=smtp.gmail.com --no-pgp-mime [email protected] --signer=0E7DE52C04D71683 -u [email protected] -r ~/.gnupg/pubring.kbx -n [email protected] 15F51B3090884649
Welcome to PIUS, the PGP Individual UID Signer.

Setting debug
NOTE: -O and -m are present, turning on -e
NOTE: See the README about security implications.
Please enter your PGP passphrase: 
DEBUG: ['/usr/bin/gpg', '--keyid-format', 'long', '-q', '--no-tty', '--no-auto-check-trustdb', '--batch', '--no-armor', '--always-trust', '-r', '0E7DE52C04D71683', '-e', '/tmp/pius_tmp/pius_tmp']
DEBUG: ['/usr/bin/gpg', '--keyid-format', 'long', '-q', '--no-tty', '--no-auto-check-trustdb', '--batch', '--command-fd', '0', '--passphrase-fd', '0', '--status-fd', '1', '--output', '/tmp/pius_tmp/pius_tmp2', '-d', '/tmp/pius_tmp/pius_tmp.gpg']
DEBUG: Sending passphrase
DEBUG: wait()ing on gpg
Please enter your mail server password: 
DEBUG: ['/usr/bin/gpg', '--keyid-format', 'long', '-q', '--no-tty', '--no-auto-check-trustdb', '--batch', '--no-default-keyring', '--keyring', '/somePath/.gnupg/pubring.kbx', '--fingerprint', '15F51B3090884649']
pub   rsa4096/15F51B3090884649 2014-11-13
      Key fingerprint = B36E AA8C 4EAF DB59 FAA0  1771 15F5 1B30 9088 4649
uid                 [  undef ] Peter A. Now�e
uid                 [ unknown] Peter Nowee <[email protected]>
uid                 [ unknown] Peter Nowee <[email protected]>
uid                 [ unknown] Peter Nowee <[email protected]>
uid                 [  undef ] [jpeg image of size 8773]
sub   rsa4096/DF9C27A3AEC052B9 2014-11-13 [expires: 2016-11-12]
sub   rsa4096/DB4E8AD69A0414CD 2014-11-13 [expires: 2016-11-12]

Have you verified this user/key, and if so, what level do you want to sign at?
  0-3, Show again, Next, Help, or Quit? [0|1|2|3|s|n|h|q] (default: n) 3

Signing all UIDs on key 15F51B3090884649
DEBUG: ['/usr/bin/gpg', '--keyid-format', 'long', '-q', '--no-tty', '--no-auto-check-trustdb', '--batch', '--command-fd', '0', '--passphrase-fd', '0', '--status-fd', '1', '--no-default-keyring', '--keyring', '/somePath/.gnupg/pubring.kbx', '--no-options', '--with-colons', '--edit-key', '15F51B3090884649']
DEBUG: Got a line pub:q:4096:1:15F51B3090884649:1415885910:0::-:::sc
DEBUG: Got a line fpr:::::::::B36EAA8C4EAFDB59FAA0177115F51B3090884649:
DEBUG: Got a line sub:q:4096:1:DF9C27A3AEC052B9:1415885910:1478960670:::::e
DEBUG: Got a line fpr:::::::::F54A342190918182401193B8DF9C27A3AEC052B9:
DEBUG: Got a line sub:q:4096:1:DB4E8AD69A0414CD:1415886921:1478958921:::::s
DEBUG: Got a line fpr:::::::::3F8F5CC515992FAAD210C5A6DB4E8AD69A0414CD:
DEBUG: Got a line uid:q::::::::Peter A. Nowée:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:1,p:
DEBUG: Got UID Peter A. Nowée with status q
DEBUG: no email
DEBUG: 15F51B3090884649__Peter_A._Nowée__0E7DE52C04D71683 isn't in []
DEBUG: Got a line uid:-::::::::Peter Nowee <[email protected]>:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:2,:
DEBUG: Got UID Peter Nowee <[email protected]> with status -
DEBUG: got email [email protected]
DEBUG: 15F51B3090884649__peter.nowee_at_gmail.com__0E7DE52C04D71683 isn't in ['15F51B3090884649__Peter_A._Now\xc3\xa9e__0E7DE52C04D71683']
DEBUG: Got a line uid:-::::::::Peter Nowee <[email protected]>:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:3,:
DEBUG: Got UID Peter Nowee <[email protected]> with status -
DEBUG: got email [email protected]
DEBUG: 15F51B3090884649__XXX_at_YYY.com__0E7DE52C04D71683 isn't in ['15F51B3090884649__Peter_A._Now\xc3\xa9e__0E7DE52C04D71683', '15F51B3090884649__XXX_at_YYY.com__0E7DE52C04D71683']
DEBUG: Got a line uid:-::::::::Peter Nowee <[email protected]>:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:4,:
DEBUG: Got UID Peter Nowee <[email protected]> with status -
DEBUG: got email [email protected]
DEBUG: 15F51B3090884649__peter.nowee_at_aiba.nl__0E7DE52C04D71683 isn't in ['15F51B3090884649__Peter_A._Now\xc3\xa9e__0E7DE52C04D71683', '15F51B3090884649__XXX_at_YYY.com__0E7DE52C04D71683', '15F51B3090884649__XXX_at_YYY.com__0E7DE52C04D71683']
DEBUG: Got a line uat:q::::::::1 8795:::S9 S8 S7 S3 H10 H9 H8 H11 Z2 Z3 Z1 Z0,mdc,no-ks-modify:5,:
DEBUG: got to command prompt
DEBUG: quitting
DEBUG: waiting
  There are 4 UIDs on this key to sign
DEBUG: exporting 15F51B3090884649
DEBUG: ['/usr/bin/gpg', '--keyid-format', 'long', '-q', '--no-tty', '--no-auto-check-trustdb', '--batch', '--no-default-keyring', '--keyring', '/somePath/.gnupg/pubring.kbx', '--armor', '--output', '/tmp/pius_tmp/15F51B3090884649.asc', '--export', '15F51B3090884649', '0E7DE52C04D71683']
  UID 1 (Peter_A._Nowée): DEBUG: ['/usr/bin/gpg', '--keyid-format', 'long', '-q', '--no-tty', '--no-auto-check-trustdb', '--batch', '--no-default-keyring', '--keyring', '/tmp/pius_tmp/pius_keyring.gpg', '--import-options', 'import-minimal', '--import', '/tmp/pius_tmp/15F51B3090884649.asc']
DEBUG: ['/usr/bin/gpg', '--keyid-format', 'long', '-q', '--no-tty', '--no-auto-check-trustdb', '--batch', '--command-fd', '0', '--passphrase-fd', '0', '--status-fd', '1', '--no-default-keyring', '--keyring', '/tmp/pius_tmp/pius_keyring.gpg', '-u', '0E7DE52C04D71683', '--default-cert-level', '3', '--no-ask-cert-level', '--edit-key', '15F51B3090884649']
DEBUG: Sending passphrase
DEBUG: Waiting for prompt
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Selecting UID 1
DEBUG: Waiting for ack
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Running sign subcommand
DEBUG: Waiting for line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: got line [GNUPG:] GET_LINE keyedit.prompt
DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] GET_BOOL sign_uid.okay

DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] GET_LINE keyedit.prompt

  ERROR: GPG didn't sign.
Traceback (most recent call last):
  File "./pius", line 395, in <module>
    main()
  File "./pius", line 379, in main
    if signer.sign_all_uids(key, retval):
  File "/home/wget/Downloads/pius-fb/libpius/signer.py", line 676, in sign_all_uids
    res = self.sign_uid(key, uid['index'], level)
  File "/home/wget/Downloads/pius-fb/libpius/signer.py", line 629, in sign_uid
    raise GpgUnknownError(line)
libpius.exceptions.GpgUnknownError: [GNUPG:] GET_LINE keyedit.prompt

The normal behavior would be to sign the embedded part and send that part to all email addresses present in the key. I don't know what your script actually does. After reading the code (even if I'm far from being fluent in Python), I don't see a location where all non-email-address items are signed, encrypted and sent to all mail items from the key.

This is happening when I try to sign the key from Peter A Nowée, 15F51B3090884649, which contains that kind of picture.

Help would be greatly appreciated.

Error with new enough GnuPG when reading "ENCRYPTION_COMPLIANCE_MODE"

GnuPG started printing information about encryption compliance in commit f31dc2540ac and since then pius fails with the following error when signing a key:

File "/usr/bin/pius", line 342, in <module>
  main()
File "/usr/bin/pius", line 326, in main
  if signer.sign_all_uids(key, retval):
File "/usr/lib/python2.7/site-packages/libpius/signer.py", line 788, in sign_all_uids
  self.encrypt_signed_uid(key, uid['file'])
File "/usr/lib/python2.7/site-packages/libpius/signer.py", line 444, in encrypt_signed_uid
  raise EncryptionUnknownError(line)
libpius.exceptions.EncryptionUnknownError: [GNUPG:] ENCRYPTION_COMPLIANCE_MODE 23

WARNING: Keyid ... not valid, skipping.

pius doesn't work for me when run on a keyring from a signing party:

$ pius -dv -A -s DAC1D4FA -r ./complete2.pgp -n $test_address -m $my_address -I
Welcome to PIUS, the PGP Individual UID Signer.

Setting debug
DEBUG: Running: /usr/bin/gpg2 --version
DEBUG: extracting all keyids from keyring
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb --no-default-keyring --keyring ./complete2.pgp --no-options --with-colons --keyid-format long --fingerprint --fixed-list-mode
DEBUG: Got id D31B5563DAC1D4FA for Adam Spiers <[email protected]>
DEBUG: Got id <censored> for <censored>
DEBUG: Got id <censored> for <censored>
DEBUG: Got id <censored> for <censored>
DEBUG: Got id <censored> for <censored>
DEBUG: Got id <censored> for <censored>
DEBUG: Got id <censored> for <censored>
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring ./complete2.pgp --fingerprint <censored>
WARNING: Keyid <censored> not valid, skipping.
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring ./complete2.pgp --fingerprint <censored>
WARNING: Keyid <censored> not valid, skipping.
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring ./complete2.pgp --fingerprint <censored>
WARNING: Keyid <censored> not valid, skipping.
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring ./complete2.pgp --fingerprint <censored>
WARNING: Keyid <censored> not valid, skipping.
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring ./complete2.pgp --fingerprint <censored>
WARNING: Keyid <censored> not valid, skipping.
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring ./complete2.pgp --fingerprint <censored>
WARNING: Keyid <censored> not valid, skipping.
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring ./complete2.pgp --fingerprint <censored>
WARNING: Keyid <censored> not valid, skipping.
Importing keyring...
DEBUG: Running: /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --import ./complete2.pgp

If I run one of the commands manually:

$ /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring ./complete2.pgp --fingerprint D31B5563DAC1D4FA
gpg: Oops: keyid_from_fingerprint: no pubkey
gpg: please do a --check-trustdb
pub   4096R/D31B5563DAC1D4FA 2013-02-08
      Key fingerprint = 942B 9075 ACCA 04E9 037C  73FE D31B 5563 DAC1 D4FA
uid               [ultimate] Adam Spiers <[email protected]>
uid               [ultimate] Adam Spiers <[email protected]>
uid               [ultimate] Adam Spiers <[email protected]>
uid               [ultimate] [jpeg image of size 5204]
sub   4096R/823FC712E33BAB2F 2013-02-08

so then I tried

$ gpg2 --check-trustdb
gpg: public key <censored> is 78748 seconds newer than the signature
gpg: public key <censored> is 276 seconds newer than the signature
gpg: public key <censored> is 10288 seconds newer than the signature
gpg: public key <censored> is 58138 seconds newer than the signature
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: public key <censored> is 78748 seconds newer than the signature
gpg: public key <censored> is 276 seconds newer than the signature
gpg: depth: 0  valid:   6  signed:  14  trust: 0-, 0q, 0n, 0m, 0f, 6u
gpg: public key <censored> is 58138 seconds newer than the signature
gpg: depth: 1  valid:  14  signed:   7  trust: 13-, 0q, 0n, 0m, 1f, 0u

But it didn't help:

$ /usr/bin/gpg2 --keyid-format long --no-auto-check-trustdb -q --no-tty --batch --no-default-keyring --keyring ./complete2.pgp --fingerprint D31B5563DAC1D4FA
gpg: Oops: keyid_from_fingerprint: no pubkey
pub   4096R/D31B5563DAC1D4FA 2013-02-08
      Key fingerprint = 942B 9075 ACCA 04E9 037C  73FE D31B 5563 DAC1 D4FA
uid               [ultimate] Adam Spiers <[email protected]>
uid               [ultimate] Adam Spiers <[email protected]>
uid               [ultimate] Adam Spiers <[email protected]>
uid               [ultimate] [jpeg image of size 5204]
sub   4096R/823FC712E33BAB2F 2013-02-08

$ echo $?
2

Am I doing something wrong?

Add the ability to sign with multiple keys

[ Migrated from: https://sourceforge.net/p/pgpius/feature-requests/3/ ]

Support the ability to sign with multiple keys.

Open question: would we also need the ability to send each signature from a different email address? Probably...

Key import may cause signing key to be removed from trustdb

When pius imports the keys into the temporary pius_pubring.gpg using gpg2 (gpg (GnuPG) 2.1.11) the signing key may end up being removed from the default ownertrust database ~/.gnupg/trustdb.gpg.

It's just a minor annoyance and can be worked around quite easily if you have a backup of the trustdb.

A better fix would perhaps be to add the keep-ownertrust import-option as in the below very minor mod to libpius/signer.py?

diff --git a/pius/pius-2.2.2/libpius/signer.py b/pius/pius-2.2.2/libpius/signer.py
index 977d241..bd08573 100644
--- a/pius/pius-2.2.2/libpius/signer.py
+++ b/pius/pius-2.2.2/libpius/signer.py
@@ -490,7 +490,7 @@ class PiusSigner(object):
cmd = [self.gpg] + self.gpg_base_opts + self.gpg_quiet_opts + [
'--no-default-keyring',
'--keyring', self.tmp_keyring,

  •    '--import-options', 'import-minimal',
    
  •    '--import-options', 'import-minimal,keep-ownertrust',
       '--import', path,
    
    ]
    self._run_and_check_status(cmd)
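Review bot: the changed '--import-options' line applies keep-ownertrust to every key imported into self.tmp_keyring, while the problem described above concerns only the signing key losing its ownertrust. Consider passing 'import-minimal,keep-ownertrust' only when the path being imported is the signer's own key and keeping plain 'import-minimal' for the keys being signed, so the behaviour change is limited to the key the report is about. The option is also passed unconditionally, so a gpg binary that does not recognise keep-ownertrust would make this import fail inside self._run_and_check_status(cmd); a guard on the detected gpg version and a one-line comment explaining why the option is there would make the change safer to carry.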

Many thanks for providing this awesome tool.

Kind regards,
Piet

Keyringmanager can't create a keyring in raw mode

[ludo@Oulanl pius]$ pius-keyring-mgr raw -r /home/ludovic/sfoksp2017.gpg -- --recv-key 0x10645351F62D42C389A299A9AACCAC21430AF5E7
gpg: keyblock resource `/home/ludovic/sfoksp2017.gpg': file open error
gpg: requesting key 430AF5E7 from hkp server ipv6.pool.sks-keyservers.net
gpg: no writable keyring found: eof
gpg: error reading `[stream]': general error
gpg: Total number processed: 0
[ludo@Oulanl pius]$

libpius doesn't work with MacGPG

I have MacGPG installed on my Mac. This is a binary package that identifies itself as:

$ gpg --version
gpg (GnuPG/MacGPG2) 2.0.28

This does not match the regex in line 92 of signer.py.

Any chance you could patch pius to support MacGPG (or change the regex to be more lenient)?

NameError: global name 'parser' is not defined

I installed pius from brew on Mac OS, and I am currently stuck with this undefined 'parser' error.
Any idea what that is and how to solve it?

Welcome to PIUS, the PGP Individual UID Signer.

Traceback (most recent call last):
  File "/usr/local/bin/pius", line 342, in <module>
    main()
  File "/usr/local/bin/pius", line 275, in main
    options.mail_host
  File "/usr/local/Cellar/pius/2.2.4_1/libexec/lib/python2.7/site-packages/libpius/signer.py", line 91, in __init__
    parser.error('You chose interactive mode but do not have the pexpect'
NameError: global name 'parser' is not defined

`KEY_CONSIDERED` response of GnuPG 2.1 not handled

Hello,

GnuPG 2.1.13 provides new KEY_CONSIDERED messages on its status fd, which provide information about the key lookup process that's going on (see doc/DETAILS in the GnuPG source.)

As of Pius 2.2.2, these messages are not handled, leading to:

DEBUG: Sending sign command
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Waiting for response
DEBUG: Got [GNUPG:] KEY_CONSIDERED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0

  ERROR: GnuPG reported an unknown error

The attached patch appears to solve the problem.

Thanks,
Ludo'.
key-considered-patch.txt
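
The reports on this page about KEY_CONSIDERED, PINENTRY_LAUNCHED, CARDCTRL and ENCRYPTION_COMPLIANCE_MODE share one failure mode: a status-fd reader that raises on any keyword it does not know. The code below is an added example, not PIUS's own code and not the attached patch; the function names and sample lines are constructed, and it assumes that success is proven only by SIG_CREATED and END_ENCRYPTION while unrecognised keywords are skipped rather than treated as errors.

```python
"""Tolerant reader for `gpg --status-fd` output (added example, not PIUS code)."""

PREFIX = "[GNUPG:] "

# Status keywords that mean the operation failed. All are documented in
# GnuPG's doc/DETAILS; treating ERROR as fatal is a conservative assumption.
FAILURE_KEYWORDS = {
    "ERROR", "FAILURE", "INV_RECP", "INV_SGNR",
    "BAD_PASSPHRASE", "MISSING_PASSPHRASE", "NO_SECKEY", "NO_PUBKEY",
}


class GpgStatusError(Exception):
    """gpg reported a failure, or exited without reporting success."""


def parse_status(line):
    """Return (keyword, args) for a '[GNUPG:] KEYWORD ...' line, else None."""
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    parts = line[len(PREFIX):].split()
    if not parts:
        return None
    return parts[0], parts[1:]


def check_encrypt_and_sign(lines, required=("SIG_CREATED", "END_ENCRYPTION")):
    """Validate the status lines of one sign-and-encrypt run.

    Unknown keywords are skipped, so a newer gpg that adds informational
    lines does not break the caller. Skipping is not success: every keyword
    in `required` must be seen, and any failure keyword aborts immediately.
    Returns the list of skipped keywords (useful for debug logging).
    """
    seen = set()
    skipped = []
    for line in lines:
        status = parse_status(line)
        if status is None:
            continue  # not a status line (debug text, blank line)
        keyword, _args = status
        if keyword in FAILURE_KEYWORDS:
            raise GpgStatusError(line.strip())
        if keyword in required:
            seen.add(keyword)
        else:
            skipped.append(keyword)
    missing = [k for k in required if k not in seen]
    if missing:
        raise GpgStatusError("gpg never reported: " + ", ".join(missing))
    return skipped


# Constructed sample input, modelled on the status lines quoted in the
# reports on this page; the key IDs are placeholders.
SAMPLE_OK = [
    "[GNUPG:] KEY_CONSIDERED 0000000000000000000000000000000000000000 0",
    "[GNUPG:] ENCRYPTION_COMPLIANCE_MODE 23",
    "[GNUPG:] BEGIN_SIGNING H8",
    "[GNUPG:] PINENTRY_LAUNCHED 31635 gnome3 1.0.0 ? ? ?",
    "[GNUPG:] CARDCTRL 3 D2760001240102000006038107570000",
    "[GNUPG:] SIG_CREATED S 1 8 00 1521328219 0000000000000000",
    "[GNUPG:] BEGIN_ENCRYPTION 2 9",
    "[GNUPG:] END_ENCRYPTION",
]

# Constructed: the agent fails to obtain the passphrase (error code is made up).
SAMPLE_AGENT_ERROR = [
    "[GNUPG:] USERID_HINT 0000000000000000 Example User <user@example.org>",
    "[GNUPG:] ERROR get_passphrase 1",
]

# Constructed: gpg stops after an informational line without signing.
SAMPLE_TRUNCATED = [
    "[GNUPG:] KEY_CONSIDERED 0000000000000000000000000000000000000000 0",
    "[GNUPG:] BEGIN_SIGNING H8",
]


if __name__ == "__main__":
    print("skipped:", check_encrypt_and_sign(SAMPLE_OK))
    for name, sample in (("agent error", SAMPLE_AGENT_ERROR),
                         ("truncated", SAMPLE_TRUNCATED)):
        try:
            check_encrypt_and_sign(sample)
        except GpgStatusError as exc:
            print(name, "->", exc)
```
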

Error on passphrase prompt

Howdy Phil. I'm trying to sign the SCaLE 14x keyring and running into problems.

=== Command:
python2.7 ./pius -d -r ~/scale-14x-keyring.gpg -s (mykeyid) -A -a -m (myemail) -I

=== Error:
DEBUG: Confirming signing
DEBUG: Waiting for line [GNUPG:] GOT_IT
DEBUG: got line [GNUPG:] GOT_IT
DEBUG: Got [GNUPG:] USERID_HINT (REDACTED ... info on my GPG key here)
DEBUG: Got [GNUPG:] ERROR get_passphrase (REDACTED ... some numbers, not sure if they're relevant to my key as well)

ERROR: Agent reported an error.

gpg-agent problems, bailing out!

=== Version Stuff:
Pius 2.2.2 Release

$ gpg --help | head -n 14
gpg (GnuPG) 2.0.28
libgcrypt 1.6.3
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

$ emerge --info | head -n 8
Portage 2.2.20.1 (python 3.4.1-final-0, default/linux/amd64/13.0/desktop/kde, gcc-4.9.3, glibc-2.21-r1, 4.1.12-gentoo x86_64)

System uname: Linux-4.1.12-gentoo-x86_64-Intel-R-_Core-TM-i7-5820K_CPU@_3.30GHz-with-gentoo-2.2
KiB Mem: 16369812 total, 106740 free
KiB Swap: 0 total, 0 free
Timestamp of repository gentoo: Wed, 17 Feb 2016 19:00:01 +0000
sh bash 4.3_p39
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1

Overriding the default mail doesn't replace placeholder statements correctly

I decided to replace the default mail used by pius and specify mine instead. I have kept most of the structure, and have just changed some sentences. But after doing some tests, I realized statements like <keyid>, <signer>, <email> and <file> were not replaced with the appropriate strings, as is the case with the default mail template.

I also realized that the statement <file> present in the default template is never (AFAIK) replaced. My tests confirm this issue, as does the code at mailer.py#L107 (no <file> statement), and there is no file parameter to the method _get_email_body.

Pius crashes when signing

Using the latest version of pius, 2.2.1, with gnupg 2.1.9 on Archlinux, pius can crash in two different ways when signing:

  File "/usr/bin/pius", line 333, in <module>
    main()
  File "/usr/bin/pius", line 317, in main
    if signer.sign_all_uids(key, retval):
  File "/usr/lib/python2.7/site-packages/libpius/signer.py", line 781, in sign_all_uids
    self.mailer.send_sig_mail(self.signer, key, uid, self)
  File "/usr/lib/python2.7/site-packages/libpius/mailer.py", line 225, in send_sig_mail
    signer, uid_data['email'], keyid, uid_data['file'], psign
  File "/usr/lib/python2.7/site-packages/libpius/mailer.py", line 175, in _generate_pgp_mime_email
    psigner.encrypt_and_sign_file(tmpfile, signed_tmpfile, keyid)
  File "/usr/lib/python2.7/site-packages/libpius/signer.py", line 876, in encrypt_and_sign_file
    raise EncryptionUnknownError(line)
libpius.exceptions.EncryptionUnknownError: [GNUPG:] PINENTRY_LAUNCHED 10282

Traceback (most recent call last):
  File "/usr/bin/pius", line 333, in <module>
    main()
  File "/usr/bin/pius", line 317, in main
    if signer.sign_all_uids(key, retval):
  File "/usr/lib/python2.7/site-packages/libpius/signer.py", line 781, in sign_all_uids
    self.mailer.send_sig_mail(self.signer, key, uid, self)
  File "/usr/lib/python2.7/site-packages/libpius/mailer.py", line 225, in send_sig_mail
    signer, uid_data['email'], keyid, uid_data['file'], psign
  File "/usr/lib/python2.7/site-packages/libpius/mailer.py", line 175, in _generate_pgp_mime_email
    psigner.encrypt_and_sign_file(tmpfile, signed_tmpfile, keyid)
  File "/usr/lib/python2.7/site-packages/libpius/signer.py", line 876, in encrypt_and_sign_file
    raise EncryptionUnknownError(line)
libpius.exceptions.EncryptionUnknownError: [GNUPG:] PROGRESS need_entropy X 8 16

It seems it has already been fixed in 79d096e and 325b1fb. Is it possible to release a new version with these changes?

Thanks!

piusrc doesn't handle `~` for paths

For a config file, tilde-expansion needs to be handled when reading the file instead of leaving it to the shell.

Desired to work in ~/.pius/piusrc:

mail-text=~/.pius/mail-template

This lets the config be checked into revision control and checked out in multiple environments.

mgr shouldn't generate keybox format

Currently on gpg 2.2 where the default keyring format is keybox, pius-keyring-mgr will generate a keybox format keyring. This is problematic for several reasons:

  1. It means that other implementations - notably gpg 2.1 - can't read it properly - they think the keys are invalid
  2. gpg 2.2 won't "import" keybox keyrings, which means the -I option on pius itself fails for people using it. This led to #74 which wasn't the correct fix.

Instead, pius-keyring-mgr should always export the keyrings to make a "gpg key public ring" format file, which is standard and can be read by all versions and any compatible implementation.

pius crashes if /tmp folder already exists

If pius crashes under a particular user (userA) and later userB attempts to use pius, userB will find that pius crashes in several different spots because of the files left in /tmp by userA.

pius should probably:

  • Create temp directories per-pid to avoid races
  • Attempt to clean them on abnormal exit, if at all possible.

Observed on 2.1.1-3.fc22.
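
The two suggestions above, as an added Python example (not PIUS's own code): a working directory created per run with a random name and mode 0700, removed even when the run ends abnormally, plus a check that rejects a leftover directory that is not private to the current user. The `pius_` prefix and all function names are assumptions made for this example.

```python
import contextlib
import os
import shutil
import signal
import stat
import sys
import tempfile


def is_private_dir(path):
    """True only for a real directory (not a symlink) that this user owns
    and that grants no access to group or others."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.getuid()
            and stat.S_IMODE(st.st_mode) & 0o077 == 0)


@contextlib.contextmanager
def private_workdir(prefix="pius_", parent=None):
    """Yield a fresh working directory and remove it on the way out.

    mkdtemp picks an unused random name and creates the directory with mode
    0700, so two users (or two runs) never share or collide on a path.
    """
    path = tempfile.mkdtemp(prefix=prefix, dir=parent)
    try:
        yield path
    finally:
        # Runs on normal exit, on exceptions and on SystemExit.
        shutil.rmtree(path, ignore_errors=True)


def exit_on_sigterm():
    """Turn SIGTERM into SystemExit so the `finally` above still runs."""
    signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit(128 + signum))
```

A process killed with SIGKILL still leaves its directory behind, but because every run gets its own name, the leftover cannot break a later run by another user.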

allow sending mail via external programs

Ideally it would be possible to send mail via external programs, like msmtp. In fact, I wonder if it would make more sense for pius to rely on external programs for sending mail? That way it wouldn't have to duplicate that functionality in libpius.mailer.

gpg can't parse some newer keys and thus party-worksheet should use gpg2

[ludo@Oulanl pius]$ ./pius-party-worksheet /home/ludo/sfoksp2017.gpg >kspsfo.html
gpg: assuming bad signature from key DBAFEC0F due to an unknown critical bit
Use of uninitialized value $owner in substitution (s///) at ./pius-party-worksheet line 114.
Use of uninitialized value $owner in substitution (s///) at ./pius-party-worksheet line 115.
Use of uninitialized value $owner in substitution (s///) at ./pius-party-worksheet line 116.
Use of uninitialized value $owner in hash element at ./pius-party-worksheet line 118.
Use of uninitialized value in concatenation (.) or string at ./pius-party-worksheet line 139.

Incorrect RPM specification file

RPM specification file seems to be incorrect as it has missing/incorrect file specs:

  • pius-report
  • libpius
  • README instead of README.md
  • README.keyring-mgr instead of README-keyring-mgr

That being said, I did not try to build an RPM package (don't own such a system). I found this by browsing around the source package as I ran into the issue of missing libpius while making a Gentoo ebuild for v2.2.1.

Default output directory emptied when used offline without specifying -o

Ran command:
$ pius -r somekeyring.gpg -A -s 0xSomeid

Expected result:
/tmp/pius_out containing signed keys

Actual result:
/tmp/pius_out contained only 2 random signed uid-s instead of all found in the keyring

If the command run is:
$ pius -r somekeyring.gpg -A -s 0xSomeid -e -o /tmp/signed_keys

Actual result is as expected:
All signed and encrypted signed UID-s are stored in /tmp/signed_keys.

As I did not run with -o but without -e, I'm not sure whether this bug is triggered by the missing -o or the missing -e parameter.

Version used:
pius-2.0.7 on Debian Wheezy (armhf), but apparently this is not fixed in later versions either.

Python 3 support

[ Migrated from: https://sourceforge.net/p/pgpius/feature-requests/6/ ]

The script is currently written in python 2. Some users would like it to run under python 3.

please do a new release

The commit merged in #44 resolves a fatal issue with my basic use case:

$ pius --keyring=~/.gnupg/pubring.kbx --use-agent -s <my-keyid> <another-person>
...
Signing all UIDs on key <another-person>
  There are 3 UIDs on this key to sign
  UID 1 (<uid-1>):   ERROR: GnuPG reported an unknown error
  UID 2 (<uid-2>):   ERROR: GnuPG reported an unknown error
  UID 3 (<uid-3>):   ERROR: GnuPG reported an unknown error

The specific problem is that KEY_CONSIDERED is not handled in the latest release (2.2.2).

I use gpg and gpg-agent 2.1 because that is what Guix currently packages. If I switched to gpg 2.0, I would not have this problem but would run into another problem: gpg <2.1 cannot read keybox (.kbx) files, the new standard for pubring and trustdb that gpg 2.1 automatically migrates to. My only reasonable option (which did not involve hacking my keyring files) was to clone this repository.

Can somebody do a new release so we can package a working version for Guix?
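
The KEY_CONSIDERED, PINENTRY_LAUNCHED and PROGRESS reports above all show a status-fd reader stopping on a line it did not expect. The following is an added Python example (not PIUS's code) of a reader that declares success only on the expected keyword, fails on `ERROR`, and skips everything else; the `GET_LINE keyedit.prompt` target, `SOME_FUTURE_KEYWORD`, the `ERROR` code and both sample streams are constructed for illustration.

```python
import io

PREFIX = "[GNUPG:] "
# Keywords that only report progress or context; all four appear in the
# reports on this page.
INFORMATIONAL = {"KEY_CONSIDERED", "PINENTRY_LAUNCHED", "PROGRESS", "USERID_HINT"}

# Constructed sample streams; the first three lines are quoted from the reports.
SAMPLE_OK = """\
[GNUPG:] KEY_CONSIDERED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0
[GNUPG:] PINENTRY_LAUNCHED 10282
[GNUPG:] PROGRESS need_entropy X 8 16
[GNUPG:] SOME_FUTURE_KEYWORD 1
[GNUPG:] GET_LINE keyedit.prompt
"""
SAMPLE_FAIL = """\
[GNUPG:] USERID_HINT 0000000000000000 Constructed User <user@example.org>
[GNUPG:] ERROR get_passphrase 1
"""

class StatusError(Exception):
    """GnuPG reported ERROR, or the stream ended without the expected line."""

def parse_status(line):
    """Return (keyword, args) for a status line, or None for other output."""
    line = line.rstrip("\r\n")
    if not line.startswith(PREFIX):
        return None
    keyword, _, rest = line[len(PREFIX):].partition(" ")
    return keyword, rest.split()

def wait_for(stream, expected):
    """Read until `expected` arrives; return (its args, skipped, unknown).

    Success needs the explicit `expected` keyword, so skipping a keyword this
    code does not know cannot turn a failure into a success.
    """
    skipped, unknown = [], []
    for raw in stream:
        parsed = parse_status(raw)
        if parsed is None:
            continue
        keyword, args = parsed
        if keyword == expected:
            return args, skipped, unknown
        if keyword == "ERROR":
            raise StatusError(" ".join(args))
        (skipped if keyword in INFORMATIONAL else unknown).append(keyword)
    raise StatusError("stream ended before " + expected)
```

Returning the `unknown` list lets the caller log keywords added by newer GnuPG releases without aborting the signing run.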
