[Debian-uk] GPG keys and QR codes

Lars Wirzenius liw at liw.fi
Sun Aug 18 11:43:05 BST 2013 

On Sat, Aug 17, 2013 at 09:32:00AM +0100, Colin Tuckley wrote:
> With the BBQ coming up and the associated keysigning that implies I was
> thinking about ways of exchanging key fingerprints and it occurred to me
> that maybe QR Codes would help.
> 
> A quick Google turned up https://github.com/psychomario/Key2QR
> 
> Has anyone else thought about this and maybe got further towards a
> usable system where people could swap key fingerprints by scanning each
> others QR coded Public key info?

/me dons paranoid hat

QR codes are fun and can be very useful. They are not, however, human
readable, and for key signing their use needs to be considered carefully.
As long as the QR code is used to save some typing, and the actual
verification happens of cleartext, it's probably a good idea. What I mean
is, the QR code should be accompanied by a cleartext key information
(name, key fingerprint), and after the QR code is decoded on their own
system should see the same cleartext information. A bad scenario would
be that you are given only a QR code on paper, and you take a photo of
that, see a name and a fingerprint, and sign that. This opens an attack
vector where either the QR generating code modifies the fingerprint,
or the QR scanning code does that.

This is not a very likely attack, of course. I wouldn't have thought a
photocopier alters numbers on a page, either, and that's now happening
(though not, it seems, intentionally.)

/me removes paranoid hat

I had a quick play with the Key2QR script.

* Does not use proper shell quoting at all times.
* Encodes the entire public or private key in the QR code: as Colin
  said on IRC just now, it's probably meant for key backup rather
  than key signing.
* Takes a long time for me to run (at least six minutes), and then
  fails, except it exits with 0. Also leaves some temporary files
  around.

Overall, I'm not impressed.

I've attached a quick hack to do what Colin suggests. There may be
existing tools, but it's Sunday morning and if I can't NIH on a
Sunday morning, when can I?

-- 
http://www.cafepress.com/trunktees -- geeky funny T-shirts
http://gtdfh.branchable.com/ -- GTD for hackers
-------------- next part --------------
#!/bin/sh
#
# A small script to produce a PDF with key slips for exchanging PGP
# key information for key signing purposes.
#
# Requires gpg, qrencode, and pandoc (with TeX stuff).
#
# Usage: $0 keyid...

set -eu

temp=$(mktemp)
trap 'rm -f "$temp"' EXIT

for keyid in "$@"
do
    # Save key info to a file.
    gpg --fingerprint "$keyid" > "$keyid.mdwn"

    # Generate QR code for key info.
    qrencode $(cat "$keyid.mdwn") -o "$keyid.png"

    # Indent the key info by four spaces, so its a code block.
    sed -i 's/^/    /' "$keyid.mdwn"

    # Include the QR code.
    cat <<EOF >> "$keyid.mdwn"

![Key information as QR]($keyid.png)\\ 

EOF

    # Duplicate it a few times to have many keyslips per page.  With
    # my key, experimentation shows 2 slips will fit on one
    # page. That's obviously dependent on how many usernames a key
    # has.
    #
    # Someone who understands pandoc better might tweak margins and
    # font sizes enough that more can be fit on the page. Or someone
    # could do the formatting with another tool, which could allow
    # for a tighter layout.
    for i in $(seq 2)
    do
	cat "$keyid.mdwn"
    done | 
    sponge "$keyid.mdwn"

    # Produce a PDF.
    pandoc -f markdown -o "$keyid.pdf" "$keyid.mdwn"
done

More information about the Debian-uk mailing list