Monkeysign: OpenPGP Key Exchange for Humans

Monkeysign is a tool to overhaul the OpenPGP keysigning experience and bring it closer to something that most primates can understand. The project makes use of cheap digital cameras and the type of bar code known as a QR code to provide a human-friendly yet still-secure keysigning experience. No more reciting tedious strings of hexadecimal characters. And you can build a little rogue's gallery of the people that you have met and exchanged keys with!

Monkeysign also features a user-friendly commandline tool to sign OpenPGP keys following the current best practices. It is like caff but better: it supports local signatures, SMTP communication, and so on.

Monkeysign was written by Jerome Charaoui and Antoine Beaupré and is licensed under GPLv3.

Features

  • commandline and GUI interface
  • GUI supports exchanging fingerprints with QR codes
  • print your OpenPGP fingerprint on a QR code
  • key signature done on a separate keyring
  • signature sent in an encrypted email to ensure:
    1. the signee controls the signed email
    2. the signee really controls the key
  • local ("non-exportable") signatures
  • send through local email server or SMTP

Installing

Monkeysign should be available in Debian and soon in Ubuntu, but can also easily be installed from source.

Requirements

The following Python packages are required for the GUI to work.

python-qrencode python-gtk2 python-zbar python-zbarpygtk

If they are not available, the commandline signing tool should still work but doesn't recognize QR codes.

Of course, all this depends on the GnuPG program.

In Debian

Monkeysign is now in Debian, since Jessie (and backported to Wheezy). To install it, just run:

apt-get install monkeysign

From git

You can fetch monkeysign with git:

git clone git://git.monkeysphere.info/monkeysign

From source

The source tarball is also available directly from the Debian mirrors here:

http://cdn.debian.net/debian/pool/main/m/monkeysign/

The .tar.gz file has a checksum, cryptographically signed, in the .dsc file.
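
One way to perform that check, added here as an illustration and not part of monkeysign or Debian's tooling: it reads the Checksums-Sha256 field from the signed region of a .dsc and compares it with the downloaded tarball. It assumes the signature on the .dsc has already been verified with GnuPG against a key you trust; the sample .dsc, file name and tarball bytes are constructed placeholders.

```python
import hashlib

# Constructed sample: placeholder file name and bytes, not a real release.
# Assumption: the signature itself was already checked with gpg --verify.
SAMPLE_NAME = "monkeysign_X.Y.tar.gz"
SAMPLE_TARBALL = b"constructed stand-in for the source tarball\n"
SAMPLE_DSC = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (native)
Source: monkeysign
Checksums-Sha256:
 {digest} {size} {name}
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
""".format(digest=hashlib.sha256(SAMPLE_TARBALL).hexdigest(),
           size=len(SAMPLE_TARBALL), name=SAMPLE_NAME)


def signed_checksums(dsc_text):
    """Return {file name: (sha256 hex, size)} from the signed region only."""
    lines = dsc_text.splitlines()
    # list.index raises ValueError when a marker is missing, so a .dsc that
    # is not clearsigned is rejected instead of being trusted.
    begin = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    start = lines.index("", begin) + 1           # blank line ends armor headers
    end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    entries, in_field = {}, False
    for line in lines[start:end]:                # text outside is ignored
        if line.startswith("- "):                # undo clearsign dash-escaping
            line = line[2:]
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" "):  # continuation line of the field
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
        else:
            in_field = False
    return entries


def tarball_matches(dsc_text, name, data):
    """True only if data has the size and SHA-256 the .dsc lists for name."""
    entry = signed_checksums(dsc_text).get(name)
    if entry is None:
        return False
    digest, size = entry
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest
```

A matching checksum only means the tarball is the one the .dsc describes; the trust comes from the signature on the .dsc, so check that first.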

Installing from source

To install monkeysign, run:

sudo ./setup.py install --record=install.log

Running

The graphical interface should be self-explanatory. It should be in your menus, or you can call it with:

monkeyscan

The commandline interface should provide you with a complete help file when called with --help:

monkeysign --help

For example, to sign a given fingerprint:

monkeysign 90ABCDEF1234567890ABCDEF1234567890ABCDEF

This will fetch the key from your keyring (or a keyserver) and sign it in a temporary keyring, then encrypt the signature and send it in an email to the owner of the key.

Bug reports and support

Bug reports are welcome in the Debian BTS, even if you are not running Debian (because I don't have any other place to put those bugs, and it's a native package). Use the reportbug package to report a bug if you run Debian (or Ubuntu), otherwise send an email to submit@bugs.debian.org, with content like this:

To: submit@bugs.debian.org
From: you@example.com
Subject: fails to frobnicate

Package: monkeysign
Version: 1.0

Monkeysign fails to frobnicate.

I tried to do...

I was expecting...

And instead I had this backtrace...

I am running Arch Linux 2013.07.01, Python 2.7.5-1 under an amd64
architecture.

See also the complete instructions for more information on how to use the Debian bugtracker.

You can also browse the existing bug reports.

Similar projects