monkeysign is a tool to overhaul the OpenPGP keysigning experience and bring it closer to something that most primates can understand. The project makes use of cheap digital cameras and the type of bar code known as a QRcode to provide a human-friendly yet still-secure keysigning experience. No more reciting tedious strings of hexadecimal characters. And, you can build a little rogue's gallery of the people that you have met and exchanged keys with!
Monkeysign also features a user-friendly commandline tool to sign
OpenPGP keys following the current best practices. It is like
but better: it supports local signatures, SMTP communication, and so
Monkeysign was written by Jerome Charaoui and Antoine Beaupré and is licensed under GPLv3.
- commandline and GUI interface
- GUI supports exchanging fingerprints with qrcodes
- print your OpenPGP fingerprint on a QRcode
- key signature done on a separate keyring
- signature sent in an encrypted email to ensure:
  - the signee controls the signed email
  - the signee really controls the key
- local ("non-exportable") signatures
- send through local email server or SMTP
Monkeysign should be available in Debian and soon in Ubuntu, but can also easily be installed from source.
The following Python packages are required for the GUI to work.
    python-qrencode python-gtk2 python-zbar python-zbarpygtk
If they are not available, the commandline signing tool should still work but doesn't recognize QR codes.
Of course, all this depends on the GnuPG program.
Monkeysign is now in Debian, since Jessie (and backported to Wheezy). To install it, just run:
    apt-get install monkeysign
You can fetch monkeysign with git:
    git clone git://git.monkeysphere.info/monkeysign
The source tarball is also available directly from the Debian mirrors here:
.tar.gz file has a checksum, cryptographically signed, in the
To install monkeysign, run:
    sudo ./setup.py install --record=install.log
The graphical interface should be self-explanatory; it should be in your menus, or you can call it with:
The commandline interface should provide you with a complete help file
when called with
For example, to sign a given fingerprint:
This will fetch the key from your keyring (or a keyserver) and sign it in a temporary keyring, then encrypt the signature and send it in an email to the owner of the key.
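The fingerprint given to the signing step is what ties a key fetched from a keyserver to the person you met, so it has to be a full fingerprint and the fetched key has to match it exactly. The following is an added example, not monkeysign's own code: the `OPENPGP4FPR:` payload prefix, the function names and the sample fingerprint are assumptions made for illustration.

```python
import re

# Assumption: the QR code carries "OPENPGP4FPR:" followed by the full
# 40-hex-digit (v4) fingerprint. The page does not spell out the payload.
QR_PREFIX = "OPENPGP4FPR:"
V4_FINGERPRINT = re.compile(r"[0-9A-F]{40}")


def normalize_fingerprint(text):
    """Drop the spacing humans add, upper-case, and insist on a full fingerprint.

    Short (8 hex) and long (16 hex) key IDs are rejected: only the full
    fingerprint identifies a key strongly enough to certify it.
    """
    fpr = re.sub(r"\s+", "", text).upper()
    if not V4_FINGERPRINT.fullmatch(fpr):
        raise ValueError("not a full 40-hex-digit fingerprint: %r" % (text,))
    return fpr


def make_qr_payload(fingerprint):
    """Text to encode in the QR code for your own key."""
    return QR_PREFIX + normalize_fingerprint(fingerprint)


def parse_qr_payload(payload):
    """Extract the fingerprint from scanned QR text, or raise ValueError."""
    payload = payload.strip()
    if payload[:len(QR_PREFIX)].upper() != QR_PREFIX:
        raise ValueError("not an OpenPGP fingerprint QR code")
    return normalize_fingerprint(payload[len(QR_PREFIX):])


def key_matches_scan(scanned_payload, fetched_fingerprint):
    """True only if the key fetched from the keyring or a keyserver is the
    exact key whose fingerprint was scanned in person."""
    return parse_qr_payload(scanned_payload) == normalize_fingerprint(fetched_fingerprint)


if __name__ == "__main__":
    # Constructed sample fingerprint, not a real key.
    sample = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
    scanned = make_qr_payload(sample)
    print(scanned)
    print(key_matches_scan(scanned, sample.lower()))   # same key
    print(key_matches_scan(scanned, "F" * 40))         # different key
```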
Bug reports are welcome in the Debian BTS, even if you are not running Debian (because I don't have any other place to put those bugs, and it's a native package). Use the reportbug package to report a bug if you run Debian (or Ubuntu), otherwise send an email to firstname.lastname@example.org, with content like this:
    To: email@example.com
    From: firstname.lastname@example.org
    Subject: fails to frobnicate

    Package: monkeysign
    Version: 1.0

    Monkeysign fails to frobnicate.

    I tried to do...

    I was expecting...

    And instead I had this backtrace...

    I am running Arch Linux 2013.07.01, Python 2.7.5-1 under an amd64 architecture.
See also the complete instructions for more information on how to use the Debian bugtracker.
You can also browse the existing bug reports.
GPG for Android (of the Guardian project) will import public keys in your device's keyring when they are found in QRcodes, so it should be able to talk with Monkeysign, but this remains to be tested. (Github project)