Last night, before going out for post-conference merriness after OpenTech 2008 (a really cool event, btw), I took part in a bit of a key-signing party. Key-signing has been made fun of on XKCD (leading to reader confusion). While I was there, David McBride showed me a tool on Debian Linux called "Caff" - it's up on the web here, described as a CA (as in Certificate Authority) "fire and forget" tool.

I looked at it, but it was a jumble of highly mind-bending Perl code, so I decided to rewrite it. In Ruby. For the Mac. After a lot of frustration, it's done. And I present KeyRub. KeyRub takes a space-separated list of GPG short-hexes (mine is "A6A4F54E"), goes online, grabs the key, shows you the fingerprint of the key, then presents you with the prompt to sign the key. If you choose to sign the key, it then makes an encrypted version of the key with your signature available for each of the listed e-mail addresses and mails them out. This is a much quicker process than sending random data out and then waiting for a response, then signing, then publishing. It also means that the signee can choose to publish your signature only if they want to.
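A sketch of that flow in Ruby, added here as an example rather than taken from KeyRub or caff: it parses the machine-readable listing that `gpg --with-colons --list-keys` prints for a key and lays out the per-address sign-and-mail plan the paragraph describes. The listing, the keyserver and the example addresses are all constructed.

```ruby
# Added example, not KeyRub's or caff's own code. It parses the output of
# `gpg --with-colons --list-keys <id>` and lays out the per-address
# sign-and-mail plan described in the post. The listing is constructed.
SAMPLE_LISTING = <<~GPG
  pub:-:1024:17:89ABCDEF01234567:2008-07-01:::-:Example Person <person@example.org>::scaESCA:
  fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
  uid:-::::2008-07-01::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Person <person@example.org>:
  uid:-::::2008-07-01::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Example Person <person@example.com>:
  sub:-:2048:16:FEDCBA0987654321:2008-07-01::::::e:
GPG
SHORT_ID = /\A[0-9A-Fa-f]{8}\z/

# Colon listing: field 1 is the record type; field 10 carries the fingerprint
# on 'fpr' records and the user ID on 'uid' records (':' is escaped as \x3a).
def parse_listing(text)
  key = { fingerprint: nil, uids: [] }
  text.each_line do |line|
    fields = line.chomp.split(':', -1)
    case fields[0]
    when 'fpr' then key[:fingerprint] ||= fields[9]
    when 'uid' then key[:uids] << fields[9].gsub('\x3a', ':')
    end
  end
  key
end

# E-mail address inside a "Name <addr>" user ID; nil for photo or bare UIDs.
def uid_email(uid)
  uid[/<([^<>@\s]+@[^<>@\s]+)>/, 1]
end

# caff-style plan: fetch, show the fingerprint for the check against the ID
# card, sign once, then mail each address its own copy encrypted to the key,
# so the signature only reaches someone holding both the private key and
# that mailbox (caff additionally strips the other UIDs first; omitted here).
def sign_and_mail_plan(short_id, key, keyserver: 'hkp://keyserver.example')
  raise ArgumentError, "not a short key ID: #{short_id}" unless short_id =~ SHORT_ID
  fpr = key[:fingerprint] or raise ArgumentError, 'listing has no fpr record'
  id = short_id.upcase
  # A v4 short ID is the low 32 bits of the fingerprint; refuse a mismatch.
  raise ArgumentError, "#{id} does not match #{fpr}" unless fpr.end_with?(id)
  mails = key[:uids].map do |uid|
    to = uid_email(uid)
    to && { to: to, export: "gpg --armor --export #{id} | gpg --armor --encrypt --recipient #{id}" }
  end.compact
  { fetch: "gpg --keyserver #{keyserver} --recv-keys #{id}",
    fingerprint: fpr, sign: "gpg --sign-key #{id}", mails: mails }
end
```

Run it against a real listing by piping `gpg --with-colons --list-keys <id>` into `parse_listing`; the fingerprint check is the step that replaces trusting the short ID alone.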

In addition, because storing e-mail server passwords in plaintext just sucks, I have used the "security" command line utility (which is a command-line interface to the OS X Keychain - and boy is it easier to use it this way than faffing around with Python or Ruby Objective-C bindings) to get my Gmail password out. Obviously, this won't work on non-OS X systems. And if this script wasn't built only for my own usage, I'd make it so that it would extract my Gmail username from the Keychain also. But that isn't likely to change too often. Hint: if you are building command-line-based scripts that interact with servers or APIs, use the Keychain on OS X. It rocks.

What is all this key-signing stuff about? Well, you should start using GPG. Even our supposedly liberal, freedom-respecting, Western governments are screwing around with our privacy, and GPG allows you to fight back. Use it to encrypt your e-mails and files, as well as do things like sign software (this is tremendously useful - if you make a piece of software, signing it means that others can redistribute it, safe in the knowledge that others can check its veracity). If you are in London, I am often at geek events, and am always willing to sign keys - my policy is I accept only government-issued IDs (passport or driving licence) with discretionary cultural name variability (i.e. if your passport says "Thomas" but your key says "Tom", that's fine - if your passport says "Thomas" and your key says "31337h@x0rZftw!1!", think again).