
Create Your Own Graphical Web of Trust

I created my GnuPG key back in 2004, and I've been very active with it since (thank you Glen). I have also seen graphical representations of the Web of Trust for a specific public keyring, and I've always been curious how I could create my own. Well, last night I finally buckled down and figured it out. So, hopefully, this will be of interest for some. In case you're curious, this is what I'm talking about.

First, make sure you have the gnupg, sig2dot, graphviz and imagemagick packages installed. You will need various tools from each of these. Of course, you'll also need access to your public keyring. This is generally found in the ~/.gnupg/pubring.gpg file.

First, the sig2dot package just provides a single Perl script that reads signatures in an OpenPGP/GPG keyring, and creates a "dot" file. This dot file is just an ASCII file that describes the relationships between the signatures in the file, and their distance to/from each other. However, the dot file by itself isn't very interesting. So, we can convert that dot file to a PostScript file or an image directly. Personally, I have found that creating the PostScript file, then converting to an image from that, produces better results than going directly from the dot file to an image. Of course, once you have your image, you're done.

So, here are the commands, in order, that are needed to create your graphical web of trust. I do everything in my ~/.gnupg/ directory, as you can see. Feel free to do this wherever you wish:

$ gpg --list-sigs --keyring ~/.gnupg/pubring.gpg | sig2dot > ~/.gnupg/ 2> ~/.gnupg/pubring.error.txt
$ neato -Tps ~/.gnupg/ > ~/.gnupg/
$ convert ~/.gnupg/ ~/.gnupg/pubring.gif

This should take a bit, depending on the size of your pubring.gpg file. On my dual core, with 4GB RAM, it takes about 45 seconds from start to finish, which is a bit longer than you initially would expect. Also, some have reported that the "neato" command doesn't work for them. The graphviz package also provides the "dot" binary for working on dot files, so you could run this instead:

$ gpg --list-sigs --keyring ~/.gnupg/pubring.gpg | sig2dot > ~/.gnupg/ 2> ~/.gnupg/pubring.error.txt
$ dot -Tps ~/.gnupg/ > ~/.gnupg/
$ convert ~/.gnupg/ ~/.gnupg/pubring.gif

You'll notice that I'm saving the STDERR output to "~/.gnupg/pubring.error.txt". I'm only doing this for logging purposes. Also, feel free to experiment with the options for both neato/dot and convert. I like the GIF format, as it's 1/10 the size of the equivalent PNG, so it's great to put up on web pages to save bandwidth. I believe neato/dot supports SVG, so you could try that as well.

In any event, you might want to save the above in a script in your ~/.gnupg/ directory, in case you want to update your web of trust image. Here's mine:
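
One way to write such a script, as an added example rather than the author's own: it runs the three steps separately so that a failure in gpg, sig2dot, the layout tool or convert stops the run with a distinct exit code instead of leaving a truncated image. The function names and the intermediate file names pubring.sigs.txt, pubring.dot and pubring.ps are assumptions, as is the --no-default-keyring option, which the commands above do not use.

```sh
#!/bin/sh
# Added example, not the author's script. pubring.sigs.txt, pubring.dot and
# pubring.ps are assumed names for the intermediate files.

# Print each required command that is not available (layout is neato or dot).
wot_missing_tools() {
    for tool in gpg sig2dot "$1" convert; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# wot_build KEYRING OUTDIR [LAYOUT]: write OUTDIR/pubring.gif; return non-zero
# at the first stage that fails or produces no output.
wot_build() {
    keyring=$1; outdir=$2; layout=${3:-neato}
    [ -r "$keyring" ] || { echo "cannot read $keyring" >&2; return 1; }
    missing=$(wot_missing_tools "$layout")
    [ -z "$missing" ] || { echo "missing tools:" $missing >&2; return 1; }

    # Separate steps instead of a pipe: for "gpg | sig2dot" sh reports only
    # sig2dot's exit status, so a gpg failure would go unnoticed.
    # --no-default-keyring limits the listing to the keyring named here.
    gpg --no-default-keyring --keyring "$keyring" --list-sigs \
        > "$outdir/pubring.sigs.txt" 2> "$outdir/pubring.error.txt" || return 2
    sig2dot < "$outdir/pubring.sigs.txt" \
        > "$outdir/pubring.dot" 2>> "$outdir/pubring.error.txt" || return 3
    [ -s "$outdir/pubring.dot" ] || return 3    # empty graph: nothing to draw

    "$layout" -Tps "$outdir/pubring.dot" > "$outdir/pubring.ps" || return 4
    # Render to a temporary name, then rename, so a failed run never
    # replaces a good image with a partial one.
    convert "$outdir/pubring.ps" "$outdir/pubring.gif.tmp.gif" || return 5
    mv "$outdir/pubring.gif.tmp.gif" "$outdir/pubring.gif"
}

# Runs only when given arguments, for example:
#   sh wot.sh ~/.gnupg/pubring.gpg ~/.gnupg dot
if [ "$#" -ge 2 ]; then
    wot_build "$@"
fi
```

Some distributions ship an ImageMagick policy.xml that disables the PS coder, in which case the convert step returns 5. Graphviz can then write the image directly with -Tgif or -Tsvg in place of -Tps.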

Happy hacking!
