Zürich Hackathon 2014/Topics/PostKeySigning
First things first
- Put your KEYID here, separated by spaces, for easy copy/paste by others:
- FAC81C7D 21923CF1 2E322E62 FFE6E478 33A9C8F1 B57DAF9C <your-keyid>
The easy way (for Debian-based distributions)
- Install the signing-party package
- Set up caff
- NOTE: The long key id can be obtained with gpg using "--list-keys --with-colons"
- sample config (greg's)
- Run caff (the arguments are the list of key ids you want to sign)
Notes:
- If you don't have a working sendmail (or similar) setup, your emails may be blocked by e.g. Google Mail. If that's the case, a safe approach is to create a tarball of all the key signatures for a given person (caff creates one keysig file per email address), encrypt it to that person (gpg --encrypt --recipient <recipientemail> theirsigs.tar) and email it as an attachment using your normal mail client.
The manual way
Step 1: Get a copy of the key
Normally, you'll be working from a keyserver. However, if you are signing a key that is not available on a keyserver, you can simply import it with gpg --import. If you are working with a keyserver, the following command will download the key from the keyserver into your public keyring.
bash$ gpg --keyserver pgp.mit.edu --recv-keys <Key_ID>
If you get a read error, it means the keyserver is overloaded. Please, try again in a few seconds.
Step 2: Fingerprint and Verify the key
bash$ gpg --fingerprint <Key_ID>
GPG will print out the fingerprint of the key with <Key_ID> (the key you just downloaded). Check the fingerprint against the checklist that you were given at the party. Note: Don't check the fingerprint on your checklist against the fingerprint on the web page, as the server may not send you the same key it displays on the web page.
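The two checks above (reading the long key id out of --with-colons output, and comparing the fingerprint gpg reports against the paper checklist) as an added shell example; this is not part of the wiki page, and the colon-format output and fingerprint below are constructed, not a real key:

```shell
#!/bin/sh
# Constructed sample of what `gpg --with-colons --fingerprint <Key_ID>` prints
# for one key. The fingerprint is made up for this example, not a real key.
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF0123ABCD:1390000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF0123ABCD:
uid:-::::1390000000::0000000000000000000000000000000000000000::Example Participant <participant@example.org>::::::::::0:'

# Strip spaces and uppercase, so the grouping printed on the checklist
# cannot cause a spurious mismatch.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]'
}

# The fingerprint is field 10 of the "fpr" record in --with-colons output.
fpr_from_colons() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# The long (16 hex digit) key id is the last 16 hex digits of the fingerprint.
longid_from_fpr() {
    printf '%s' "$(normalize_fpr "$1")" | tail -c 16
}

# Returns 0 only when the checklist fingerprint is a full 40 hex digits and
# matches the fingerprint gpg printed for the downloaded key.
verify_fingerprint() {
    colons_output=$1
    checklist_fpr=$2
    got=$(normalize_fpr "$(fpr_from_colons "$colons_output")")
    want=$(normalize_fpr "$checklist_fpr")
    [ -n "$got" ] && [ ${#want} -eq 40 ] && [ "$got" = "$want" ]
}

# Demo run against the constructed sample and a checklist value copied
# with the usual 4-digit grouping.
if verify_fingerprint "$SAMPLE_COLONS" "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 ABCD"; then
    echo "fingerprint matches checklist; long key id $(longid_from_fpr "$(fpr_from_colons "$SAMPLE_COLONS")")"
else
    echo "FINGERPRINT MISMATCH: do not sign this key"
fi
```

With a live key, replace SAMPLE_COLONS with `$(gpg --with-colons --fingerprint <Key_ID>)` and type the checklist value from the paper sheet, not from the web page.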
Step 3: Sign the key
bash$ gpg --sign-key <Key_ID>
If you have multiple private keys, you can specify which of your private keys to sign the other person's public key with like this:
bash$ gpg --default-key <Key_to_use> --sign-key <Key_ID>
Step 4: Return or Upload the signed key
If you are working with an entity which does not want their key on a public keyserver, at this point you should return their signed key to them by their method of choice - normally encrypted email (in other words, export the signed key to a file with gpg --armor --export FAC81C7D > file.key,
then attach it to an email, encrypt the mail and attachment, and send it to the key owner). You should not send a public key to a keyserver without the permission of the key's owner. Publicizing a public key slightly reduces the security of a key pair, therefore it is considered rude to make a key more public than its owner desires.
If no one responds negatively to the question about sharing the signatures publicly, feel free to do:
bash$ gpg --keyserver pgp.mit.edu --send-key <Key_ID>
You should see a success message like this:
gpg: success sending to `<keyserver>' (status=200)
Congratulations, the signature of the other entity's key is now complete and your signature has been incorporated into their public key. A trust path has been established.