• Put your KEYID here separated by spaces, please, for easy copy/paste for others:
  • FAC81C7D 21923CF1 2E322E62 FFE6E478 33A9C8F1 B57DAF9C <your-keyid>

• Install the signing-party package
• setup caff
  • NOTE: Getting the long key id is possible with opengpg with "--list-keys --with-colons"
  • sample config (greg's)
• run caff (the arguments is the list of keyids you're wanting to sign)

Notes:

• If you don't have an in-use sendmail (or similar) setup your emails may be blocked by eg google mail. If that's the case, a safe approach is to create a tarball of all the key signatures for a given person (caff creates one keysig file per email) and encrypt it to the person (gpg --encrypt --recipient <recipientemail> theirsigs.tar) and email that as an attachment using your normal mail client.

Step 1: Get a copy of the key edit

Normally, you'll be working from a keyserver. However if you are signing the key that is not available on a keyserver, you can use simply import the key with gpg --import. If you are working with a keyserver, the following command will download the key from the keyserver into your public keyring.

  bash$ gpg --keyserver pgp.mit.edu --recv-keys <Key_ID>

If you get a read error, it means the keyserver is overloaded. Please, try again in a few seconds.

Step 2: Fingerprint and Verify the key edit

  bash$ gpg --fingerprint <Key_ID>

GPG will print out the fingerprint of the Key with <Key_ID> (the key you just downloaded). Check the fingerprint against the checklist that you where given at the party. Note: Don't check the fingerprint on your checklist against the fingerprint on the web page as the server may not send you the same key it displays on the web page.

Step 3: Sign the key edit

  bash$ gpg --sign-key <Key_ID>

If you have multiple private keys, you can specify which of your private keys to sign the other persons public key with like this:

  bash$ gpg --default-key <Key_to_use> --sign-key <Key_ID>

Step 4: Return or Upload the signed key edit

If you are working with an entity which does not want their key on a public keyserver, you should at this point you should return their signed key back to them by their method of choice - normally encrypted email (in other words, encrypt the signed key file, then email them that; gpg --armor --export FAC81C7D > file.key to get a keyfile, then attach it to an email, encrypt the mail and attachment, and send it to the key owner). You should not send a public key to a keyserver without the permission of the key's owner. Publicizing a public key slightly reduces the security of a key pair, therefore it is considered rude to make a key more public than its owner desires.

If no one responds negatively to the question about sharing the signatures publicly, feel free to do:

  bash$ gpg --keyserver pgp.mit.edu --send-key <Key_ID>

You should see a success message like this:

  gpg: success sending to `<keyserver>' (status=200)

Congratulations, the signature of the other entity's key is now complete and your signature has been incorporated into their public key. A trust path has been established.