Ten Steps for attending a keysigning party

7 September 2007

A key signing party can be an event of its own, or it might be at a user group meeting, or at a conference, or at a workplace. The idea is to increase the 'web of trust' and thus strengthen the system as a whole, as well as making your own key more trusted. Alex Willmer explains what you need to do to participate in a key signing party, using GNU Privacy Guard.

You can use either the command line gpg tool or a GUI front end such as seahorse. The command line approach goes as follows:

0. Generate a key

If you've not already done so, generate a key pair:

$ gpg --gen-key

1. Get your key ID

Find your public key, by typing this:

$ gpg --list-keys

This gives the results as below, the uid should match your name and chosen email address. Note the id, on the line labelled 'pub':

> /home/alex/.gnupg/pubring.gpg
-----------------------------
pub 1024D/5A6F95BE 2007-02-08
uid Alex Willmer <alex at moreati.org.uk>
sub 2048g/63329941 2007-02-08

2. Upload your key

Publish your public key to a keyserver, use the keyserver option:

$ gpg --keyserver ldap://keyserver.pgp.com --send-keys 5A6F95BE

Which should respond as follows:

> gpg: sending key 5A6F95BE to ldap server keyserver.pgp.com

3. Print your key fingerprint

Type the following, using the id from step 1.

$ gpg --fingerprint 5A6F95BE

The result is your keyfingerprint of your public key, as shown below.

> pub 1024D/5A6F95BE 2007-02-08
Key fingerprint = C9CD 3335 C138 7291 2022 F30D 2E51 C57B 5A6F 95BE
uid Alex Willmer <alex at moreati.org.uk>
sub 2048g/63329941 2007-02-08

Print your fingerprint onto paper, you should be able to get quite a few on a page, which you can then cut into slips. This also may be achieved with the command gpg-key2ps.

4. Go to the party!

Bring the slips and credentials that prove your identity to the key signing party. Normally parties require you to bring credentials that include a photo (e.g. your passport or drivers licence).

5. Give out slips

Give a fingerprint slip to anybody you wish to sign your key, and allow them to verify your identity using your credentials.

6. Take slips

Verify in person, the identity of anybody you accept a slip from. Ensure the slip has a uid matching their name.

Note that it is anti-social to take slips and just throw them away or forget about them. If you take a slip from someone then it is polite to actually use it by doing steps 7+8.

7. Verify the key fingerprints of your acquaintances

Once home, using the id from each slip, download and verify the fingerprint of each person's key:

$ gpg --keyserver ldap://keyserver.pgp.com --recv-keys [key_id]

$ gpg --fingerprint [key_id]

8. Upload your acquaintances' keys

Sign each of the verified keys, upload them to a keyserver:

$ gpg --sign-key [key_id]

$ gpg --keyserver ldap://keyserver.pgp.com --send-key [key_id]

9. Use GPG!

You can now sign emails and anybody who signed your key can verify that email was sent by you and has not been modified. Additionally, you can encrypt anything you send to a person whose key you have signed.

10. Advanced usage

There are optional, additional steps such as encrypting a signed key and sending it to the listed uid. By receiving the signed key and decrypting it, they prove access to the email address and control of the private key.

More Information

1 Alex Willmer says...

Hi Zeth,

Thankyou for putting the guide up and doing a cleanup. Just one quibble: my key 1024D/5A6F95BE goes with the email address <alex@moreati.org.uk>. I'm not sure what alex at commandline.org.uk is.

Feel free to include my address as is, I try to avoid armouring. I quite like Seahorse, the default Gnome keyring manager myself, which can do all of the above. I'm more of a command line tourist.

Regards, Alex

PS I realise it's bad form not to sign this comment. Sorry.

Posted at 12:50 p.m. on September 24, 2007

2 Mr Stuff says...

It seems I can't convince a single person to use GPG for anything at all! Whenever I recommend it to someone and offer to help them through it step by step, these otherwise intelligent people just turn into morons! It's such a shame. GPG is very fit for purpose and EASY TO USE.

Posted at 7 p.m. on December 16, 2007

What do you have to say?

Show Editing Help

About

Hello, my name is Zeth, I'll be your host here.

Command Line Warriors is about taking control of your own technology, it looks at our experiences of computing; especially using GNU/Linux, the Python programming language, the command-line and issues such as techno-ethics, best practices and whatever is cool now. If you take control of your technology then you are a Warrior too!

This site is your site too which means that you can contribute and get involved. You can leave comments using the facility provided. For me, the comments and discussions are by far the best part of the site. So please do have your say!

Latest Discussions

Omar Zabaneh

July 25, 2008
Zeth, Thank you for this post, very helpful. I used it as a basis for my own email validation function that i wish to share with you, in a selfish ...
→ Email Syntax Check in Python

Double Booting Bastard

July 24, 2008
I agree with Nui, Linux is great for many things but not everything. A lot of, less mainstream, hardware is a time consuming and often fruitless task to install and ...
→ Give Linux a chance

John

July 23, 2008
Duncan, sadly the permissions are stored with the data (inode), not with the directory entries (hard-links). Zeth needs ACLs -- no way to do this with basic unix permissions.
→ Advanced Unix Groups

Garrick

July 21, 2008
I do love my iPhone. That being said, I would trade it in a heartbeat for a STABLE Openmoko FreeRunner.
→ This week - iPhone vs a can of compressed air, and Django NewFormsAdmin

Daniel Davies

July 21, 2008
With regards to your last paragraph, you are certainly correct. Right now Django is a nightmare to use across multiple sites... we have some sites running the newformsadmin branch, others ...
→ This week - iPhone vs a can of compressed air, and Django NewFormsAdmin

Nui

July 18, 2008
Hmm, this would be more persuasive as an argument with some evidence. I am a happy admin of Windows and a novice user of Linux, so I have taken the ...
→ Give Linux a chance

Paddy3118

July 18, 2008
Hi, I too work with Electronic Design Automation tools, where Tcl is used extensively. I tend to only occasionally have to write in Tcl and so find the TclTutor utility: ...
→ Python and TCL

Cliff Wells

July 17, 2008
I personally cannot live without the Web Developer extension or Firebug. Unfortunately these are probably both among the more difficult to port extensions. Given how poorly Firefox functions on Linux ...
→ Will Epiphany be able to compete with Firefox's extensions?

Åke Forslund

July 13, 2008
I'm pretty much a novice in both of these languages but I find them both easy to use and preform the tasks I give them. However I rarely use them ...
→ Python and TCL

Christopher Thoday

July 12, 2008
A single test is not sufficient to give you confidence that the algorithm is working. You should make 'number' an argument of 'main' so that you can test some boundary ...
→ Python and TCL

paul21

July 10, 2008
Shame on Mozilla. They should make developers specify the extension license before hosting it. They should show the license next to download button as well.
→ Are your Firefox extensions proprietary software?

Tris

July 8, 2008
Justin - You say they had not heard of Linux? That doesn't sound very professional to me!
→ Give Linux a chance

michael

July 8, 2008
what about Galeon? in Gnome i use Galeon mostly. it is fast and stable and has a nice portal with search masks for Debian, FSF, Freshmeat and so on. wtf ...
→ Will Epiphany be able to compete with Firefox's extensions?

vermin

July 7, 2008
> Eventually, after a bit of digging and Googling, I found their Toolbar-License... You simply found the license of the StumbleUpon Toolbar for Internet Explorer. This is another product, much ...
→ Are your Firefox extensions proprietary software?

Andrew West

July 6, 2008
Both the Python and the Tcl example could do with error checking. While at first this may not seem on topic with the post I think it better shows the ...
→ Python and TCL

COMMAND LINE WARRIORS

Taking Control of your Own Technology