[TriLUG] Signing GPG/PGP keys

Tanner Lovelace lovelace at wayfarer.org
Fri Jul 11 11:17:03 EDT 2003


So, you've just come back from the TriLUG meeting last night with a 
bunch of paper slips with people's key information on them and you're
trying to figure out what to do.  Here's a (hopefully) step-by-step
procedure you can use to download, verify, sign, and send off
a key that you have the information for. (Note this is from the
perspective of gpg.  Other programs will use similar concepts although
the specifics will be different.)

1) Download keys
   
You may or may not have the keys you collected last night in your
gpg keyring.  If you don't, you can first try downloading the
TriLUG PGP keyring (url is also at the bottom of this message).
If you trust us O:-), you can use this command:

lynx -source http://trilug.org/~chrish/trilug.asc | gpg --import

Alternatively, you can download that file and import it manually.
To check if you have the key you want to sign, try this command:

gpg --list-keys <email address>

If you see the person's key, great!  If not, take a look at the
key ID on the slip of paper you got.  It will be 8 hexadecimal
characters (or alternatively, the last 8 chars of the fingerprint
which is that really long mess of hex chars).  Note that and do this:

gpg --keyserver subkeys.pgp.net --recv-keys <key id>

If the key is on the keyserver, it will download it.  If not, well,
then e-mail the person asking for their key.

2) Verify the key matches the information you collected.

Take the information you collected at the meeting last night (you
did verify that it was from the correct person, right?) and put it 
in front of you.  Type the following command:

gpg --fingerprint <key id or email address>

That should bring up a fingerprint of the key in question.  Verify
that the long mess of hexadecimal digits on the sheet you received
from the person matches what your computer says.  In addition,
make sure the size and key type are the same too.  If all of these
match, congratulations, you have verified the key is correct. It's 
now time to sign this key. :-)

3) Sign key.

Make sure you have the key id and type this command:

gpg --sign-key <key id>

Answer the questions there.  One question in particular that comes
up is if the key has an expiration date should I also expire my
signature at that time.  I generally don't because if the key is 
expired it's no good anyway, and if the signature expires and the
key expiration is extended that person just has to get your signature
again.  Either way, though, it's your choice.  Finish answering the 
questions and then type in your pass phrase (you did set an entire
phrase as the pass phrase instead of just one word, right? ;-)
Specify you want to save it and voila! you've signed the key.

4) Publish key.

If the person has asked you to send the key to a keyserver, you can
do the following command:

gpg --keyserver subkeys.pgp.net --send-keys <key id>

If you're not sure if they want the key on the key server, you shouldn't
send it there.  Instead, extract the key in ascii format and send
it back to them.  This is the command to extract the key:

gpg --export -a <key id> > <filename>.asc

Take that file and send it to the person in question and let them
publish it as they see fit.

And that's it.  You should now be able to sign anyone's key.  

Please note that if I've forgotten something or gotten something wrong,
please feel free to correct me. :-)

Cheers,
Tanner
-- 
Tanner Lovelace | lovelace(at)wayfarer.org | http://wtl.wayfarer.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA  BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
Have we sent the "Don't shoot, we're pathetic" transmission yet? 
                                Commander John Crichton (Farscape)
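
Added example, not part of the original post: a small shell helper for step 2 that compares the fingerprint and size/type written on a paper slip with gpg's machine-readable listing, so the match does not depend on reading 40 hex digits by eye. The function names and the sample key are constructed for illustration, and the slip is assumed to give size and type in the form 1024D or 2048R.

```shell
#!/bin/sh
# Added example (not from the original post): automate step 2's comparison.
# Real use: check_slip "$(gpg --with-colons --fingerprint KEYID)" "SLIP FPR" 1024D

# Constructed sample of `gpg --with-colons --fingerprint` output (not a real key).
SAMPLE_COLONS='pub:-:1024:17:0123456789ABCDEF:2003-07-10:::-:Example User <user@example.org>::scESC:
fpr:::::::::AAAA1111BBBB2222CCCC33330123456789ABCDEF:
sub:-:1024:16:FEDCBA9876543210:2003-07-10::::::e:'

# Drop spaces/colons and upper-case, so slip and gpg spellings compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# stdin: colon listing. stdout: "<bits><type letter> <fingerprint>" of the primary key.
primary_key_info() {
    awk -F: '
        $1 == "pub" && !seen { bits = $3; algo = $4; seen = 1; next }
        $1 == "fpr" && seen {
            t = (algo == 1) ? "R" : (algo == 17) ? "D" : "?"   # 1 = RSA, 17 = DSA
            print bits t, $10
            exit
        }'
}

# check_slip <colon listing> <fingerprint on slip> <size+type on slip, e.g. 1024D>
# Prints MATCH / MISMATCH / BAD-INPUT and returns 0 / 1 / 2.
check_slip() {
    slip_fpr=$(normalize_fpr "$2")
    info=$(printf '%s\n' "$1" | primary_key_info)
    # Require the full 40-hex-digit fingerprint; the 8-character key ID
    # is only good for fetching the key, not for deciding to sign it.
    case $slip_fpr in
        ''|*[!0-9A-F]*) echo BAD-INPUT; return 2 ;;
    esac
    if [ "${#slip_fpr}" -ne 40 ] || [ -z "$info" ]; then
        echo BAD-INPUT; return 2
    fi
    if [ "${info##* }" = "$slip_fpr" ] && [ "${info%% *}" = "$3" ]; then
        echo MATCH; return 0
    fi
    echo MISMATCH; return 1
}

# Demo on the constructed sample, with the slip written in gpg's spaced style.
check_slip "$SAMPLE_COLONS" 'AAAA 1111 BBBB 2222 CCCC  3333 0123 4567 89AB CDEF' 1024D
```

Only go on to step 3 when the result is MATCH; on MISMATCH or BAD-INPUT, go back to the person rather than signing.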