#use wml::debian::template title="Keysigning" # $Id$
Since a lot of developers meet at trade shows or conferences, these events have become a nice way to get other people to sign one's OpenPGP key and improve the web of trust. Especially for people who are new to the project, keysigning and meeting other developers has been very interesting.
This document intends to help you with running a keysigning session. Note that all examples use keyring.debian.org as the keyserver. If the key in question is not in the Debian keyring, replace keyring.debian.org with a public keyserver like keys.openpgp.org (which is a validating key server).
People should only sign a key when both of the following conditions are met:
1. The key owner convinces the signer of their identity, for example by presenting an ID card that matches the user ID on the key.
2. The key owner confirms that the fingerprint of the key about to be signed is indeed their own.
Most importantly, if the key owner is not actively participating in the exchange, you won't be able to complete either requisite 1 or 2. Nobody can complete the key owner's part of requisite 1 on the key owner's behalf, because otherwise anyone with a stolen ID card could easily get an OpenPGP key to go with it by pretending to be an agent of the key owner. Nobody can complete the key owner's part of requisite 2 on the key owner's behalf, since the agent could substitute the fingerprint for a different OpenPGP key with the key owner's name on it and get someone to sign the wrong key.
If you do not have a key yet, generate one:
gpg --gen-key
gpg --keyserver keyring.debian.org --recv-keys 0xDEADBEEF
Note that we can use the last eight hex digits of the fingerprint in this and other GnuPG operations. The 0x in front is also optional.
gpg --edit-key 0xDEADBEEF
uid n
where n is the number of the uid shown in the menu. You can also press enter to sign all the uids.
sign
You will then be shown the fingerprint and length of the key, which you have to compare with the one you've got from the person you met.
quit
gpg --list-sigs 0xDEADBEEF
You should see your own name and fingerprint (in short form) in the output.
gpg --export -a 0xDEADBEEF > someguys.key
The -a option exports the key in ASCII format so it can be emailed without the possibility of corruption.
Import the signatures you received on your own key, then send the updated key to the keyserver:
gpg --import --import-options merge-only mysigned.key
gpg --keyserver keyring.debian.org --send-keys <your key id>
It may take a while for the keyring maintainers to update your key so be patient. You should also upload your updated key to the public keyservers.
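The decisive step above is comparing the fingerprint and key length GnuPG shows with the one on the slip you were handed. The following added example (not part of the Debian page) does that comparison mechanically: it parses gpg's machine-readable --with-colons output and accepts only a full 40-hex-digit match, so a slip that only matches the last eight digits (the short key ID the page uses for convenience) is rejected. The key ID, fingerprints and the --with-colons sample are constructed placeholders, not a real key.

```shell
#!/bin/sh
# Added example, not from the Debian page: check the fingerprint read from a
# paper slip against what GnuPG reports before you type "sign". The key ID,
# fingerprints and the --with-colons output below are constructed placeholders.

# Constructed sample of `gpg --with-colons --fingerprint 0xDEADBEEF`. The "pub"
# record carries the key length in field 3; each "fpr" record carries a
# fingerprint in field 10, the first one belonging to the primary key.
SAMPLE_COLONS='pub:u:4096:1:89ABCDEF01234567:1600000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::UIDHASHPLACEHOLDER::Some Developer <someone@example.org>::::::::::0:
sub:u:4096:1:76543210FEDCBA98:1600000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Normalize a fingerprint as typed from the slip: strip whitespace and a
# leading 0x, fold to upper case.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Primary-key fingerprint from --with-colons output on stdin.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Primary-key length in bits from --with-colons output on stdin.
primary_keylen() {
    awk -F: '$1 == "pub" { print $3; exit }'
}

# Succeed only on a full 40-hex-digit match. The last eight digits alone (the
# short key ID the page uses for convenience) are rejected: they are not unique.
check_fpr() {
    slip=$(normalize_fpr "$1")
    gpg_fpr=$(printf '%s\n' "$2" | primary_fpr)
    keylen=$(printf '%s\n' "$2" | primary_keylen)
    case "$slip" in
        ""|*[!0-9A-F]*) echo "slip is not a hex fingerprint" >&2; return 1 ;;
    esac
    if [ "${#slip}" -ne 40 ]; then
        echo "slip has ${#slip} hex digits, need the full 40 (a key ID is not enough)" >&2
        return 1
    fi
    if [ "$slip" != "$gpg_fpr" ]; then
        echo "MISMATCH: slip $slip, gpg $gpg_fpr" >&2
        return 1
    fi
    echo "fingerprint matches ($keylen-bit key): $gpg_fpr"
}
```

For a real key, run it just before "sign" inside --edit-key as `check_fpr "<fingerprint from the slip>" "$(gpg --with-colons --fingerprint 0xDEADBEEF)"` and only proceed when it reports a match.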
The signing-party Debian package provides some tools to help you with this process. gpg-key2ps turns an OpenPGP key into a PostScript file to print paper slips with your fingerprint, and gpg-mailkeys will email a signed key to its author. The package also includes caff which is a more advanced tool. See the package documentation for more information.
You should never sign a key for somebody you haven't met personally. Signing a key based on anything other than first-hand knowledge destroys the utility of the Web of Trust. If one's friend presents other developers with your ID card and your fingerprint, but you are not there to verify that the fingerprint belongs to you, what do other developers have to link the fingerprint to the ID? They have only the friend's word, and the other signatures on your key -- this is no better than if they signed your key just because other people have signed it!
It is nice to get more signatures on one's key, and it is tempting to cut a few corners along the way. But having trustworthy signatures is more important than having many signatures, so it's very important that we keep the keysigning process as pure as we can. Signing someone else's key is an endorsement that you have first-hand evidence of the keyholder's identity. If you sign it when you don't really mean it, the Web of Trust can no longer be trusted.