1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
|
#use wml::debian::template title="Keysigning"
# $Id$
<p>Since a lot of developers meet at trade shows or conferences they
have become a nice way to get other people sign ones GnuPG key and
improve the web of trust. Especially for people who are new to the
project, keysigning and meeting other developers has been very
interesting.</p>
<p>This document intends to help you with running a keysigning
session. Note that all examples use <code>keyring.debian.org</code> as
the keyserver. If the key in question is not in the Debian keyring,
replace <code>keyring.debian.org</code> with a public
keyserver like <code>wwwkeys.pgp.net</code> (which despite the name
also stores GnuPG keys.)</p>
<p>People should only sign a key under at least two conditions:</p>
<ol>
<li>The key owner convinces the signer that the identity in the UID is
indeed their own identity by whatever evidence the signer is
willing to accept as convincing. Usually this means the key owner
must present a government issued ID with a picture and information
that match up with the key owner. (Some signers know that
government issued ID's are easily forged and that the trustability
of the issuing authorities is often suspect and so they may require
additional and/or alternative evidence of identity).
</li>
<li>The key owner verifies that the fingerprint and the length of the
key about to be signed is indeed their own.
</li>
</ol>
<p>
Most importantly, if the key owner is not actively participating in
the exchange, you won't be able to complete either requisite 1 or 2.
Nobody can complete the key owner's part of requisite 1 on the key
owner's behalf, because otherwise anyone with a stolen ID card could
easily get a PGP key to go with it by pretending to be an agent of the
keyowner. Nobody can complete the key owner's part of requisite 2 on
the key owner's behalf, since the agent could substitute the
fingerprint for a different PGP key with the key owner's name on it
and get someone to sign the wrong key.
</p>
<ul>
<li> You need printed out GnuPG fingerprints, key lengths and an
identity card to prove your identity (passport, drivers license
or similar).
</li>
<li> The fingerprints and key lengths are given to other people who
ought to sign your key after the meeting.
</li>
<li> If you don't have a GnuPG key yet, create one with <code>gpg --gen-key</code>.
</li>
<li> Only sign a key if the identity of the person whose key to sign
is proven.
</li>
<li> After the meeting you'll have to fetch the GnuPG key in order to
sign it. The following may help:
<pre>
gpg --keyserver keyring.debian.org --recv-keys 0xDEADBEEF
</pre>
<p>Note that we can use the last eight hex digits of the fingerprint in this and
other GnuPG operations. The <tt>0x</tt> in front is also optional.</p>
</li>
<li> To sign the key, enter the edit menu with
<pre>
gpg --edit-key 0xDEADBEEF
</pre>
</li>
<li> In GnuPG select all uids to sign with <code>uid n</code>, where
<code>n</code> is the number of the uid shown in the menu. You can
also press enter to sign all the uids. </li>
<li> To sign a key, enter <code>sign</code>. You will then be shown
the fingerprint and length of they key which you have to compare
with the one you've got from the person you met.
</li>
<li> When asked for the level of certification, choose "casual".
</li>
<li> Quit GnuPG with <code>quit</code>
</li>
<li> To verify you have signed the key correctly, you can do:
<pre>
gpg --list-sigs 0xDEADBEEF
</pre>
<p>You should see your own name and fingerprint (in short form) in the
output.</p>
</li>
<li> Once everything looks good, you can send the signed key to
its recipient by doing:
<pre>
gpg --export -a 0xDEADBEEF > someguys.key
</pre>
<p>The <code>-a</code> option exports the key in ASCII format so it can
be emailed without the possibility of corruption.</p>
</li>
<li> If someone signs your key in this manner, you can add it to the Debian
keyring by doing:
<pre>
gpg --import --import-options merge-only mysigned.key
gpg --keyserver keyring.debian.org --send-keys <var><your key id></var>
</pre>
<p>It may take a while for the keyring maintainers to update your key so
be patient. You should also upload your updated key to the public
keyservers.</p>
</li>
</ul>
<p>The <a href="https://packages.debian.org/signing-party">signing-party</a>
Debian package provides some tools to help you with
this process. <tt>gpg-key2ps</tt> turns a GnuPG key into a PostScript
file to print paper slips with your fingerprint, and
<tt>gpg-mailkeys</tt> will email a signed key to its author. The package
also includes <tt>caff</tt> which is a more advanced tool. See the
package documentation for more information.</p>
<h3>What you should not do</h3>
<p>You should never sign a key for somebody else you haven't met
personally. Signing a key based on anything other than first-hand
knowledge destroys the utility of the Web of Trust. If ones friend
presents other developers with your ID card and your fingerprint, but
you are not there to verify that the fingerprint belongs to you, what
do other developers have to link the fingerprint to the ID? They have
only the friend's word, and the other signatures on your key -- this
is no better than if they signed your key just because other people
have signed it!
</p>
<p>It is nice to get more signatures on ones key, and it is tempting
to cut a few corners along the way. But having trustworthy signatures
is more important than having many signatures, so it's very important
that we keep the keysigning process as pure as we can. Signing
someone else's key is an endorsement that you have first-hand evidence
of the keyholder's identity. If you sign it when you don't really
mean it, the Web of Trust can no longer be trusted.
</p>
|
