Since a lot of developers meet at trade shows or conferences they have become a nice way to get other people sign ones GnuPG key and improve the web of trust. Especially for people who are new to the project, keysigning and meeting other developers has been very interesting.
This document intends to help you with running a keysigning
session. Note that all examples use
the keyserver. If the key in question is not in the Debian keyring,
keyring.debian.org with a public
wwwkeys.pgp.net (which despite the name
also stores GnuPG keys.)
People should only sign a key under at least two conditions:
- The key owner convinces the signer that the identity in the UID is indeed their own identity by whatever evidence the signer is willing to accept as convincing. Usually this means the key owner must present a government issued ID with a picture and information that match up with the key owner. (Some signers know that government issued ID's are easily forged and that the trustability of the issuing authorities is often suspect and so they may require additional and/or alternative evidence of identity).
- The key owner verifies that the fingerprint and the length of the key about to be signed is indeed their own.
Most importantly, if the key owner is not actively participating in the exchange, you won't be able to complete either requisite 1 or 2. Nobody can complete the key owner's part of requisite 1 on the key owner's behalf, because otherwise anyone with a stolen ID card could easily get a PGP key to go with it by pretending to be an agent of the keyowner. Nobody can complete the key owner's part of requisite 2 on the key owner's behalf, since the agent could substitute the fingerprint for a different PGP key with the key owner's name on it and get someone to sign the wrong key.
- You need printed out GnuPG fingerprints, key lengths and an identity card to prove your identity (passport, drivers license or similar).
- The fingerprints and key lengths are given to other people who ought to sign your key after the meeting.
- If you don't have a GnuPG key yet, create one with
- Only sign a key if the identity of the person whose key to sign is proven.
- After the meeting you'll have to fetch the GnuPG key in order to
sign it. The following may help:
gpg --keyserver keyring.debian.org --recv-keys 0xDEADBEEF
Note that we can use the last eight hex digits of the fingerprint in this and other GnuPG operations. The 0x in front is also optional.
- To sign the key, enter the edit menu with
gpg --edit-key 0xDEADBEEF
- In GnuPG select all uids to sign with
uid n, where
nis the number of the uid shown in the menu. You can also press enter to sign all the uids.
- To sign a key, enter
sign. You will then be shown the fingerprint and length of they key which you have to compare with the one you've got from the person you met.
- When asked for the level of certification, choose "casual".
- Quit GnuPG with
- To verify you have signed the key correctly, you can do:
gpg --list-sigs 0xDEADBEEF
You should see your own name and fingerprint (in short form) in the output.
- Once everything looks good, you can send the signed key to
its recipient by doing:
gpg --export -a 0xDEADBEEF > someguys.key
-aoption exports the key in ASCII format so it can be emailed without the possibility of corruption.
- If someone signs your key in this manner, you can add it to the Debian
keyring by doing:
gpg --import --import-options merge-only mysigned.key gpg --keyserver keyring.debian.org --send-keys <your key id>
It may take a while for the keyring maintainers to update your key so be patient. You should also upload your updated key to the public keyservers.
The signing-party Debian package provides some tools to help you with this process. gpg-key2ps turns a GnuPG key into a PostScript file to print paper slips with your fingerprint, and gpg-mailkeys will email a signed key to its author. The package also includes caff which is a more advanced tool. See the package documentation for more information.
What you should not do
You should never sign a key for somebody else you haven't met personally. Signing a key based on anything other than first-hand knowledge destroys the utility of the Web of Trust. If ones friend presents other developers with your ID card and your fingerprint, but you are not there to verify that the fingerprint belongs to you, what do other developers have to link the fingerprint to the ID? They have only the friend's word, and the other signatures on your key -- this is no better than if they signed your key just because other people have signed it!
It is nice to get more signatures on ones key, and it is tempting to cut a few corners along the way. But having trustworthy signatures is more important than having many signatures, so it's very important that we keep the keysigning process as pure as we can. Signing someone else's key is an endorsement that you have first-hand evidence of the keyholder's identity. If you sign it when you don't really mean it, the Web of Trust can no longer be trusted.