This is a quick guide of the commands we use to sign someone's GPG key in a virtual key signing party.
Note: The steps cover only the technical aspects of signing someone's key. Before signing someone's key, you must verify their identity. This is usually done by showing government-issued ID and confirming the key's fingerprint
The commands will work for both GPG and GPG2.
I use Julian's key for the examples. His key id is 2AD3FAE3
. You should substitute with the appropriate key id when running the commands.
-
List the keys currently in your keyring:
gpg --list-keys
. -
I want to sign Julian's key, so I pull it into my keyring:
gpg --recv-keys 2AD3FAE3
. If Julian's key is already in my keyring, it's a good idea to pull it again, so that my keyring is up to date.- If the default keyserver (
keys.gnupg.net
) is not responsive, use the MIT or Ubuntu keyserver:gpg --keyserver pgp.mit.edu --recv-keys 2AD3FAE3
orgpg --keyserver keyserver.ubuntu.com --recv-keys 2AD3FAE3
- If the default keyserver (
-
I then sign Julian's key:
gpg --sign-key 2AD3FAE3
. If a GPG agent is not running, you will be prompted for your private key's passphrase. -
After signing, the key, I will then encrypt the signed key with Julian's public key (you will be asked for your passphrase to sign it as well, so that the receiver can verify that you are the sender):
gpg -a --export 2AD3FAE3 | gpg -se -r 2AD3FAE3 > ~/tmp/2AD3FAE3.asc.pgp
-
I then email
2AD3FAE3.asc.gpg
to Julian. In this case, I email it to the address in his key ([email protected]
) as the key states that he controls that address. -
Once Julian receives the encrypted message, he decrypts it and imports it into his keyring:
gpg --decrypt 2AD3FAE3.asc.pgp
gpg --import 2AD3FAE3.asc
- He can then send his key with the attached signatures to the various keyservers:
gpg --send-keys 2AD3FAE3
gpg --keyserver pgp.mit.edu --send-keys 2AD3FAE3
gpg --keyserver keyserver.ubuntu.com --send-keys 2AD3FAE3
- The keyserver will merge his signature with those available for hiss key. Wait a few moments for the merging to complete and check that everything worked by visiting the following:
https://keyserver.ubuntu.com/pks/lookup?search=0xDDB6E9812AD3FAE3&op=vindex
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xDDB6E9812AD3FAE3
https://keyserver.ntzwrk.org/pks/lookup?op=vindex&fingerprint=on&search=0xDDB6E9812AD3FAE3
I can see my signature for Julian's key on all those servers, so that means his key was signed correctly.
Sending the keys directly to the keyservers instead of having the owner upload them (NOT RECOMMENDED!)
NOTE: According to this blog post, pushing the signed key directly to the keyserver is not good practice, because it does not prove ownership of the key.
After finishing step 3 of the previous instructions:
- Send the keys to the GNU, MIT and Ubuntu keyservers directly:
gpg --send-keys 2AD3FAE3
gpg --keyserver pgp.mit.edu --send-keys 2AD3FAE3
gpg --keyserver keyserver.ubuntu.com --send-keys 2AD3FAE3
- The keyserver will merge our signature with those available for Julian's key. Wait a few moments for the merging to complete and check that everything worked by visiting the following:
https://keyserver.ubuntu.com/pks/lookup?search=0xDDB6E9812AD3FAE3&op=vindex
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xDDB6E9812AD3FAE3
https://keyserver.ntzwrk.org/pks/lookup?op=vindex&fingerprint=on&search=0xDDB6E9812AD3FAE3
I can see my signature for Julian's key on all those servers, so that means his key was signed correctly.
If you are a PMC member, update or add your key to the KEYS
file at http://www.apache.org/dist/calcite/KEYS.
To generate the appropriate output, run: gpg --list-sigs 2AD3FAE3 && gpg --armor --export 2AD3FAE3
.
Paste the output into the KEYS
files and commit it to the SVN repo by following these instructions.
no, this is bad practice.
DO NOT send the signatures to the keyserver yourself, send the signature as encrypted mail to the uid of the key.
(This ensures that the UID has indeed control of the key. )
Tool-recommendation for signing is "caff" (It is in Debian/Ubuntu package signing-party)
https://wiki.debian.org/caff
I'd suggest to make that more clear, e.g by reprashing.