Skip to content

Instantly share code, notes, and snippets.

@F21
Last active September 2, 2024 10:21
Show Gist options
  • Save F21/b0e8c62c49dfab267ff1d0c6af39ab84 to your computer and use it in GitHub Desktop.
Save F21/b0e8c62c49dfab267ff1d0c6af39ab84 to your computer and use it in GitHub Desktop.
Signing someone's GPG key

This is a quick guide of the commands we use to sign someone's GPG key in a virtual key signing party.

Note: The steps cover only the technical aspects of signing someone's key. Before signing someone's key, you must verify their identity. This is usually done by showing government-issued ID and confirming the key's fingerprint

The commands will work for both GPG and GPG2.

I use Julian's key for the examples. His key id is 2AD3FAE3. You should substitute with the appropriate key id when running the commands.

Signing the key

  1. List the keys currently in your keyring: gpg --list-keys.

  2. I want to sign Julian's key, so I pull it into my keyring: gpg --recv-keys 2AD3FAE3. If Julian's key is already in my keyring, it's a good idea to pull it again, so that my keyring is up to date.

    1. If the default keyserver (keys.gnupg.net) is not responsive, use the MIT or Ubuntu keyserver: gpg --keyserver pgp.mit.edu --recv-keys 2AD3FAE3 or gpg --keyserver keyserver.ubuntu.com --recv-keys 2AD3FAE3
  3. I then sign Julian's key: gpg --sign-key 2AD3FAE3. If a GPG agent is not running, you will be prompted for your private key's passphrase.

  4. After signing, the key, I will then encrypt the signed key with Julian's public key (you will be asked for your passphrase to sign it as well, so that the receiver can verify that you are the sender):

gpg -a --export 2AD3FAE3 | gpg -se -r 2AD3FAE3 > ~/tmp/2AD3FAE3.asc.pgp
  1. I then email 2AD3FAE3.asc.gpg to Julian. In this case, I email it to the address in his key ([email protected]) as the key states that he controls that address.

  2. Once Julian receives the encrypted message, he decrypts it and imports it into his keyring:

gpg --decrypt 2AD3FAE3.asc.pgp
gpg --import 2AD3FAE3.asc
  1. He can then send his key with the attached signatures to the various keyservers:
gpg --send-keys 2AD3FAE3
gpg --keyserver pgp.mit.edu --send-keys 2AD3FAE3
gpg --keyserver keyserver.ubuntu.com --send-keys 2AD3FAE3
  1. The keyserver will merge his signature with those available for hiss key. Wait a few moments for the merging to complete and check that everything worked by visiting the following:
https://keyserver.ubuntu.com/pks/lookup?search=0xDDB6E9812AD3FAE3&op=vindex
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xDDB6E9812AD3FAE3
https://keyserver.ntzwrk.org/pks/lookup?op=vindex&fingerprint=on&search=0xDDB6E9812AD3FAE3

I can see my signature for Julian's key on all those servers, so that means his key was signed correctly.

Sending the keys directly to the keyservers instead of having the owner upload them (NOT RECOMMENDED!)

NOTE: According to this blog post, pushing the signed key directly to the keyserver is not good practice, because it does not prove ownership of the key.

After finishing step 3 of the previous instructions:

  1. Send the keys to the GNU, MIT and Ubuntu keyservers directly:
gpg --send-keys 2AD3FAE3
gpg --keyserver pgp.mit.edu --send-keys 2AD3FAE3
gpg --keyserver keyserver.ubuntu.com --send-keys 2AD3FAE3
  1. The keyserver will merge our signature with those available for Julian's key. Wait a few moments for the merging to complete and check that everything worked by visiting the following:
https://keyserver.ubuntu.com/pks/lookup?search=0xDDB6E9812AD3FAE3&op=vindex
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xDDB6E9812AD3FAE3
https://keyserver.ntzwrk.org/pks/lookup?op=vindex&fingerprint=on&search=0xDDB6E9812AD3FAE3

I can see my signature for Julian's key on all those servers, so that means his key was signed correctly.

Updating your key in the KEYS file

If you are a PMC member, update or add your key to the KEYS file at http://www.apache.org/dist/calcite/KEYS.

To generate the appropriate output, run: gpg --list-sigs 2AD3FAE3 && gpg --armor --export 2AD3FAE3.

Paste the output into the KEYS files and commit it to the SVN repo by following these instructions.

@coldtobi
Copy link

coldtobi commented May 13, 2022

The current practice is to send the signed key to the keyserver. I prefer to sent it to the GNU, MIT and Ubuntu keyservers:

no, this is bad practice.
DO NOT send the signatures to the keyserver yourself, send the signature as encrypted mail to the uid of the key.
(This ensures that the UID has indeed control of the key. )
Tool-recommendation for signing is "caff" (It is in Debian/Ubuntu package signing-party)
https://wiki.debian.org/caff

I'd suggest to make that more clear, e.g by reprashing.

@F21
Copy link
Author

F21 commented May 13, 2022

Thanks for the suggestion! Instructions have been updated. caff looks like a great tool for this; will have to investigate and write up instructions for it.

@fsundermeyer
Copy link

Thank you for these very useful instructions!
While using them I noticed that (at least on openSUSE) gpg --decrypt 2AD3FAE3.asc.pgp writes the key to STDOUT. The following one-liner worked for me instead:

gpg --decrypt 2AD3FAE3.asc.pgp | gpg --import -

@starbops
Copy link

I was wondering why I can't see the key's signatures which was downloaded from the keyserver. There're just only self-sigs.

For example, A is signing B's key.

A:

gpg --keyserver keyserver.ubuntu.com --recv-keys BBBBBBBB
gpg --sign-key BBBBBBBB
gpg --keyserver keyserver.ubuntu.com --send-keys BBBBBBBB

B:

gpg --refresh-keys BBBBBBBB
gpg --check-sigs BBBBBBBB
<shows only self-sigs, no A's signature>

I knew it's not recommended sending the signed key directly to the keyserver by A (thanks to @coldtobi), but the question is still there. Seems the signatures cannot be downloaded from keyserver though they're shown on the keyserver's web interface.

@CorySanin
Copy link

Answering for posterity. If your signer(s) did it the "wrong way," the only way to import the signatures is to download your public key through the web interface and --import it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment