Having attended FOSDEM last weekend, I have been asked to help some people out with signing PGP keys. As it is an international gathering of users and developers of all levels of expertise, it's a great event to get your key out in to the wild. While helping people out, I figured it might be even easier next time around to just refer to a small tutorial on my blog instead.
Creating a PGP key
The first step to sign keys, is to have a PGP key. If you already have one,
you're good to go to the next part of this tutorial. If you don't, you can check
gpg manual on how to create a key, or read about key creation in my
article on using PGP with a Yubikey. While I would
strongly suggest reading at least some material,
gpg does quite a good job of
guiding you through the process without prior knowledge, so you can just get
gpg --generate-key as well.
Create key slips
A key slip is a small piece of paper containing some basic information about the PGP key. They're exchanged when people meet, so they don't have to immediately sign the key, but can do it safely at home. When you're signing in a group, this may be faster to work with. Another benefit is that some people don't have their private keys with them. They can then just collect the key slips from the people who's key they want to sign, and sign it whenever they are in possession of their private key again.
A key slip doesn't have to contain much. A key ID, fingerprint, email address and a name is plenty. For reference, my key slips look as follows:
Verifying the owner
Before you sign anyone's public key, you should verify that the person is actually who they say they are. You can easily do this by asking for government issued identification, such as an ID card, driver's license or passport. What constitutes good proof is up to you, but in general people expect at least one form of government issued identification.
If the person can't verify who they are, you should not sign their key!
Retrieving their key
Once you have verified the person is who they say they are, and you have
received their key slip containing their key ID, you can look up their key
online. You can let
gpg do all the work for you in searching and downloading
the key, using the
--search switch. For instance, to retrieve my key, do the
If a result has been found, you are prompted to enter the numbers of the keys you want to download. Make sure you download the right key, in case multiple have been found!
After retrieving the key, you can see it in the list of all the keys
Signing their key
To actually sign their key, and show that you trust that the key belongs to the
person's name attached to it, you can use
You will be prompted whether you are sure you want to sign. You should answer
this with a single
y to continue.
After signing it, you'll have signed a PGP key! You can verify this by looking
at the signatures on a given key with
--list-sigs 0x7A6AC285E2D98827. This should
contain your name and key ID.
Exchanging the signed key
While you could publish the updated public key with your signature on it, you should not do this! You should encrypt the updated public key and send it to the person that owns the private key, and they should upload it themselves. One reason for this is that it allows you to safely verify that they do in fact actually own the private key as well, without ever asking them explicitly to show you their private key.
To export the public key, use
--armor option is used to export the key as base64, instead of binary
You can attach this file to an email, and let your email client encrypt the entire email and all attachments for they key ID. How you can do this depends on your email client, so you should research how to do this properly in the documentation for it.
However, it's also possible to encrypt the public key file before adding it as an attachment, in case you don't know how to let your email client do it (or if you don't trust your email client to do it right).
You can use the
--encrypt option for this, and add a
--recipient to encrypt
it for a specific key.
Now you can use this encrypted key file and share it with the owner of the key.
If the person you send it to really is the owner of the key, they can use the
private key to decrypt the file, import it with
gpg --import and then publish
Once all this is done, other people should have sent you your signed pubkey as well, and you should have published your updated key with the new signatures. Now you can start using PGP signatures and encryption for your communication with the world. People who have not signed your key can see that there's other people that do trust your key, and they can use that information to deduce that whatever's signed with your key really came from you, and that anything they encrypt with your public key can only be read by you.
With this trust, you can make communication and data exchange in general more secure.