What is a key-signing party?
A key-signing party is a get together with GnuPG/PGP users for the purpose of
meeting other GnuPG/PGP users and signing each other's keys. This
extends the Web of Trust that GnuPG/PGP relies upon. At the February
CerritosLUG meeting there will be a party for all participants.
Anyone and everyone is invited.
We sign keys because GnuPG/PGP is based upon a Web of Trust. This
web of trust is what ensures that nobody can pretend to be you and that
you can really believe that a message you receive from Bob is really from
Bob. The more deep and tightly inter-linked the web of trust is, the
more difficult it is to defeat.
What do I need to bring?
- You (physical attendance is absolutely required)
- One or more forms of identification
  - Driver's license
  - School ID
  - Library card
- Your key ID, type, fingerprint and size
- A pen or pencil
- NO COMPUTER
What do I do BEFORE the party?
Email a copy of your public key
If you do not have a gpg key or do not yet have it installed,
more information is below.
The commands you should use look something like this:
$ gpg --fingerprint [emailaddress]
pub 1024D/123ABC4D 2001-03-28 Your Name <firstname.lastname@example.org>
Key fingerprint = 3380 B5DC 0568 A909 DAFD 89E7 3B4D 9DD4 123A BC4D
sub 1024g/567EFG8H 2001-03-28 [expires: 2002-03-28]
Make a note of your key ID; it is the part following
"pub 1024D/". The 1024D is the key size and type, the part
after the slash is the key ID, and the fingerprint should be obvious.
$ gpg --fingerprint [KEYID] > pubkey.txt
$ gpg --armor --export [KEYID] >> pubkey.txt
The command that I used is below. My Key ID is AE127015. You
may also use the email address you entered during key creation to find out
your key ID. By the way, the key ID is not case sensitive. AE127015 is the
same as ae127015 to gnupg.
$ gpg --fingerprint AE127015 > pubkey.txt
$ gpg --armor --export AE127015 >> pubkey.txt
Cut/paste the contents of that file into an email. Please do not
send it as an attachment. You may view mine
or that of the original author of this page.
This is going to be a keyring style party where I email a copy of
a keyring to all the participants. That makes it slightly more complicated
than a keyserver based party but I feel the added control is worthwhile.
Furthermore there are those who are concerned about the "public public-key"
Print out a copy of the --fingerprint output. You must bring this
to the February CerritosLUG meeting.
What do I do DURING the party?
A worksheet for everyone at the party will be prepared. It will list
the fingerprints of every key I received in time for the party.
Phase one consists of key identification. In the order
on the sheet, each of us will stand and read our own fingerprint
from the copy we brought. Reading the fingerprint consists of reading your
key size, type, ID and fingerprint. There will be checkboxes down the side
of the sheet, two next to each fingerprint. The first box is checked off as
each person reads their key.
Phase two: we will form a big conga line.
The first person will turn around and walk down the line examining
identification and checking the second box on the paper if it matches
to their satisfaction. The amount of
evidence required to "positively ID" an individual is a personal choice.
Whatever it takes to convince you that the person you see really is the person
identified by that key is sufficient. A passport and driver's license is often
touted as a good combination, but you have to make up your own mind. Remember
that when you sign a key, you are telling the world that you believe
and trust that the key belongs to that person.
What do I do AFTER the party?
After the party you will receive a rather large email containing the
keyring from the party. This is the really time consuming part that will
test your mettle. You must run the following command for every key on the
$ gpg --no-default-keyring --keyring ./cerritoslug.gpg --sign-key [KEYID]
You will be prompted with the fingerprint of the key to compare against
the printout you checked off. It is very important that you compare the two.
If it all checks out, answer "Yes" and you will be prompted for your
passphrase. Once you enter it, you are certifying to the world that
the key really belongs to the person you met at the party. Note: this is
the secret passphrase for YOUR key.
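As an added example (not code from the original page), here is a small Python helper that builds the phase-one worksheet entries from the classic gpg --fingerprint output shown above and performs the same comparison you do by hand when --sign-key shows you a fingerprint. It assumes the gpg 1.x output format used on this page; the second key in the sample is a constructed placeholder, not a real key.

```python
"""Worksheet helper for a keyring-style key-signing party (added example, not from
the page).  Parses the classic ``gpg --fingerprint`` output shown on the page and
checks a fingerprint read aloud, or shown later by ``gpg --sign-key``, against
the printed entry.  Assumes gpg 1.x formatting exactly as on the page."""
import re

PUB_RE = re.compile(r"^pub\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8})\s+(\S+)\s+(.*)$")
FPR_RE = re.compile(r"^\s*Key fingerprint = ([0-9A-Fa-f ]+?)\s*$")

# Constructed sample: the first key is the one shown on the page; the second is a
# made-up placeholder (not a real key) that only exercises the parser.
SAMPLE_OUTPUT = """\
pub 1024D/123ABC4D 2001-03-28 Your Name <firstname.lastname@example.org>
Key fingerprint = 3380 B5DC 0568 A909 DAFD 89E7 3B4D 9DD4 123A BC4D
sub 1024g/567EFG8H 2001-03-28 [expires: 2002-03-28]
pub 1024D/01234567 2001-01-01 Placeholder Person <placeholder@example.net>
Key fingerprint = 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567
"""

def normalize(fpr):
    """Strip spacing and case so '3380 b5dc ...' compares equal to '3380B5DC...'."""
    return re.sub(r"\s+", "", fpr).upper()

def parse_fingerprint_output(text):
    """Return one dict per primary key: size, type, keyid, date, uid, fingerprint."""
    entries, current = [], None
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            size, ktype, keyid, date, uid = m.groups()
            current = {"size": int(size), "type": ktype.upper(), "keyid": keyid.upper(),
                       "date": date, "uid": uid.strip(), "fingerprint": None}
            entries.append(current)
            continue
        m = FPR_RE.match(line)
        if m and current is not None:
            current["fingerprint"] = normalize(m.group(1))
    return entries

def keyid_matches_fingerprint(entry):
    """For v4 keys (every DSA key such as 1024D) the 8-hex-digit key ID is the low
    32 bits of the 160-bit fingerprint; a mismatch means a typo or a bogus entry."""
    fpr = entry["fingerprint"]
    return fpr is not None and len(fpr) == 40 and fpr.endswith(entry["keyid"])

def check_fingerprint(entry, spoken):
    """True only when the fingerprint read aloud (or shown by --sign-key) matches
    the printed entry exactly after normalization; any other answer is a 'no'."""
    return keyid_matches_fingerprint(entry) and normalize(spoken) == entry["fingerprint"]
```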
Once you have completed doing that to each of the keys on the ring, mail
a copy back to Todd (me). He will compile all the signatures and send the
final ring with all signatures to all participants. When you receive the
final set of keys, all you need to do is import them. At your option you may
upload your signed key to a keyserver. Please note that it is
considered poor form to upload
someone else's key to a keyserver without their permission.
I don't have GPG/I don't have a GPG Key!
You could use the summary instructions in
The Keysigning Party HOWTO or read up on GnuPG at the official site.
If this is your first time using GnuPG, you are STRONGLY urged to read
the documentation at GnuPG.org.
Also, consider setting an expiration date on your first key of a few
years. That way any potential mistakes that you make while learning
will eventually go away when the key expires.