Mechanics of a Keysigning Party
Here are the mechanics of keysigning, with a very brief explanation. The text «between double angle brackets, in red» is variable. The rest should be typed as shown.
BEFORE the keysigning party:
sudo apt-get update
sudo apt-get install gnupg
gpg --gen-key
gpg --output «revoke».asc --gen-revoke «email@example.com»
gpg --export --armor «email@example.com» \
    > «my_public_key».asc
gpg --keyserver random.sks.keyserver.penguin.de \
    --send-keys «email@example.com»
gpg --fingerprint «email@example.com» > «my_fingerprint».txt
lp «my_fingerprint».txt
First, you install gnupg. Then, you generate your public/private key pair. (In the above example, I've assumed the e-mail address you supplied when asked was «email@example.com».) In addition, you create a "revocation certificate" file (revoke.asc) which can be used to revoke your key in case it becomes compromised. The next step creates an ASCII version of your public key (my_public_key.asc) that you can then e-mail to others, or make available on a web site. Keep it handy. Next, you send the public key to a keyserver so that others can look it up. Finally, you get a printout of your fingerprint (my_fingerprint.txt). This is what you'd bring multiple copies of to a keysigning party, along with your government ID.
In most instances above, you can use either your e-mail address or your actual Key ID, which is the last 8 hex digits of your fingerprint. (If one doesn't work, try the other.)
The printout of the file «my_fingerprint».txt should look something like:
pub   1024D/E6F332C7 2002-04-16
      Key fingerprint = 75E2 0A77 FC0C 2128 F3B3 AA07 87CE F4D8 E6F3 32C7
uid                  My Name <email@example.com>
sub   2048g/8B2232AD 2002-04-16
AT the keysigning party:
Leave your computer turned off, or don't bring it. You should take care of actually signing keys in a private setting, where prying eyes can't watch you type your pass phrase. (It may seem a bit anal and paranoid, but since you're joining a web of trust, and others have determined what constitutes "trust", you should try to stick to the rules. Otherwise, the level of trust people place in each other's keys can be compromised.)
Hand out your copies of your fingerprint, and collect the fingerprints of the other participants. Then pair off with someone and exchange government IDs. After both of you are satisfied with each other's identity, and that the fingerprints came from each other, move on to the next person.
AFTER the keysigning party:
Take your verified fingerprints back to your computer, get each person's public key (if you don't already have it), sign it with your key (type sign and then save at the gpg> prompt of --edit-key), export it and send it to both a keyserver and the owner of the key.
gpg --keyserver random.sks.keyserver.penguin.de \
    --recv-keys «8-digit hexadecimal public key ID»
gpg --edit-key «8-digit hexadecimal public key ID»
    sign
    save
gpg --export --armor «8-digit hexadecimal public key ID» \
    > «someones_public_key».asc
gpg --keyserver random.sks.keyserver.penguin.de \
    --send-keys «8-digit hexadecimal public key ID»
Send the file someones_public_key.asc back to the owner as an attachment and repeat. As you receive mail from others carrying their signatures on your key, save the attachment (as my_public_key.asc, for example) and import it into your keyring.
gpg --import «my_public_key.asc»
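The after-party steps as a script with the check a signer would want, added here as an example that is not part of the original page: it fetches a key by ID, compares the full fingerprint gpg reports against the fingerprints you verified in person, and only then signs, exports and uploads the key. It assumes the verified fingerprints are kept in a text file (verified_fingerprints.txt), one per line, in the "Key fingerprint = ..." form of the printout; the function names are mine, the keyserver is the one named on this page, and gpg --sign-key stands in for the interactive --edit-key / sign / save shown above. short_keyid reproduces the page's rule that the Key ID is the last 8 hex digits of the fingerprint.

```shell
#!/bin/sh
# Added example, not from the original page.  After the party: fetch a key,
# check its fingerprint against the ones verified in person, then sign it.
# Assumption: verified fingerprints live in verified_fingerprints.txt, one per
# line, in the "Key fingerprint = 75E2 0A77 ..." form of the printout.

KEYSERVER=${KEYSERVER:-random.sks.keyserver.penguin.de}   # keyserver named on the page

# Normalize a fingerprint: drop spaces/tabs, uppercase the hex -> 40 characters.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r' | tr 'a-f' 'A-F'
}

# Key ID as the page defines it: the last 8 hex digits of the fingerprint.
short_keyid() {
    normalize_fpr "$1" | tail -c 8
}

# Succeed only if fingerprint $1 appears (in any spacing or case) in file $2.
# Full 40-hex-digit fingerprints are compared, never just the 8-digit key ID.
fpr_is_verified() {
    want=$(normalize_fpr "$1")
    [ "${#want}" -eq 40 ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        have=$(normalize_fpr "${line##*=}")   # keep only what follows the '='
        [ "$have" = "$want" ] && return 0
    done < "$2"
    return 1
}

# Fetch the key with the given ID, verify it, and only then sign/export/upload.
# gpg --sign-key replaces the interactive "--edit-key ... sign / save" on the page.
sign_if_verified() {
    keyid=$1
    verified_file=${2:-verified_fingerprints.txt}
    gpg --keyserver "$KEYSERVER" --recv-keys "$keyid" || return 1
    # --with-colons output: the "fpr" record carries the fingerprint in field 10.
    fetched=$(gpg --with-colons --with-fingerprint --list-keys "$keyid" \
              | awk -F: '$1 == "fpr" { print $10; exit }')
    if ! fpr_is_verified "$fetched" "$verified_file"; then
        echo "refusing to sign $keyid: fingerprint $fetched is not in $verified_file" >&2
        return 2
    fi
    gpg --sign-key "$keyid" || return 1
    gpg --export --armor "$keyid" > "${keyid}_signed.asc" || return 1
    gpg --keyserver "$KEYSERVER" --send-keys "$keyid"
}
```

Usage: `sign_if_verified E6F332C7` (with verified_fingerprints.txt in the current directory), then mail E6F332C7_signed.asc to the key's owner as the page describes. The comparison is deliberately on the whole fingerprint: the 8-digit key ID is convenient for looking a key up, but it is the printed fingerprint, not the ID, that you actually checked against the other person's government ID.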
See the resources listed at the end of the previous page for deeper, longer, and probably better explanations.