[Wlug] Follow-Up to Key Signing Party

Jamie Guinan guinan at bluebutton.com
Thu May 17 15:37:07 EDT 2007


On Thu, 17 May 2007, Eric Martin wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Thanks to everyone who showed up to tonight's key signing party.  Now
> that we verified everybody had the correct key info and identification,
> we actually have to sign each other's keys.  We are using the keyserver
> pgp.mit.edu.  If that isn't your default, you can set it either in
> ~/.gnupg/gpg.conf or at the command line for each command by using the
> argument
> --keyserver pgp.mit.edu

Is the "hkp://" prefix needed in gpg.conf?

keyserver hkp://pgp.mit.edu


> Below is an excerpt from the gpg Key Signing Party HowTo that explains
> things in detail (http://www.rubin.ch/pgp/kspa/gpg-party.en.html#ss3.8):
> 
> 3.8 How to sign others' keys
> 
> Step 1: Get a copy of the key
> 
> Normally, you'll be working from a keyserver. However, if you are signing
> a key that is not available on a keyserver, you can simply import
> the key with gpg --import. If you are working with a keyserver, the
> following command will download the key from the keyserver into your
> public keyring.
> 
> bash$ gpg --keyserver <keyserver> --recv-keys <Key_ID>
> 
> If you get a read error, it means the keyserver is overloaded. Please,
> try again in a few seconds.

That worked Ok.

> 
> Step 2: Fingerprint and Verify the key
> 
> bash$ gpg --fingerprint <Key_ID>

That too.

> GPG will print out the fingerprint of the Key with <Key_ID> (the key
> you just downloaded). Check the fingerprint against the checklist that
> you were given at the party. Note: Don't check the fingerprint on your
> checklist against the fingerprint on the web page as the server may not
> send you the same key it displays on the web page.
> 
> Step 3: Sign the key
> 
> bash$ gpg --sign-key <Key_ID>

Ok.

> 
> If you have multiple private keys, you can specify which of your private
> keys to sign the other person's public key with like this:
> 
> bash$ gpg --default-key <Key_to_use> --sign-key <Key_ID>
> 
> Step 4: Return or Upload the signed key
> 
> If you are working with an entity which does not want their key on a
> public keyserver, you should at this point return their
> signed key back to them by their method of choice - normally encrypted
> email. You should not send a public key to a keyserver without the
> permission of the key's owner. Publicizing a public key slightly reduces
> the security of a key pair, therefore it is considered rude to make a key
> more public than its owner desires.
> 
> Most likely you are working with a keyserver. If that is the case, you
> can send the signed key back to the keyserver like this:
> 
> bash$ gpg --keyserver <keyserver> --send-key <Key_ID>
> 
> You should see a success message like this:
> 
> gpg: success sending to `<keyserver>' (status=200)
> Congratulations, the signature of the other entity's key is now complete
> and your signature has been incorporated into their public key. A trust
> path has been established.

This looked different for me,

  $ gpg --send-key A9413B9F
  gpg: sending key A9413B9F to hkp server pgp.mit.edu
  $ 

No affirmative response, it just returned to the prompt.  But the exit
code was 0.

  $ echo $?
  0

-Jamie [ not yet using gpg for mail ]
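As an added example that is not part of this thread or of the HowTo it quotes: the four steps above as a POSIX sh script, with the Step 2 comparison against the party checklist done by the script rather than by eye, so a mismatch stops the run before anything is signed. It assumes gpg is on PATH and that the key ID, the checklist fingerprint and (optionally) your own signing key are passed on the command line; the keyserver defaults to the thread's pgp.mit.edu. The `ksp_*` function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the WLUG thread or the gpg HowTo): the four
# key-signing steps wrapped in functions, with the Step 2 fingerprint
# check performed by the script.  Assumptions: gpg is on PATH; the key ID,
# checklist fingerprint and keyserver are supplied by the caller.  Only
# the fingerprint helpers run without gpg.

KEYSERVER=${KEYSERVER:-hkp://pgp.mit.edu}   # the server used in the thread

# Normalize a fingerprint for comparison: drop spaces/tabs/newlines and
# fold hex digits to upper case.  Checklists are hand-typed with uneven
# spacing, so a byte-for-byte string compare would be too strict.
ksp_normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons --with-fingerprint --list-keys` output on stdin
# and print the primary key's fingerprint (field 10 of the first fpr: record).
ksp_extract_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 if two fingerprints are equal after normalization, 1 otherwise.
# An empty fingerprint never matches: a missing fpr: record must not
# compare equal to an empty checklist entry.
ksp_fpr_matches() {
    a=$(ksp_normalize_fpr "$1")
    b=$(ksp_normalize_fpr "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Steps 1-4 from the HowTo for one key.  $1 = key ID, $2 = fingerprint
# copied from the party checklist, $3 (optional) = your signing key when
# you have more than one.  Stops before signing on a fingerprint mismatch.
ksp_sign_key() {
    keyid=$1
    checklist=$2
    signer=${3:-}

    # Step 1: fetch the key into the local public keyring.
    gpg --keyserver "$KEYSERVER" --recv-keys "$keyid" || return 1

    # Step 2: compare the fetched key's fingerprint to the checklist,
    # never to what a web page shows.
    got=$(gpg --with-colons --with-fingerprint --list-keys "$keyid" | ksp_extract_fpr)
    if ! ksp_fpr_matches "$got" "$checklist"; then
        echo "fingerprint mismatch for $keyid: got '$got', checklist '$checklist'" >&2
        return 1
    fi

    # Step 3: sign, optionally choosing which of several private keys to use.
    if [ -n "$signer" ]; then
        gpg --default-key "$signer" --sign-key "$keyid" || return 1
    else
        gpg --sign-key "$keyid" || return 1
    fi

    # Step 4: upload the signed key.  Some gpg versions print only
    # "sending key ... to hkp server ..." (as seen in the thread), so rely
    # on the exit status rather than on a "success" line.
    gpg --keyserver "$KEYSERVER" --send-key "$keyid"
}

# Run the live procedure only when invoked with arguments:
#   sh ksp-sign.sh <Key_ID> "<checklist fingerprint>" [<your signing key>]
if [ "$#" -ge 2 ]; then
    ksp_sign_key "$@"
fi
```

The script always performs Step 4, which is right for keys that came from the keyserver; for an owner who does not want the key public, call the helpers yourself, skip the upload and return the signed key by encrypted mail as the HowTo says. The exit status of the script is the exit status of the last gpg command, so the `echo $?` check from the thread applies unchanged.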
