Reposted: Ten Steps for Attending a Keysigning Party

July 10, 2011 · 3 min read

This is a copy of the post originally found at http://commandline.org.uk/command-line/2007/sep/7/ten-steps-for-attending-a-keysigning-party/. The original appears to have vanished and the URL now returns a 404. This work is not mine and I'm not trying to claim it as such — I linked to it in a few places and wanted a permanent archive. Thanks to Vic Demuzere who let me know the link had gone dead.

Update: the original post appears to be archived at http://old.commandline.org.uk/command-line/ten-steps-for-attending-a-keysigning-party/.

A key signing party can be an event of its own, or it might happen at a user group meeting, a conference, or a workplace. The idea is to grow the "web of trust" and strengthen the system as a whole, while also making your own key more trusted. Alex Willmer explains what you need to do to participate in a key signing party using GNU Privacy Guard.

You can use either the command line gpg tool or a GUI front end such as Seahorse. The command line approach goes as follows:

0. Generate a key

If you haven't already done so, generate a key pair:

$ gpg --gen-key

1. Get your key ID

Find your public key:

$ gpg --list-keys

This gives results like the below. The uid should match your name and chosen email address. Note the 8-character id after the slash on the line labelled "pub" (5A6F95BE here); the "sub" line is the encryption subkey and is not what you hand out:

/home/alex/.gnupg/pubring.gpg
-----------------------------
pub 1024D/5A6F95BE 2007-02-08
uid Alex Willmer <alex at moreati.org.uk>
sub 2048g/63329941 2007-02-08

2. Upload your key

Publish your public key to a keyserver:

$ gpg --keyserver ldap://keyserver.pgp.com --send-keys 5A6F95BE

Which should respond:

gpg: sending key 5A6F95BE to ldap server keyserver.pgp.com

3. Print your key fingerprint

Using the id from step 1:

$ gpg --fingerprint 5A6F95BE

The result is the fingerprint of your public key:

pub 1024D/5A6F95BE 2007-02-08
Key fingerprint = C9CD 3335 C138 7291 2022 F30D 2E51 C57B 5A6F 95BE
uid Alex Willmer <alex at moreati.org.uk>
sub 2048g/63329941 2007-02-08

Print your fingerprint onto paper, together with the uid and key id. You should be able to fit quite a few on a page, which you can then cut into slips. You can also generate a PostScript page of slips with the command gpg-key2ps (from the signing-party package), e.g. gpg-key2ps 5A6F95BE > slips.ps.

4. Go to the party!

Bring the slips and credentials that prove your identity. Normally parties require photo ID (e.g. your passport or driving licence).

5. Give out slips

Give a fingerprint slip to anybody you'd like to sign your key, and allow them to verify your identity using your credentials.

6. Take slips

Verify in person the identity of anybody you accept a slip from. Make sure the name in the uid on the slip matches the name on their photo ID.

Note: it's anti-social to take slips and then throw them away or forget about them. If you take a slip from someone, it's polite to actually follow through with steps 7 and 8.

7. Verify the key fingerprints of your acquaintances

Once you're home, use the id from each slip to download each person's key, then compare the fingerprint gpg prints with the one on the slip. Compare all 40 hex digits, not just the 8-digit id: the short id is only the last 32 bits of the fingerprint and is not unique to a key. Sign only keys whose fingerprint matches the slip exactly:

$ gpg --keyserver ldap://keyserver.pgp.com --recv-keys [key_id]
$ gpg --fingerprint [key_id]

8. Sign and upload your acquaintances' keys

Sign each verified key and upload it to a keyserver:

$ gpg --sign-key [key_id]
$ gpg --keyserver ldap://keyserver.pgp.com --send-keys [key_id]

9. Use GPG!

You can now sign emails, and anybody who signed your key can verify that the email was sent by you and hasn't been modified. You can also encrypt anything you send to a person whose key you've signed.

10. Advanced usage

There are optional additional steps, such as signing each uid separately, encrypting the signed key to that key and emailing it to the address in the uid rather than uploading it yourself. Only someone holding the private key can decrypt it, and only someone who reads that mailbox receives it, so when the owner imports and publishes the signature they have proved both access to the email address and control of the private key. The caff tool, from the same signing-party package as gpg-key2ps, automates this.
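Steps 7, 8 and 10 as one script, added here as an example and not code from the original post: it fetches a key by the fingerprint on a slip, parses gpg's machine-readable (--with-colons) listing, refuses to sign unless exactly one primary key comes back and its full fingerprint equals the slip, and for the step 10 variant exports the freshly signed key encrypted to itself for mailing. The keyserver, the function names and the sample listing are assumptions of this example; the sample is constructed from the key shown in steps 1 and 3 (the subkey fingerprint in it is made up).

```shell
#!/bin/sh
# Added example, not from the original post. Needs gpg on PATH for the
# verify_and_sign and export_signed_encrypted functions; the parsing and
# comparison functions run offline against SAMPLE_LISTING.
KEYSERVER="${KEYSERVER:-ldap://keyserver.pgp.com}"   # assumption: any keyserver will do

# Constructed sample of `gpg --with-colons --fingerprint 5A6F95BE` output,
# built from the key in steps 1 and 3. Field 10 of an fpr record holds the
# fingerprint. The subkey fingerprint is invented; only the layout matters.
SAMPLE_LISTING='pub:-:1024:17:2E51C57B5A6F95BE:2007-02-08:::-:::scESC:
fpr:::::::::C9CD3335C13872912022F30D2E51C57B5A6F95BE:
uid:-::::2007-02-08::::Alex Willmer <alex at moreati.org.uk>:
sub:-:2048:16:63329941:2007-02-08:::::e:
fpr:::::::::1111111111111111111111111111111163329941:'

# Normalise a fingerprint as written on a slip: drop whitespace, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read a --with-colons listing on stdin and print the fingerprint of every
# primary key: the first fpr record after each pub record. Subkey fpr records
# are skipped. Two keys sharing a short id would produce two lines.
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# Exit 0 only if the listing on stdin holds exactly one primary key whose
# full fingerprint equals the slip. A bare 8- or 16-digit key id is refused:
# it is only the tail of the fingerprint and is not unique to a key.
slip_matches() {
    slip=$(norm_fpr "$1")
    case ${#slip} in
        40|64) ;;          # v4 fingerprints are 40 hex digits, v5 are 64
        *) return 1 ;;
    esac
    listed=$(primary_fpr)
    [ "$listed" = "$slip" ]
}

# Steps 7 and 8: fetch by full fingerprint, compare against the slip, and only
# then sign and upload.
verify_and_sign() {
    fpr=$(norm_fpr "$1")
    gpg --keyserver "$KEYSERVER" --recv-keys "$fpr" || return 1
    if gpg --with-colons --fingerprint "$fpr" | slip_matches "$fpr"; then
        gpg --sign-key "$fpr" &&
        gpg --keyserver "$KEYSERVER" --send-keys "$fpr"
    else
        echo "fetched key does not match the slip fingerprint; not signing" >&2
        return 1
    fi
}

# Step 10 variant: after signing (and instead of uploading), export the key
# carrying your signature and encrypt it to that key, to be mailed to the
# address in the uid. Only the private-key holder can decrypt and import it.
export_signed_encrypted() {
    fpr=$(norm_fpr "$1")
    gpg --armor --export "$fpr" |
        gpg --armor --encrypt --recipient "$fpr" --output "$fpr.signed.asc"
}

# Offline self-check against the constructed listing (no gpg or network).
if printf '%s\n' "$SAMPLE_LISTING" |
   slip_matches "C9CD 3335 C138 7291 2022 F30D 2E51 C57B 5A6F 95BE"; then
    echo "sample slip matches sample listing"
fi
```

Source the file and call verify_and_sign with the fingerprint copied from a slip, e.g. verify_and_sign "C9CD 3335 C138 7291 2022 F30D 2E51 C57B 5A6F 95BE"; for the step 10 route, replace the upload in verify_and_sign with a call to export_signed_encrypted and mail the resulting .asc file to the uid's address.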

More Information

These posts are LLM-aided. Backbone, original writing, and structure by Craig. Research and editing by Craig + LLM. Proof-reading by Craig.