Reposted: Ten Steps for Attending a Keysigning Party
This is a copy of the post which could be found at http://commandline.org.uk/command-line/2007/sep/7/ten-steps-for-attending-a-keysigning-party/. The original post appears to have disappeared into the ether and the URL now returns a 404. This work is not my own and I'm not trying to claim it as such; I just link to it in a few places and want a permanent archive of the work. Thanks to Vic Demuzere who let me know that the work I was linking to had gone missing.
Update: the original post appears to be archived at http://old.commandline.org.uk/command-line/ten-steps-for-attending-a-keysigning-party/.
A key signing party can be an event of its own, or it might be at a user group meeting, or at a conference, or at a workplace. The idea is to increase the 'web of trust' and thus strengthen the system as a whole, as well as making your own key more trusted. Alex Willmer explains what you need to do to participate in a key signing party, using GNU Privacy Guard.
You can use either the command line gpg tool or a GUI front end such as seahorse. The command line approach goes as follows:
0. Generate a key
If you've not already done so, generate a key pair:
$ gpg --gen-key
1. Get your key ID
Find your public key by typing this:
$ gpg --list-keys
This gives results like those below. The uid should match your name and chosen email address. Note the id on the line labelled 'pub' (the part after the slash, here 5A6F95BE):
> /home/alex/.gnupg/pubring.gpg
> -----------------------------
> pub 1024D/5A6F95BE 2007-02-08
> uid Alex Willmer <alex at moreati.org.uk>
> sub 2048g/63329941 2007-02-08
2. Upload your key
Publish your public key to a keyserver, using the --keyserver option:
$ gpg --keyserver ldap://keyserver.pgp.com --send-keys 5A6F95BE
Which should respond as follows:
> gpg: sending key 5A6F95BE to ldap server keyserver.pgp.com
3. Print your key fingerprint
Type the following, using the id from step 1.
$ gpg --fingerprint 5A6F95BE
The result is the fingerprint of your public key:
> pub 1024D/5A6F95BE 2007-02-08
> Key fingerprint = C9CD 3335 C138 7291 2022 F30D 2E51 C57B 5A6F 95BE
> uid Alex Willmer <alex at moreati.org.uk>
> sub 2048g/63329941 2007-02-08
Print your fingerprint onto paper. You should be able to get quite a few on a page, which you can then cut into slips. This may also be achieved with the command gpg-key2ps.
4. Go to the party!
Bring the slips and credentials that prove your identity to the key signing party. Normally parties require you to bring credentials that include a photo (e.g. your passport or driver's licence).
5. Give out slips
Give a fingerprint slip to anybody you wish to sign your key, and allow them to verify your identity using your credentials.
6. Take slips
Verify, in person, the identity of anybody you accept a slip from. Ensure the slip has a uid matching their name.
Note that it is anti-social to take slips and just throw them away or forget about them. If you take a slip from someone then it is polite to actually use it by doing steps 7 and 8.
7. Verify the key fingerprints of your acquaintances
Once home, use the id from each slip to download each person's key and display its fingerprint, then check that it matches the fingerprint printed on the slip:
$ gpg --keyserver ldap://keyserver.pgp.com --recv-keys [key_id]
$ gpg --fingerprint [key_id]
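An added example, not part of the original post: a small script for the comparison in step 7 that checks the full fingerprint from a slip against the key gpg downloaded, rather than relying on the 8-character id, which is not unique. The function names and the sample record are constructed for illustration; it assumes gpg's --with-colons output, where the fingerprint is field 10 of the fpr record.

```shell
#!/bin/sh
# Added example: check a slip's fingerprint against the key gpg downloaded.

# Strip separators and upper-case, so "C9CD 3335 ..." matches gpg's colon output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n:' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint` output on stdin; print field 10 of the
# first "fpr" record, which is the primary key's fingerprint.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# check_slip SLIP_FPR < colon-output: 0 = match, 1 = mismatch, 2 = unusable slip value
check_slip() {
    want=$(normalize_fpr "$1")
    got=$(primary_fpr)
    case "$want" in
        ''|*[!0-9A-F]*) echo "slip value is not hexadecimal" >&2; return 2 ;;
    esac
    # Insist on all 40 hex digits (a v4 fingerprint); a short key id is not enough.
    [ "${#want}" -eq 40 ] || { echo "not a full fingerprint: $want" >&2; return 2; }
    if [ "$want" = "$got" ]; then
        echo "MATCH $got"
    else
        echo "MISMATCH slip=$want downloaded=$got" >&2
        return 1
    fi
}

# Constructed sample of colon output for the key shown in step 3 (not captured from gpg).
SAMPLE='pub:-:1024:17:2E51C57B5A6F95BE:1170892800:::-:::scESC:
fpr:::::::::C9CD3335C13872912022F30D2E51C57B5A6F95BE:
uid:-::::1170892800::::Alex Willmer <alex at moreati.org.uk>:'

# Usage: sh check-slip.sh "C9CD 3335 ... 95BE" 5A6F95BE  (gpg runs only with two arguments)
if [ "$#" -eq 2 ]; then
    gpg --with-colons --fingerprint "$2" | check_slip "$1"
fi
```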
8. Upload your acquaintances' keys
Sign each of the verified keys, then upload them to a keyserver:
$ gpg --sign-key [key_id]
$ gpg --keyserver ldap://keyserver.pgp.com --send-key [key_id]
9. Use GPG!
You can now sign emails and anybody who signed your key can verify that email was sent by you and has not been modified. Additionally, you can encrypt anything you send to a person whose key you have signed.
10. Advanced usage
There are optional, additional steps, such as encrypting a signed key and sending it to the listed uid. By receiving the signed key and decrypting it, the key's owner proves access to the email address and control of the private key.
More Information
curl -LO http://barkingiguana.com/2011/07/10/reposted-ten-steps-for-attending-a-keysigning-party.html.orig
curl -LO http://barkingiguana.com/2011/07/10/reposted-ten-steps-for-attending-a-keysigning-party.html.orig.asc
gpg --verify reposted-ten-steps-for-attending-a-keysigning-party.html.orig{.asc,}
If you'd like to have a conversation about this post, email craig@barkingiguana.com. I don't bite.