Skip to content

Instantly share code, notes, and snippets.

@nvk
Forked from F21/signing-gpg-keys.md
Created June 26, 2019 13:33
Show Gist options
  • Save nvk/289f8b2cb08328b2929f18a3a6203e07 to your computer and use it in GitHub Desktop.
Save nvk/289f8b2cb08328b2929f18a3a6203e07 to your computer and use it in GitHub Desktop.
Signing someone's GPG key

This is a quick guide of the commands we use to sign someone's GPG key in a virtual key signing party.

Note: The steps cover only the technical aspects of signing someone's key. Before signing someone's key, you must verify their identity. This is usually done by showing government-issued ID and confirming the key's fingerprint

The commands will work for both GPG and GPG2.

I use Julian's key for the examples. His key id is 2AD3FAE3. You should substitute with the appropriate key id when running the commands.

Signing the key

  1. List the keys currently in your keyring: gpg --list-keys.

  2. I want to sign Julian's key, so I pull it into my keyring: gpg --recv-keys 2AD3FAE3. If Julian's key is already in my keyring, it's a good idea to pull it again, so that my keyring is up to date.

    1. If the default keyserver (keys.gnupg.net) is not responsive, use the MIT or Ubuntu keyserver: gpg --keyserver pgp.mit.edu --recv-keys 2AD3FAE3 or gpg --keyserver keyserver.ubuntu.com --recv-keys 2AD3FAE3
  3. I then sign Julian's key: gpg --sign-key 2AD3FAE3. If a GPG agent is not running, you will be prompted for your private key's passphrase.

  4. The current practice is to send the signed key to the keyserver. I prefer to sent it to the GNU, MIT and Ubuntu keyservers:

gpg --send-keys 2AD3FAE3
gpg --keyserver pgp.mit.edu --send-keys 2AD3FAE3
gpg --keyserver keyserver.ubuntu.com --send-keys 2AD3FAE3
  1. The keyserver will merge our signature with those available for Julian's key. Wait a few moments for the merging to complete and check that everything worked by visiting the following:
https://keyserver.ubuntu.com/pks/lookup?search=0xDDB6E9812AD3FAE3&op=vindex
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xDDB6E9812AD3FAE3
https://keyserver.ntzwrk.org/pks/lookup?op=vindex&fingerprint=on&search=0xDDB6E9812AD3FAE3

I can see my signature for Julian's key on all those servers, so that means his key was signed correctly.

Having the owner of the signed key upload the key himself

NOTE: According to this blog post, pushing the signed key directly to the keyserver is not good practice, because it does not prove ownership of the key.

A good idea would be to encrypt the signed key using Julian's public key and email it to him. He will then decrypt the signed key (proving that he has access to the secret key) and then upload it to the keyservers himself.

To encrypt the signed key (you will be asked for your passphrase to sign it as well, so that the receiver can verify that you are the sender):

gpg -a --export 2AD3FAE3 | gpg -se -r 2AD3FAE3 > ~/tmp/2AD3FAE3.asc.pgp

I then email 2AD3FAE3.asc.gpg to Julian. In this case, I email it to the address in his key ([email protected]) as the key states that he controls that address.

Once Julian receives the encrypted message, he decrypts it and imports it into his keyring:

gpg --decrypt 2AD3FAE3.asc.pgp
gpg --import 2AD3FAE3.asc

He can then send his key with the attached signatures to the various keyservers:

gpg --send-keys 2AD3FAE3
gpg --keyserver pgp.mit.edu --send-keys 2AD3FAE3
gpg --keyserver keyserver.ubuntu.com --send-keys 2AD3FAE3

Updating your key in the KEYS file

If you are a PMC member, update or add your key to the KEYS file at http://www.apache.org/dist/calcite/KEYS.

To generate the appropriate output, run: gpg --list-sigs 2AD3FAE3 && gpg --armor --export 2AD3FAE3.

Paste the output into the KEYS files and commit it to the SVN repo by following these instructions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment