FOSDEM organizes each year one of the largest keysigning event for PGP keys. When we come back from a key signing party, what to do?
Here a FAQ with some useful notes about how I sign the keys.
Sign other keys
Bad practice: don’t upload keys you’ve just signed to the PGP server
At the event, you checked the key fingerprints and you checked an ID document. But you also want to verify the email address to be sure the mail belongs to the user and not to a namesake.
So don’t upload keys to a PGP server, send the signature for ONE mail to THAT mail address. Luckily, some softwares automate the process and does that.
Caff
Caff will automate signing and sending process.
You can follow instructions published on the Debian wiki.
Basically, it works in three steps:
- create a ~/.caffrc file with at least <code>$CONFIG{‘owner’}</code> and <code>$CONFIG{’email’}</code>
- caff <fingerprints of each keys you verified>
- check your mail for issues like rejected as spam, not existing mailbox, etc.
- take a highlighter and let a mark when a key has been sent
What if some keys aren’t fetchable on the public servers?
You can ask caff to fetch the keys from the local GnuPG keyring. For that, download the FOSDEM event keyring, then import the keys you want:
|
1 2 |
wget https://ksp.fosdem.org/files/non-authoritative/keyring.gpg gpg --import keyring.gpg 6CA63522 |
You can then ask caff to fetch them locally. For me, it was the following keys:
|
1 |
caff --keys-from-gnupg 6CA63522 202CE599 5BCF7D95 A85DB372 E1F3FC1C |
Other software
Some key signing participants use another piece of software: PIUS.
The software claims to be able to detect signed keys in a mailbox, useful for the next step.
Don’t expect your nice message will be read
As you encrypt the message with the recipient PGP key, it will have to make an effort to decrypt it. Contributors using PGP to sign releases or VCS tags or commits don’t use always PGP to read and write mail. So, guess what they could with your message if their mail client doesn’t have access to the key? gpg -d | gpg --import. Your message will so never be read in clear text.
Publish your signed keys
Now you’ve signed the keys from other participants, you want to publish the signed keys you’ve received.
When your client mail supports GPG
If your mail client handles this, or if you use PIUS, they will allow you to import in GPG the keys.
|
1 |
gpg --keyserver pgp.mit.edu --send-key <your key fingerprint> |
Manually import the signed keys
|
1 2 3 4 5 6 7 8 |
#!/bin/sh while true; do echo "Next key?" cat > /tmp/key-to-import gpg -d /tmp/key-to-import | gpg --import gpg --keyserver keyserver.siccegge.de --send-key <your key fingerprint> done |
This script will ask you Next key?
You copy/paste the PGP block (between -----BEGIN PGP MESSAGE----- and -----END PGP MESSAGE-----). Then you save with CTRL + D.
It doesn’t matter if you’ve added a line after the END line, gpg stops to parse there.
GPG will import the key and publish it. Publish on a responsive server, not pgp.mit.edu, that will ease checks.
You have two ways to know each signature have been successfully sent.
First, check the output of gpg --import :
|
1 2 3 |
gpg: Total number processed: 1 gpg: new signatures: 1 gpg: marginals needed: 3 completes needed: 1 trust model: pgp |
If instead you read this, you’ve already published this key:
|
1 2 |
gpg: Total number processed: 1 gpg: unchanged: 1 |
The second way to check is on the web view of the server.
For example if you use the server noted above, search your fingerprint here.
Stay on the page with your signatures, and when you’ve a doubt, you can refresh.
Tag the mails as done
There are a lot of mails as there are a lot of participants. So, to tag mails as processed is useful to know what is processed and what’s not.
An IMAP dedicated folder is nice, or any label/color your client allows.
Alternatively, take an highlighter, your paper list and annotate.