WLUG GPG Keysigning

There will be a GPG Keysigning session at the WLUG meeting on Wednesday, April 22, 2009.

Introduction to PGP

In case you need a refresher on GnuPG, here are the slides for my 2004 WLUG talk Introduction to PGP.

To Participate

Pre-registration is preferred.  I’ll try to accommodate people who don’t follow the procedure below and still want to participate at the meeting, but that may be difficult.

  1. Mandatory: Create a GPG keypair for yourself (if you haven’t already)
  2. Mandatory: Send your key before the event to the subkeys.pgp.net keyserver. Get your KEYID from your keyring; it is the part following the 1024D/ in the output of:

    gpg --list-secret-keys | grep ^sec

    For me, this is 49BB5886. Yours will be different.

    Then send your key to the keyserver with:

    gpg --keyserver subkeys.pgp.net --send-keys KEYID

    and send me your key fingerprint with:

    gpg --fingerprint KEYID | mail -s "<your email address> key" wlug-keys@wlug.org

Right Before the WLUG meeting

  1. Mandatory: If you pre-register for the keysigning, print out your key fingerprint once and bring it. If you don’t pre-register, print out your key fingerprint 20-30 times, and bring it with you. You’ll hand one of these out to each other person at the keysigning, so bring enough. The program ‘gpg-key2ps’ in the pgp-tools package can do this for you quite nicely.
  2. Mandatory: Run md5sum and sha1sum on the wlug-keysigning-fingerprints.txt files (to be generated shortly before the event - you’ll get an email notification), print the results, and bring them to the meeting. They should match the corresponding files on the web site.
  3. Mandatory: Bring a government-issued picture ID of yourself.

Note: this means you will have at least 2 pieces of paper (your key fingerprint and the sha1sum and md5sum results) that you bring.

At the Keysigning

For those who pre-registered, you can find the keyring, the fingerprint file we’ll use, and the md5sum and sha1sum hash of the fingerprint file, all at http://www.wlug.org/keysigning/2009-04-22/. We will read these values, for everyone to confirm they all match.
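The hash step from "Right Before the WLUG meeting" and the comparison against the published hash files, as an added example that is not part of the original page. It assumes the published hash files use standard md5sum/sha1sum output format; the three file paths passed on the command line are placeholders, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example, not part of the original page.
# Assumption: the published hash files use standard md5sum/sha1sum output
# ("<hex digest>  <filename>"); their names on the site are not given here.

# Print only the hex digest of FILE ($2) using TOOL ($1: md5sum or sha1sum).
digest_of() {
    "$1" "$2" | awk '{ print $1 }'
}

# Split a hex digest into 4-character groups for printing and reading aloud.
group_hex() {
    printf '%s\n' "$1" | sed 's/..../& /g; s/ $//'
}

# Print the sheet to bring to the meeting.
print_sheet() {
    file=$1
    printf 'File: %s\n' "$file"
    printf 'MD5:  %s\n' "$(group_hex "$(digest_of md5sum "$file")")"
    printf 'SHA1: %s\n' "$(group_hex "$(digest_of sha1sum "$file")")"
}

# Compare local digests with the published hash files.
# Returns 0 only if BOTH digests match; an empty published value never matches.
check_published() {
    file=$1 md5_pub=$2 sha1_pub=$3
    rc=0
    for pair in "md5sum:$md5_pub" "sha1sum:$sha1_pub"; do
        tool=${pair%%:*}
        pub=${pair#*:}
        want=$(awk 'NR==1 { print tolower($1) }' "$pub")
        have=$(digest_of "$tool" "$file")
        if [ -n "$want" ] && [ "$want" = "$have" ]; then
            printf '%s: OK\n' "$tool"
        else
            printf '%s: MISMATCH (local %s, published %s)\n' "$tool" "$have" "$want" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh script.sh FINGERPRINT_FILE PUBLISHED_MD5_FILE PUBLISHED_SHA1_FILE
if [ "$#" -eq 3 ]; then
    print_sheet "$1"
    check_published "$1" "$2" "$3"
fi
```

A mismatch on either digest means your copy of the fingerprint file differs from the one being read out, so do not rely on it when checking fingerprints.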

After the Keysigning

Following the keysigning, you’ll need to actually sign people’s keys. The easiest way to do this is to use caff, which is part of the pgp-tools package. caff lets you sign a number of keys at once, and will then email each recipient their signed key, encrypted with their key (actually, it sends one email per UID on the target key, so those people with 10 UIDs on their key will get 10 emails from caff, but that’s OK - it makes sure they control that email address too). They must know their own passphrase to retrieve their signed key, which they can then import into their gpg keyring and upload to the keyserver subkeys.pgp.net.

Acknowledgements

The content of this page was shamelessly stolen from Matt Domsch's blog posting for the GPG Keysigning at FUDConF11. Thanks to Matt for providing the scripts and methods to automate much of the process of running this keysigning.

Chuck Anderson