Skip to main content

Hosting a successful GPG Keysigning Party

·3 mins
Security
Table of Contents

A GPG Keysigning party is an event where people verify each other’s identity and sign their GPG keys. Doing so increases the effectiveness of the “Web of trust” and the total trust each key has.

This is a revisited blog post from my old website, I saw a lot of 404’s leading there still.

Please note, all fingerprints/emails in this post should be replaced by your own!

In preparation for the event #

You should list your public key and print this out multiple times on a piece of paper, you will distribute this to the other attendees to verify your fingerprint.

You can do this with

gpg --list-key [email protected]

This will give an output similar to:

pub rsa4096 2015-01-29 [C] [expires: 2024-11-21]
      34B35DD172E366BF6867AB069FB800372F2546D8
uid [ultimate] Christiaan de Die le Clercq <[email protected]>
sub rsa2048 2015-01-29 [S] [expires: 2024-11-21]
sub rsa2048 2015-01-29 [E] [expires: 2024-11-21]
sub rsa2048 2015-01-29 [A] [expires: 2024-11-21]

Be sure to pack your ID and a pen as well! People need to validate this is indeed you! You can also refer people to a key signing policy like this one: https://techwolf12.nl/gpg/policy

The goal of printing this is to avoid someone editing the content and generating a fake key under your name.

You are now ready to go!

During the event #

You will collect the paper key of people, and make sure that this person is the person’s name on the key, for example by validating their ID. Don’t worry about the email validation, for now, that is for later.

It is recommended to mark the validated pieces of paper with a pen and write something like “valid” on it for later.

After this, bring all the pieces of paper home with you.

Signing keys after the event #

You now have the printed public key information from the other participants.

Now you have to find the key fingerprint on each print and get the public keys from the keyservers like so:

gpg --recv-keys 34B35DD172E366BF6867AB069FB800372F2546D8

You can now sign the key with

gpg --sign-key 34B35DD172E366BF6867AB069FB800372F2546D8

A few things to keep in mind:

  • If a key has multiple user IDs, GPG will ask if you want to sign all of them. Unless they seem suspicious to you, It is usually alright to sign all of the user IDs.
  • Compare all of the information displayed by GPG with the information on the paper, only sign the key if it matches exactly.
  • GPG will ask for the passphrase for your secret key, enter it and GPG will sign the other person’s key with yours.

Repeat this process with the other keys you have collected. Once this is done, you can send these signatures by email.

Instead of sending the signed keys back to the keyserver, send each key to its owner via email. This will ensure that the owner of the key also is in control of the email address listed in the key

For every key, you can now export the public key like so:

gpg --armor --output 01234567.signed-by.34B35DD172E366BF6867AB069FB800372F2546D8.asc --export 01234567

You can use your preferred email program to compose messages to the email address from each key’s user ID and attach the corresponding signature file.

If possible, have your email program encrypt these messages with the corresponding keys.

Importing your signed key #

Of course, part of the fun is receiving your signed key back! To import this, use the following command:

gpg --import 34B35DD172E366BF6867AB069FB800372F2546D8.signed-by.01234567.asc

You can list the signatures with:

gpg --list-sigs 34B35DD172E366BF6867AB069FB800372F2546D8

Finally, you should upload your key to a keyserver so other people can find it. You can do that with:

gpg --send-keys 34B35DD172E366BF6867AB069FB800372F2546D8

That’s it, your key is now signed and you have enlarged your web of trust.