Signing PGP keys
If you’ve recently completed a key signing party or have otherwise met up with other people and have exchanged key fingerprints and verified IDs, it’s now time to sign the keys you trust. There are several different ways of completing this task and I’ll discuss two of them now.
CA Fire and Forget (caff) is a program that allows you to sign a bunch of keys (like you might have after a key signing party) very quickly. It also adds a level of security to the signing process by forcing the other person to verify that they have both control over the email address provided and the key you signed. The way caff does this is by encrypting the signature in an email and sending it to the person. The person who receives the message must also decrypt the message and apply the signature themselves. Once they sync their key with the key server the new signatures will appear for everyone.
$ gpg --keyserver hkp://pool.sks-keyservers.net --refresh-key
There is some setup of caff that needs to be done prior but once you have it setup it’ll be good to go.
Installing caff is pretty easy although there might be a little trick. In Fedora there isn’t a caff package. Caff is actually in the pgp-tools package; other distros may have this named differently.
Once you have caff installed and setup, you just need to tell caff what key IDs you would like to sign. “man caff” will give you all the options but basically ‘caff -m
no yes -u ‘ will sign all the keys listed after your key. You will be asked to verify that you do want to sign the key and then caff will sign the key and mail it off. The user will receive an email, per user id on the key, with instructions on importing the signature.
Signing a key with GnuPG
The other way of signing a PGP key is to use GnuPG. Signing a key this way will simply add the signature to the key you have locally and then you’ll need to send those keys out to the key server.
Retrieving keys using GnuPG
The first thing that you have to do is pull the keys down from the keyserver.
$ gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys ...
Once you have received all the keys you can then sign them. If someone’s key is not there you should probably contact them and ask them to add their key to the servers. If they already have uploaded their key, it might take a couple of hours before it is sync’d everywhere.
Signing a key is pretty straightforward:
$ gpg --sign-key 1bb943db pub 1024D/1BB943DB created: 2010-02-02 expires: never usage: SC trust: unknown validity: unknown sub 4096g/672557E6 created: 2010-02-02 expires: never usage: E [ unknown] (1). MariaDB Package Signing Key <email@example.com> [ unknown] (2) Daniel Bartholomew (Monty Program signing key) <firstname.lastname@example.org> Really sign all user IDs? (y/N) y pub 1024D/1BB943DB created: 2010-02-02 expires: never usage: SC trust: unknown validity: unknown Primary key fingerprint: 1993 69E5 404B D5FC 7D2F E43B CBCB 082A 1BB9 43DB MariaDB Package Signing Key <email@example.com> Daniel Bartholomew (Monty Program signing key) <firstname.lastname@example.org> Are you sure that you want to sign this key with your key "Eric Harlan Christensen <email@example.com>" (024BB3D1) Really sign? (y/N) y
In the example I signed the MariaDB key with my key. Once that is complete a simple:
gpg --keyserver hkp://pool.sks-keyservers.net --send-key 1BB943DB
…will send the new signature to the key servers.