Debian -- Keysigning

Keysigning
Since many developers meet at trade shows or conferences, these events have become a convenient way to have other people sign one's OpenPGP key and to improve the web of trust. Especially for people who are new to the project, keysigning and meeting other developers has proven very interesting.
This document intends to help you with running a keysigning session. Note that all examples use keyring.debian.org as the keyserver. If the key in question is not in the Debian keyring, replace keyring.debian.org with a public keyserver like keys.openpgp.org (which is a validating key server).
People should only sign a key under at least two conditions:

1. The key owner convinces the signer that the identity in the UID is indeed their own identity, by whatever evidence the signer is willing to accept as convincing. Usually this means the key owner must present a government-issued ID with a picture and information that match up with the key owner. (Some signers know that government-issued IDs are easily forged and that the trustability of the issuing authorities is often suspect, so they may require additional and/or alternative evidence of identity.)

2. The key owner verifies that the fingerprint and the length of the key about to be signed are indeed their own.

Most importantly, if the key owner is not actively participating in the exchange, you won't be able to complete either requisite 1 or 2. Nobody can complete the key owner's part of requisite 1 on the key owner's behalf, because otherwise anyone with a stolen ID card could easily get an OpenPGP key to go with it by pretending to be an agent of the key owner. Nobody can complete the key owner's part of requisite 2 on the key owner's behalf, since the agent could substitute the fingerprint for a different OpenPGP key with the key owner's name on it and get someone to sign the wrong key.
You need printed-out OpenPGP fingerprints, key lengths and an identity card to prove your identity (passport, driver's license or similar). The fingerprints and key lengths are given to other people who ought to sign your key after the meeting.

If you don't have an OpenPGP key yet, create one with
gpg --gen-key

Only sign a key if the identity of the person whose key you are about to sign is proven.
After the meeting you'll have to fetch the OpenPGP key in order to sign it. The following may help:
gpg --keyserver keyring.debian.org --recv-keys 0xDEADBEEF
Note that we can use the last eight hex digits of the fingerprint in this and other GnuPG operations. The 0x in front is also optional.
To sign the key, enter the edit menu with
gpg --edit-key 0xDEADBEEF
In GnuPG, select each uid to sign with uid n, where n is the number of the uid shown in the menu. You can also press enter to sign all the uids.
To sign a key, enter
sign
You will then be shown the fingerprint and length of the key, which you have to compare with the one you've got from the person you met. When asked for the level of certification, choose "casual".
Quit GnuPG with
quit
To verify you have signed the key correctly, you can do:
gpg --list-sigs 0xDEADBEEF
You should see your own name and fingerprint (in short form) in the output.
Once everything looks good, you can send the signed key to its recipient by doing:
gpg --export -a 0xDEADBEEF > someguys.key
The -a option exports the key in ASCII format so it can be emailed without the possibility of corruption.
If someone signs your key in this manner, you can add it to the Debian keyring by doing:
gpg --import --import-options merge-only mysigned.key
gpg --keyserver keyring.debian.org --send-keys
It may take a while for the keyring maintainers to update your key so
be patient. You should also upload your updated key to the public
keyservers.
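The whole round trip described above, from key creation through fingerprint comparison, signing, verification, export and the owner's merge-only import, as an added example that is not part of the Debian page and not code from the signing-party package. It runs in two throwaway GnuPG homes (a "signer" and a "key owner"), so the keyserver steps (--recv-keys, --send-keys) are replaced by exporting and importing a file; the names, e-mail addresses and the "paper slip" are constructed for the demo. The interactive edit menu is replaced by --quick-sign-key with --default-cert-level 2 (the "casual" level), and the check before signing is done on the full fingerprint, not on the eight-digit key ID, which is only a lookup handle.

```shell
#!/bin/sh
# Added example (not from the Debian page): complete keysigning round trip in
# isolated GnuPG homes. All names, addresses and the "slip" are constructed.

# Normalize a fingerprint as copied from a paper slip: drop whitespace and an
# optional 0x prefix, fold to upper case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Read the primary key fingerprint from "gpg --with-colons" output: the fpr
# record that follows the pub record carries it in field 10.
primary_fpr_from_colons() {
    awk -F: '$1=="pub"{want=1;next} want && $1=="fpr"{print $10; exit}'
}

# Compare the slip the key owner handed you with what the fetched key reports.
fpr_matches_slip() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# gpg with an isolated home, no prompts and an empty passphrase (demo keys).
gpg_q() {  # usage: gpg_q HOME args...
    _home=$1; shift
    GNUPGHOME="$_home" gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase '' "$@"
}

run_keysigning_demo() {
    work=$(mktemp -d) || return 1
    signer="$work/signer"; owner="$work/owner"
    mkdir -m 700 "$signer" "$owner"

    # 1. Both people create a key (the page's gpg --gen-key, in batch form).
    gpg_q "$signer" --quick-gen-key "Alice Example <alice@example.org>" default default never
    gpg_q "$owner"  --quick-gen-key "Bob Example <bob@example.org>" default default never
    signer_fpr=$(GNUPGHOME="$signer" gpg --batch --with-colons --fingerprint | primary_fpr_from_colons)
    owner_fpr=$(GNUPGHOME="$owner" gpg --batch --with-colons --fingerprint | primary_fpr_from_colons)
    signer_id=$(printf '%s' "$signer_fpr" | tail -c 16)   # long key ID = last 16 hex digits

    # 2. At the meeting Bob hands Alice a slip (constructed here from his key,
    #    printed in groups of four the way gpg --fingerprint shows it).
    slip=$(printf '%s' "$owner_fpr" | sed 's/..../& /g')

    # 3. After the meeting Alice fetches Bob's key (a file stands in for
    #    --recv-keys) and compares the full fingerprint before signing.
    gpg_q "$owner" --export -a "$owner_fpr" > "$work/bob.key"
    gpg_q "$signer" --import "$work/bob.key"
    fetched=$(GNUPGHOME="$signer" gpg --batch --with-colons --fingerprint "$owner_fpr" | primary_fpr_from_colons)
    if ! fpr_matches_slip "$slip" "$fetched"; then
        echo "fingerprint mismatch, not signing" >&2
        return 1
    fi

    # 4. Certify at level 2 ("casual") without the interactive edit menu.
    gpg_q "$signer" --default-cert-level 2 --quick-sign-key "$owner_fpr"

    # 5. Verify: a good (!) certification made by Alice's key must be present.
    GNUPGHOME="$signer" gpg --batch --with-colons --check-sigs "$owner_fpr" \
        | grep -q "^sig:!:[^:]*:[^:]*:$signer_id:" || return 1

    # 6. Alice sends the signed copy back (page: gpg --export -a > someguys.key).
    gpg_q "$signer" --export -a "$owner_fpr" > "$work/bob-signed.key"

    # 7. Bob merges only the new signature into his own key (page: merge-only);
    #    he would then push it to the keyserver with --send-keys.
    gpg_q "$owner" --import --import-options merge-only "$work/bob-signed.key"
    GNUPGHOME="$owner" gpg --batch --with-colons --list-sigs "$owner_fpr" \
        | grep -q "^sig:[^:]*:[^:]*:[^:]*:$signer_id:" || return 1

    # Clean up the throwaway agents and homes.
    GNUPGHOME="$signer" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$owner" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "keysigning round trip OK: $signer_id certified $owner_fpr"
}

# Run with:  . ./keysigning-demo.sh && run_keysigning_demo
```

The comparison step is the one that matters: the slip and the fetched key are normalized and compared in full, so a key that merely shares the last eight hex digits of the fingerprint with the one on the slip is refused before any signature is made.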
The signing-party Debian package provides some tools to help you with this process. gpg-key2ps turns an OpenPGP key into a PostScript file to print paper slips with your fingerprint, and gpg-mailkeys will email a signed key to its author. The package also includes caff, which is a more advanced tool. See the package documentation for more information.
What you should not do

You should never sign a key for somebody you haven't met personally. Signing a key based on anything other than first-hand knowledge destroys the utility of the Web of Trust. If one's friend presents other developers with your ID card and your fingerprint, but you are not there to verify that the fingerprint belongs to you, what do other developers have to link the fingerprint to the ID? They have only the friend's word, and the other signatures on your key -- this is no better than if they signed your key just because other people have signed it!

It is nice to get more signatures on one's key, and it is tempting to cut a few corners along the way. But having trustworthy signatures is more important than having many signatures, so it's very important that we keep the keysigning process as pure as we can. Signing someone else's key is an endorsement that you have first-hand evidence of the keyholder's identity. If you sign it when you don't really mean it, the Web of Trust can no longer be trusted.
More information
Wiki article about keysigning
Last Modified: Fri, Apr 4 16:26:16 UTC 2025
Copyright © 1997-2025 SPI and others; see license terms. Debian is a registered trademark of Software in the Public Interest, Inc.