Zürich Hackathon 2014/Topics/PostKeySigning

= First things first =


 * Put your KEYID here separated by spaces, please, for easy copy/paste for others:
 * FAC81C7D 21923CF1 2E322E62 FFE6E478 33A9C8F1 B57DAF9C 

= The easy way (for Debian-based distributions) =

 * Install the signing-party package
 * setup caff
 * NOTE: You can get the long key ID with gpg using "--list-keys --with-colons"
 * sample config (greg's)
 * run caff (the arguments are the key IDs you want to sign)

Notes:
 * If you don't have a working sendmail (or similar) setup, your emails may be blocked by e.g. Gmail. If that's the case, a safe approach is to create a tarball of all the key signatures for a given person (caff creates one keysig file per email), encrypt it to the person (gpg --encrypt --recipient <KEYID> theirsigs.tar) and email that as an attachment using your normal mail client.

= Step 1: Get a copy of the key =
Normally, you'll be working from a keyserver. However, if you are signing a key that is not available on a keyserver, you can simply import the key with gpg --import. If you are working with a keyserver, the following command will download the key from the keyserver into your public keyring.

bash$ gpg --keyserver pgp.mit.edu --recv-keys <KEYID>

If you get a read error, it means the keyserver is overloaded. Please, try again in a few seconds.

= Step 2: Fingerprint and verify the key =
bash$ gpg --fingerprint <KEYID>

GPG will print the fingerprint of the key with ID <KEYID> (the key you just downloaded). Check the fingerprint against the checklist you were given at the party. Note: don't check the fingerprint on your checklist against the fingerprint on the web page, as the server may not send you the same key it displays on the web page.
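The check in this step, as an added example that is not part of the wiki page: it parses the machine-readable output of gpg --with-colons --fingerprint <KEYID> (the same form the caff note uses to get the long key ID) and compares the fingerprint with the value on the paper checklist. The with-colons sample and the checklist value are constructed; only sh, awk and tr are needed.

```shell
#!/bin/sh
# Added example (not from the wiki): verify the key fetched in Step 1 against the
# party checklist before signing it in Step 3, using the machine-readable output
# of "gpg --with-colons --fingerprint <KEYID>". Needs only sh, awk and tr; the
# sample output below is constructed, not taken from a real key.

# Long (16 hex digit) key ID: field 5 of the primary "pub" record.
long_keyid() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" { print $5; exit }'
}

# Primary key fingerprint: field 10 of the first "fpr" record; later "fpr" records belong to subkeys.
fingerprint() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Checklist fingerprints are printed in spaced groups and may be typed in lower case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# For a v4 key the long key ID is the low 64 bits of the fingerprint, so the
# "pub" key ID must equal the last 16 hex digits of the "fpr" record.
keyid_matches_fpr() {
    fpr=$(fingerprint "$1")
    [ "$(long_keyid "$1")" = "$(printf '%s' "$fpr" | awk '{ print substr($0, length($0) - 15) }')" ]
}

# $1: with-colons text, $2: fingerprint as written on the checklist. Exit 0 only on a match.
check_fingerprint() {
    keyid_matches_fpr "$1" || return 1
    [ "$(fingerprint "$1")" = "$(normalize_fpr "$2")" ]
}

# Constructed sample of gpg's with-colons output (key ID and fingerprint are made up).
SAMPLE='pub:u:4096:1:0123456789ABCDEF:1390000000:::u:::scESC::::::23::0:
fpr:::::::::1111222233334444555566660123456789ABCDEF:
sub:u:4096:1:FEDCBA9876543210:1390000000::::::e::::::23:
fpr:::::::::9999888877776666555544443333FEDCBA9876543210:'
# The same key as it would be printed on the checklist handed out at the party.
CHECKLIST='1111 2222 3333 4444 5555  6666 0123 4567 89AB CDEF'

if check_fingerprint "$SAMPLE" "$CHECKLIST"; then
    echo "fingerprint matches checklist for key $(long_keyid "$SAMPLE"): OK to sign"
else
    echo "MISMATCH: do not sign this key" >&2
fi
```

In real use capture the input with COLONS=$(gpg --with-colons --fingerprint "$KEYID") and pass it as the first argument.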

= Step 3: Sign the key =
bash$ gpg --sign-key <KEYID>

If you have multiple private keys, you can specify which of your private keys to sign the other person's public key with like this:

bash$ gpg --default-key <YOUR_KEYID> --sign-key <KEYID>

= Step 4: Return or upload the signed key =
If you are working with an entity which does not want their key on a public keyserver, at this point you should return their signed key to them by their method of choice, normally encrypted email: export the signed key to a file, attach it to an email, encrypt the mail and attachment, and send it to the key owner. You should not send a public key to a keyserver without the permission of the key's owner. Publicizing a public key slightly reduces the security of a key pair, so it is considered rude to make a key more public than its owner desires.

If no one responds negatively to the question about sharing the signatures publicly, feel free to do:

bash$ gpg --keyserver pgp.mit.edu --send-key <KEYID>

You should see a success message like this:

gpg: success sending to `pgp.mit.edu' (status=200)

Congratulations, the signature of the other entity's key is now complete and your signature has been incorporated into their public key. A trust path has been established.