

Introduction

The intent of this page is to explain how you can create and sign an OpenPGP key.

Then, to get connected to the web of trust, go to the keysigning coordination page.

How to

Tutorials explaining how to use GnuPG:

If you want your OpenPGP key signed by at least one (but ideally more than one) Debian Developer, follow the steps below.

Step 1: Create an RSA keypair

gpg --full-gen-key

See also creating a keypair.

/!\ Note that, due to weaknesses found in the SHA-1 hashing algorithm, Debian wants stronger RSA keys of at least 4096 bits and prefers SHA-2 digests; Ed25519 is even better.

Also see OpenPGP Best Practices, the documentation about subkeys, and migrating off SHA-1 keys.

Step 2: Generate a revocation certificate

Also generate a revocation certificate if you don't already have one. Throughout the rest of this page, your fingerprint is assumed to be set in the variable ${myFingerPrint}:

gpg --gen-revoke ${myFingerPrint} > ~/.gnupg/revocation-${myFingerPrint}.crt

Step 3: Make your public key public

gpg --send-key ${myFingerPrint}

Some public keyservers:

Step 4: Print your key

The printout of your fingerprint must contain the following information:

To find your fingerprint, use this command:

gpg -v --fingerprint ${myFingerPrint}

Usually, you make several printouts on a sheet of paper, a so-called _keysheet_. Each printout can for example be the size of a business card.

Use a website to generate a PDF

There are various websites that you can use to generate a ready-to-print PDF of your key, for example http://openpgp.quelltextlich.at/slip.html or http://keysheet.net.

Use gpg-key2ps to generate a PDF

You can also use gpg-key2ps, which is part of the signing-party package, to create a keysheet:

gpg-key2ps -p a4 ${myFingerPrint} | gs -sDEVICE=pdfwrite -sOutputFile=out.pdf

Alternatively, you can print in one column only to avoid printing issues (for extra wide keys):

gpg-key2ps -1 -p a4 ${myFingerPrint} | gs -sDEVICE=pdfwrite -sOutputFile=out.pdf

If you go to a key signing party, you will have to send this information beforehand, and they will then print a list for each participant.

Display your key on your screen instead of printing it

Alternatively, you can show your fingerprint(s) on your laptop screen like this:

LANG=C gpg --list-secret-keys --fingerprint --keyid-format long | grep -Po 'fingerprint = \K.*' | sed 's/$/\n/; s/  /\n/' | /usr/games/sm -i -

Step 5: Hand out your key's fingerprint

The people who will sign your key will need to see some form of government issued ID (passport or similar).

You have to give the printout to at least one Debian Developer.

Read the official Debian keysigning page.

A CAcert member will need to see two IDs.

Step 6: Get your key digitally signed

The Debian Developer, signing with their key ${ddSignersFingerprint}, will do the following:

gpg --recv-keys ${myFingerPrint}

gpg --fingerprint ${myFingerPrint}

gpg --sign-key ${myFingerPrint}

gpg --armor --export ${myFingerPrint} | gpg --encrypt -r ${myFingerPrint} --armor --output ${myFingerPrint}-signedBy-${ddSignersFingerprint}.asc

Alternatively, the caff tool from the signing-party package automates this whole process:

caff ${myFingerPrint}
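The security-relevant step above is `gpg --fingerprint ${myFingerPrint}`: the signer must compare the full 40-hex-digit fingerprint of the key just fetched from the keyserver with the one printed on the keysheet that was handed over in person, character by character, before running `gpg --sign-key`. The following POSIX shell helpers are an added example and not part of this wiki page or of GnuPG; they normalise a fingerprint as typed from a keysheet (spaces, colons, lower case) and compare it with the fingerprint line of `gpg --fingerprint` output. The gpg output embedded below is constructed, not a real key, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Debian wiki or GnuPG): check that the fingerprint
# read off a paper keysheet matches the key fetched from the keyserver.

# Constructed sample of "gpg --fingerprint" output (not a real key). gpg prints the
# fingerprint either in groups of four ("1234 5678 ...") or, in newer versions, as
# one unbroken string; older versions prefix it with "Key fingerprint = ".
SAMPLE_GPG_OUTPUT='pub   rsa4096 2020-01-01 [SC]
      1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678
uid           [ultimate] Example Person <example@example.org>
sub   rsa4096 2020-01-01 [E]'

# Remove spaces, tabs and colons and upper-case the hex digits so that
# "12 34 ab:cd" and "1234ABCD" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# A v4 OpenPGP fingerprint is exactly 40 hex digits; anything shorter
# (a key ID copied by mistake, a truncated line) is rejected.
is_valid_fpr() {
    printf '%s' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# Pull the (first) fingerprint line out of gpg --fingerprint output and normalise it.
fpr_from_gpg_output() {
    printf '%s\n' "$1" \
        | sed 's/^.*fingerprint = //' \
        | grep -E '^[[:space:]]*([0-9A-Fa-f]{4}[[:space:]]*){10}$' \
        | head -n 1 \
        | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# The long key ID is only the last 16 hex digits of the fingerprint, so it is
# never a substitute for comparing the full fingerprint; it is shown here only
# so the reader can see how the two relate.
long_keyid() {
    printf '%s' "$1" | tail -c 16
}

# Succeeds (exit 0) only if both inputs are complete fingerprints and identical.
fpr_matches() {
    _a=$(normalize_fpr "$1")
    _b=$(normalize_fpr "$2")
    is_valid_fpr "$_a" && is_valid_fpr "$_b" && [ "$_a" = "$_b" ]
}

# Demo: run with --demo to compare the constructed keysheet value against the
# constructed gpg output. In real use, feed "$(gpg --fingerprint "$fpr")" instead.
if [ "${1:-}" = "--demo" ]; then
    keysheet='1234 5678 9abc def0 1234 5678 9abc def0 1234 5678'
    fetched=$(fpr_from_gpg_output "$SAMPLE_GPG_OUTPUT")
    if fpr_matches "$keysheet" "$fetched"; then
        echo "fingerprint matches keysheet: $fetched (long key ID $(long_keyid "$fetched"))"
    else
        echo "MISMATCH: do not sign this key" >&2
        exit 1
    fi
fi
```

In practice the left-hand value comes from the paper in your hand and the right-hand value from `gpg --fingerprint` on the key you just received with `gpg --recv-keys`; only sign when `fpr_matches` succeeds. The check deliberately refuses a bare key ID, because the keysheet and the keyserver must agree on the whole fingerprint, not just its tail.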

Step 7: Send your signed key to the server

Some time after having participated in a keysigning, you may receive your signed key as an e-mail attachment. Import the signatures:

gpg -d ${myFingerPrint}-signedBy-${ddSignersFingerprint}.asc | gpg --import

Afterwards you will have to send your updated key to the server:

gpg --send-key ${myFingerPrint}

Beyond Debian

For those interested in expanding the web of trust beyond Debian: http://www.cacert.org/

See also

