Differences between revisions 39 and 40
Revision 39 as of 2016-10-16 01:32:21
Size: 4854
Editor: ?KunalMehta
Comment: actually encrypt the key before sending it to the key owner
Revision 40 as of 2016-10-16 05:52:15
Size: 4974
Editor: RogerShimizu
Comment: avoid using short keyid as example
Line 38: Line 38:
gpg --send-key 1A2B3C4D gpg --send-key 1A2B3C4D5E6F7G8H
Line 54: Line 54:
 * The encryption method and the ID of the key (e.g. 4096R/1A2B3C4D)  * The encryption method and the ID of the key (e.g. 4096R/1A2B3C4D5E6F7G8H)
Line 59: Line 59:
gpg -v --fingerprint 1A2B3C4D gpg -v --fingerprint 1A2B3C4D5E6F7G8H
Line 66: Line 66:
gpg-key2ps -p a4 1A2B3C4D > out.ps gpg-key2ps -p a4 1A2B3C4D5E6F7G8H > out.ps
Line 70: Line 70:
gpg-key2ps -1 -p a4 1A2B3C4D > out.ps gpg-key2ps -1 -p a4 1A2B3C4D5E6F7G8H > out.ps
Line 94: Line 94:
gpg --recv-keys 00AA11BB gpg --recv-keys 00AA11BB22CC33DD
Line 98: Line 98:
gpg --fingerprint 00AA11BB gpg --fingerprint 00AA11BB22CC33DD
Line 102: Line 102:
gpg --sign-key 00AA11BB gpg --sign-key 00AA11BB22CC33DD
Line 107: Line 107:
gpg --armor --export 00AA11BB | gpg --encrypt -r 00AA11BB --armor --output 00AA11BB-signedBy-1A2B3C4D.asc gpg --armor --export 00AA11BB22CC33DD | gpg --encrypt -r 00AA11BB22CC33DD --armor --output 00AA11BB22CC33DD-signedBy-1A2B3C4D5E6F7G8H.asc
Line 113: Line 113:
gpg --import 1A2B3C4D-signedBy-00AA11BB.asc gpg --import 1A2B3C4D5E6F7G8H-signedBy-00AA11BB22CC33DD.asc
Line 118: Line 118:
gpg --send-key 1A2B3C4D gpg --send-key 1A2B3C4D5E6F7G8H
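Review bot: the new example IDs introduced in every hunk (1A2B3C4D5E6F7G8H, and the 00AA11BB22CC33DD counterpart) contain the letters G and H, which are not hexadecimal digits, so no OpenPGP key ID or fingerprint can ever look like this and gpg will not accept them as key specifiers; a reader who copies the example gets an error rather than a demonstration. Use a hex-only placeholder (digits 0-9 and letters A-F only), and in the hunks at Line 59 and Line 98 (`gpg -v --fingerprint ...`, `gpg --fingerprint ...`) and Line 102 (`gpg --sign-key ...`) consider showing the full 40-digit fingerprint as the argument: the revision's own motivation is that short key IDs are unsafe to use as identifiers, and a 64-bit long key ID still does not uniquely identify a key, whereas the fingerprint does.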



Introduction

The intent of this page is to explain how you can create and sign a GPG key.

Then, to get connected to the web of trust, go to the keysigning coordination page.

How to

Tutorials explaining how to use GnuPG:

If you want your GnuPG key signed by at least one (but ideally more than one) Debian Developer, follow the steps below.

Step 1: Create an RSA keypair

gpg --gen-key

See also creating a keypair.

/!\ Note that Debian wants RSA keys of at least 4096 bits, and, because of the weaknesses found in the SHA-1 hash algorithm, keys whose preferences put SHA-2 hashes (SHA-256 or stronger) ahead of SHA-1. Key size and hash preference are separate settings; check both.

Also see OpenPGP Best Practices, the documentation about subkeys, and the guide to migrating a key off SHA-1.

Step 2: Generate a revocation certificate

Also generate a revocation certificate, including for a key you already had before following these steps. Keep it somewhere safe and preferably offline: anyone who obtains the certificate can revoke your key by uploading it to a keyserver.

gpg --gen-revoke [KEY_ID] > ~/.gnupg/revocation-[KEY_ID].crt

Step 3: Make your public key public

gpg --send-key 1A2B3C4D5E6F7G8H

Some public keyservers:

Step 4: Print your key

The printout of your fingerprint must contain the following information:

  • Your first name
  • Your last name
  • Your e-mail addresses (the ones you use with the key)
  • The key algorithm and size, and the key ID (e.g. 4096R/1A2B3C4D5E6F7G8H)
  • The fingerprint itself

You can get this information with:

gpg -v --fingerprint 1A2B3C4D5E6F7G8H

Usually you make several printouts on one sheet of paper, for example business-card-sized slips. You can also create these printouts with gpg-key2ps, which is part of the signing-party package:

gpg-key2ps -p a4 1A2B3C4D5E6F7G8H > out.ps

Alternatively, print a single column to avoid layout problems with very wide key lines:

gpg-key2ps -1 -p a4 1A2B3C4D5E6F7G8H > out.ps

If you go to a key signing party, you will have to send this information beforehand, and they will then print a list for each participant.

TIP: to view the out.ps file, you can use evince, okular, ghostscript or another PostScript viewer.

TIP2: some websites can also generate a PDF of your GPG fingerprint slips, for example http://openpgp.quelltextlich.at/slip.html or http://keysheet.net

Step 5: Hand out your key's fingerprint

The people who will sign your key will need to see some form of government-issued ID (a passport or similar).

You have to give the printout to at least one Debian Developer.

Read the official Debian keysigning page.

A CAcert member will need to see two IDs.

Step 6: Get your key digitally signed

The Debian Developer will

  • retrieve your key from the server

gpg --recv-keys 00AA11BB22CC33DD
  • verify that the information is correct: the fingerprint gpg prints must match the one on the printout received in person, digit for digit (a matching key ID alone is not enough)

gpg --fingerprint 00AA11BB22CC33DD
  • sign it.

gpg --sign-key 00AA11BB22CC33DD
  • send it back to the key owner as an encrypted e-mail (or send it directly to a server). Sending it encrypted is preferred: only the holder of the private key can decrypt it, so the signature is of no use to anyone else, and if you mail it to the address in the user ID you also confirm that address is the owner's. caff, also in the signing-party package, automates this and mails each user ID's signature separately.

gpg --armor --export 00AA11BB22CC33DD | gpg --encrypt -r 00AA11BB22CC33DD --armor --output 00AA11BB22CC33DD-signedBy-1A2B3C4D5E6F7G8H.asc

Step 7: Send your signed key to the server

Some time after the keysigning you may receive your signed key as an e-mail attachment. Import the signatures:

gpg --import 1A2B3C4D5E6F7G8H-signedBy-00AA11BB22CC33DD.asc

Afterwards you will have to send your updated key to the server:

gpg --send-key 1A2B3C4D5E6F7G8H
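
The signer's side of Step 6, scripted, as an added example that is not part of this wiki page: it checks that the fingerprint read from a Step 4 printout is well formed, fetches the key by its long key ID as the page does, refuses to sign unless one of the fetched keys has exactly that 40-digit fingerprint, and then signs and exports by fingerprint rather than by key ID. The function names and `_`-prefixed variables are this example's own; the checks need only POSIX sh with tr, sed and awk, and gpg is used only by sign_and_export (its --with-colons output puts the fingerprint in field 10 of "fpr" records).

```shell
#!/bin/sh
# Added example for the signer's side of Step 6 (not code from the Debian wiki page).
# Only tr, sed and awk are needed for the checks; gpg is needed only by sign_and_export().

# Normalise a fingerprint as read from a paper slip or from gpg output: drop a
# "Key fingerprint =" prefix and all whitespace, and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "${1##*=}" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Accept only a well-formed long key ID (16 hex digits) or v4 fingerprint (40 hex
# digits). Short 8-digit IDs and non-hex placeholders such as 1A2B3C4D5E6F7G8H fail.
is_hex_id() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ] || [ "${#1}" -eq 40 ]
}

# True only if both strings are the same full 40-digit fingerprint. Comparing
# key IDs is not enough: a key with a chosen key ID can be generated on purpose.
fpr_matches() {
    _a=$(normalize_fpr "$1")
    _b=$(normalize_fpr "$2")
    [ "${#_a}" -eq 40 ] && [ "$_a" = "$_b" ]
}

# The long key ID is the last 16 hex digits of the fingerprint.
keyid_from_fpr() {
    printf '%s\n' "$(normalize_fpr "$1")" | sed 's/.*\(.\{16\}\)$/\1/'
}

# Step 6 end to end: fetch by long key ID (as on the page), but sign and export by
# the full fingerprint from the slip, after checking that one of the fetched keys
# really has that fingerprint. Relies on gpg's --with-colons output, where "fpr"
# records carry the fingerprint in field 10.
# Usage: sign_and_export "<fingerprint from the slip>" <your own key ID>
sign_and_export() {
    _fpr=$(normalize_fpr "$1")
    _signer=$2
    if [ "${#_fpr}" -ne 40 ] || ! is_hex_id "$_fpr"; then
        echo "not a 40-digit hex fingerprint: $1" >&2
        return 1
    fi
    _kid=$(keyid_from_fpr "$_fpr")
    gpg --recv-keys "$_kid" || return 1
    _ok=0
    for _got in $(gpg --with-colons --fingerprint "$_kid" | awk -F: '$1 == "fpr" { print $10 }'); do
        fpr_matches "$_fpr" "$_got" && _ok=1
    done
    if [ "$_ok" -ne 1 ]; then
        echo "no fetched key has fingerprint $_fpr; not signing" >&2
        return 1
    fi
    gpg --sign-key "$_fpr" || return 1
    gpg --armor --export "$_fpr" \
        | gpg --encrypt -r "$_fpr" --armor --output "${_fpr}-signedBy-${_signer}.asc"
}

# Run the workflow only when the script is given the two arguments; when sourced
# or run without arguments, only the helper functions are defined.
if [ "$#" -eq 2 ]; then
    sign_and_export "$1" "$2"
fi
```

The key ID is used only to ask the keyserver; every decision (match, sign, encrypt) is made on the full fingerprint, so a second key uploaded with the same 64-bit ID cannot be signed by mistake.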

Beyond Debian

Those interested in expanding the web of trust beyond Debian should visit:

See also