Differences between revisions 17 and 18
Revision 17 as of 2011-01-03 14:18:19
Size: 3826
Comment: + translation header and link to it translation
Revision 18 as of 2012-04-26 12:51:38
Size: 3978
Editor: EnricoRossi
Comment: added gpg-key2ps example to generate fingerprint printouts
Line 57: Line 57:
You can also use the gpg-key2ps which is part of the signing-party package to create these printouts as:
{{{
gpg-key2ps -p a4 1A2B3C4D > out.ps
}}}
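Review bot: the added sentence at line 57 does not say what `-p a4` selects or what to do with `out.ps`, so a reader who needs another paper size or does not know the file is PostScript output for printing has to go to the man page; one clause covering both would help. The wording "the gpg-key2ps which is part of the signing-party package" also reads awkwardly; consider "gpg-key2ps, which is part of the signing-party package,". The key ID `1A2B3C4D` matches the placeholder used elsewhere on the page, which is good.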



Introduction

The intent of this page is to explain how you can create and sign a GPG key.

Then, to get connected to the web of trust, go to the keysigning coordination page.

How to

Tutorials explaining how to use GnuPG:

If you want your GnuPG key signed by at least one (but ideally more than one) Debian Developer, follow the steps below.

Step 1: Create an RSA keypair

  gpg --gen-key

See also creating a keypair.

* Note that, due to weaknesses found in the SHA-1 hashing algorithm, Debian wants stronger RSA keys that are at least 4096 bits long and that prefer SHA-2.

Also see OpenPGP Best Practices and migration off of SHA-1 key.

Step 2: Make your public key public

gpg --keyserver subkeys.pgp.net --send-key 1A2B3C4D

Some public keyservers:

Step 3: Print your key

The printout of your fingerprint must contain the following information:

  • Your first name
  • Your last name
  • Your e-mail addresses (the ones you use with the key)
  • The encryption method and the ID of the key (e.g. 4096R/1A2B3C4D)
  • The fingerprint itself

You can use this command:

gpg -v --fingerprint 1A2B3C4D

Usually, you make several printouts on one sheet of paper. Each printout can, for example, be the size of a business card. You can also use gpg-key2ps, which is part of the signing-party package, to create these printouts:

gpg-key2ps -p a4 1A2B3C4D > out.ps

If you go to a key signing party, you will have to send this information beforehand, and they will then print a list for each participant.

Step 4: Hand out your key's fingerprint

The people who will sign your key will need to see some form of government-issued ID (passport or similar).

You have to give the printout to at least one Debian Developer.

Read the official Debian keysigning page.

A CAcert member will need to see two IDs.

Step 5: Get your key digitally signed

The Debian Developer will

  • retrieve your key from the server

    gpg --keyserver wwwkeys.eu.pgp.net --recv-keys 00AA11BB

  • verify that the information is correct (the fingerprint)

    gpg --fingerprint 00AA11BB

  • sign it.

    gpg --sign-key 00AA11BB

  • send it back to you (or send it directly to a server)

    gpg --armor --output 00AA11BB-signedBy-1A2B3C4D.asc --export 00AA11BB
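
The fingerprint verification in the list above can be scripted. The following is an added example, not part of the original page: it reads the output of `gpg --with-colons --fingerprint` on standard input, compares the primary key's fingerprint with the one typed from the paper printout, and also checks the RSA 4096-bit minimum from Step 1. The function names, return codes and the sample listing (a fake key) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): pre-signing check for Step 5.

# Remove spaces/colons and upper-case, so a printed "0123 4567 ..." compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'abcdef' 'ABCDEF'
}

# check_key PRINTED_FPR < output of: gpg --with-colons --fingerprint KEYID
# Returns 0 = safe to sign, 1 = fingerprint mismatch,
#         2 = not RSA >= 4096 bits, 3 = listing could not be parsed.
check_key() {
    awk -F: -v want="$(normalize_fpr "$1")" '
        # First "pub" record: field 3 = key length, field 4 = algorithm (1 = RSA).
        $1 == "pub" && !have_pub { bits = $3; algo = $4; have_pub = 1; next }
        # First "fpr" record after it is the primary key fingerprint (field 10);
        # later "fpr" records belong to subkeys and are ignored.
        $1 == "fpr" && have_pub && !have_fpr { fpr = toupper($10); have_fpr = 1 }
        END {
            if (!have_pub || !have_fpr)       exit 3
            if (fpr != want)                  exit 1
            if (algo != 1 || bits + 0 < 4096) exit 2
            exit 0
        }'
}

# Constructed sample listing (fake key); $1 = key length, $2 = algorithm number.
sample_listing() {
    cat <<EOF
pub:-:$1:$2:89ABCDEF00AA11BB:1335444698:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF00AA11BB:
uid:-::::1335444698::::Constructed Example <signee@example.org>:
sub:-:4096:1:FEDCBA9876543210:1335444698::::::e:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFEDCBA9876543210:
EOF
}

# Fingerprint as typed from the paper printout (constructed).
PRINTED='0123 4567 89AB CDEF 0123  4567 89AB CDEF 00AA 11BB'
if sample_listing 4096 1 | check_key "$PRINTED"; then
    echo "fingerprint matches and key is RSA >= 4096: OK to sign"
fi
```

With a real key, replace `sample_listing 4096 1` with `gpg --with-colons --fingerprint 00AA11BB` and pass the fingerprint from the printout you were handed in person.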

Step 6: Send your signed key to the server

Some time after having participated in a keysigning, you will perhaps receive your signed key as an e-mail attachment. Import the signatures:

gpg --import 1A2B3C4D-signedBy-00AA11BB.asc

Afterwards you will have to send your updated key to the server:

gpg --keyserver wwwkeys.eu.pgp.net --send-key 1A2B3C4D

Beyond Debian

Those interested in expanding the web of trust beyond Debian should visit:

See also