Package: www.debian.org Version: N/A; reported 2002-02-08 Severity: wishlist Tags: patch
Based on my experience signing and having my key signed recently I would like to suggest some extra text for the keysigning howto at http://www.debian.org/events/keysigning (and can I also ask that it linked from somewhere more prominent like the developers corner?) I'm pretty sure the information I added is accurate. Some of the WML may need editting though. -- Jaldhar H. Vyas <[EMAIL PROTECTED]> It's a girl! See the pictures - http://www.braincells.com/shailaja/ --- keysigning.wml.old Thu Feb 7 23:52:52 2002 +++ keysigning.wml Fri Feb 8 00:27:18 2002 @@ -23,6 +23,7 @@ <li>The key owner verifies that the fingerprint of the key about to be signed is indeed their own. + </ol> Most importantly, if the key owner is not actively participating in @@ -55,19 +56,57 @@ gpg --keyserver keyring.debian.org --recv-keys 0xDEADBEAF </pre> +<p>If the person whose key you want to sign is not in the Debian keyring, +replace keyring.debian.org with a public keyserver like pgpkeys.pgp.net (which +despitethe name also stores GnuPG keys.) + +<p>Note we can use the last eight hex digits of the key in this and other GnuPG +operations. The 0x in front is also optional. + <li> To sign the key, enter the edit menu with <pre> gpg --edit-key 0xDEADBEAF </pre> -<li> In GnuPG select all uids to sign with <code>uid n</code>. +<li> In GnuPG select all uids to sign with <code>uid n</code> where n is the +number of the uid shown in the menu. You can also press enter to sign all +the uids. <li> To sign a key, enter <code>sign</code>. You will then be shown the fingerprint of they key which you have to compare with the one you've got from the person you met. <li> Quit GnuPG with <code>quit</code> + +<li> To verify you have signed the key correctly, you can do: + +<pre> + gpg --list-sigs 0xDEADBEAF +</pre> + +You should see your own name and fingerprint (in short form) in the output. + +<li> Once you are satisfied everything went ok you can send the signed key +to its' recipient by doing: + +<pre> + gpg --export -a 0xDEADBEAF > someguys.key +</pre> + +<p>The <code>-a</code> option exports the key in ASCII format so it can be +emailed without possibility of corruption. + +<li> If someone signs your key in this manner, you can add it to the Debian +keyring by doing: + +<pre> + gpg --import mysigned.key + gpg --keyserver keyring.debian.org --send-keys <your key id> +</pre> + +<p>It may take a while for the keying maintainers to update your key so be +patient. You should also upload your updated key to the public keyservers. </ul>
