So, you've just come back from the TriLUG meeting last night with a bunch of paper slips with people's key information on them and you're trying to figure out what to do. Here's a (hopefully) step-by-step procedure you can use to download, verify, sign, and send off a key that you have the information for. (Note this is from the perspective of gpg. Other programs will use similar concepts although the specifics will be different.)

1) Download keys

You may or may not have the keys you collected last night in your gpg keyring. If you don't, you can first try downloading the TriLUG PGP keyring (url is also at the bottom of this message). If you trust us O:-), you can use this command:

    lynx -source http://trilug.org/~chrish/trilug.asc | gpg --import

Alternatively, you can download that file and import it manually. To check if you have the key you want to sign, try this command:

    gpg --list-keys <email address>

If you see the person's key, great! If not, take a look at the key ID on the slip of paper you got. It will be 8 hexadecimal characters (or alternatively, the last 8 chars of the fingerprint, which is that really long mess of hex chars). Note that and do this:

    gpg --keyserver subkeys.pgp.net --recv-keys <key id>

If the key is on the keyserver, it will download it. If not, well, then e-mail the person asking for their key.

2) Verify the key matches the information you collected.

Take the information you collected at the meeting last night (you did verify that it was from the correct person, right?) and put it in front of you. Type the following command:

    gpg --fingerprint <key id or email address>

That should bring up a fingerprint of the key in question. Verify that the long mess of hexadecimal digits on the sheet you received from the person matches what your computer says. In addition, make sure the size and key type are the same too. If all of these match, congratulations, you have verified the key is correct. It's now time to sign this key. :-)

3) Sign key.

Make sure you have the key id and type this command:

    gpg --sign-key <key id>

Answer the questions there. One question in particular that comes up is: if the key has an expiration date, should I also expire my signature at that time? I generally don't because if the key is expired it's no good anyway, and if the signature expires and the key expiration is extended that person just has to get your signature again. Either way, though, it's your choice. Finish answering the questions and then type in your pass phrase (you did set an entire phrase as the pass phrase instead of just one word, right? ;-) Specify you want to save it and voila! You've signed the key.

4) Publish key.

If the person has asked you to send the key to a keyserver, you can do the following command:

    gpg --keyserver subkeys.pgp.net --send-keys <key id>

If you're not sure if they want the key on the key server, you shouldn't send it there. Instead, extract the key in ASCII format and send it back to them. This is the command to extract the key:

    gpg --export -a <key id> > <filename>.asc

Take that file and send it to the person in question and let them publish it as they see fit.

And that's it. You should now be able to sign anyone's key. Please note that if I've forgotten something or gotten something wrong, please feel free to correct me. :-)

Cheers,
Tanner
--
Tanner Lovelace | lovelace(at)wayfarer.org | http://wtl.wayfarer.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
Have we sent the "Don't shoot, we're pathetic" transmission yet?
Commander John Crichton (Farscape)
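
The comparison in step 2, done by script instead of by eye. This is an added example, not part of the original message: the function names are hypothetical and the sample listing is constructed (not a real key). It reads gpg's machine-readable `--with-colons` output and checks the slip's fingerprint, 8-digit key ID, and size/type against it.

```shell
#!/bin/sh
# Added example (not from the original post): compare a paper slip with gpg's view of a key.

# Upper-case and drop spaces/colons so differently formatted input compares cleanly.
normalize_hex() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint` output on stdin and print field 10 of
# the first "fpr" record, which is the primary key's fingerprint.
colons_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Same input; print "<bits> <algorithm number>" from the "pub" record (fields 3, 4).
colons_size_algo() {
    awk -F: '$1 == "pub" { print $3, $4; exit }'
}

# 0 only if the slip holds exactly 40 hex digits and they equal gpg's fingerprint.
fpr_matches() {
    slip=$(normalize_hex "$1"); have=$(normalize_hex "$2")
    case "$slip" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#slip}" -eq 40 ] && [ "$slip" = "$have" ]
}

# 0 only if the 8-digit key ID is the tail of the fingerprint.
keyid_matches_fpr() {
    id=$(normalize_hex "${1#0x}"); fpr=$(normalize_hex "$2")
    [ "${#id}" -eq 8 ] || return 1
    case "$fpr" in *"$id") return 0 ;; *) return 1 ;; esac
}

# Constructed sample listing (not a real key): 1024-bit, algorithm 17 (DSA).
SAMPLE='pub:-:1024:17:89ABCDEF01234567:1072915200:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1072915200::::Example Person <person@example.org>:'

# Real use: listing=$(gpg --with-colons --fingerprint <key id>)
check_slip() {   # args: slip fingerprint, slip key ID, slip "bits algo", listing
    listed=$(printf '%s\n' "$4" | colons_fpr)
    fpr_matches "$1" "$listed" || return 1
    keyid_matches_fpr "$2" "$listed" || return 1
    [ "$3" = "$(printf '%s\n' "$4" | colons_size_algo)" ]
}
```

A non-zero return from `check_slip` means something on the slip disagrees with the downloaded key, so the key should not be signed until the difference is explained.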
