[Chat] Key signing notes

Daniel Sobey dns at dns.id.au
Mon Jan 23 15:56:49 AEDT 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello Everyone,

Sorry for not getting this email out earlier.
Below are some notes for what to do after attending a key signing.

At the event we did two things:
Verified that the claims each person made match the details on their key.
Verified that the gpg fingerprint belongs to that person.

Please check the identity carefully: if someone has included a middle name,
or claims to be from the USA, check that they have a passport from that
country and that it agrees with the details on the key.

You sign a uid in the key, not the key itself.
A uid is the person's name, comment and email address string.
A gpg key can also carry an image uid, so look at it and see whether it
matches your expectation.
Key owners can add and remove uids at any time, so there is the potential
to claim to be someone else. If you remove a uid, any signatures on that
uid are gone with it. If you add a new uid there will be no signatures on
it and you will need to ask people to sign it again.

If you are planning to change email address or move to a new gpg key, you
may be able to email people and ask them to sign your new identities. If
you receive such a request, verify that the email really did come from that
person: hopefully they have signed the message with their previous key so
you can check that it really came from them.


SIGNING KEYS:
=============

Simple method:
- --------------
Download the key list from https://keysigning.xyz/?keylist=1
Import it: gpg --import keylist
Verify that the fingerprint matches the print-out: gpg --fingerprint 4111E1E2
Sign the key: gpg --sign-key 4111E1E2
If you have multiple keys you should sign with each of them, choosing the
signing key explicitly: gpg --local-user FA9EC035 --sign-key 4111E1E2
Export their key (this now contains your new signature): gpg -a --export
4111E1E2 > 4111E1E2
(optional) Encrypt this exported file with their gpg key. If they are able
to decrypt it they must hold the secret key.
(optional) Send this key to the key server: gpg --send-keys 4111E1E2
Some people do not want their gpg key on a key server, so it is a good
idea to ask them before doing this.

Loading signatures:
- -------------------
Decrypt the message to a temporary file: gpg --decrypt file > newfile
View the decrypted message.
Import any signatures found in the message: gpg --import newfile
(optional) Send your key to a key server: gpg --send-keys FA9EC035
(optional) Refresh keys from the server: gpg --refresh-keys
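The two procedures above (signing a key from the key list, then the owner loading the returned signature) as one rehearsal script. This is an added example, not part of the original email: it runs everything in two throwaway GNUPGHOME directories so you can practise the exact commands before touching real keys. "alice" (the signer) and "bob" (the key owner) are constructed identities, the key list is stood in for by Bob's exported key, and the "print-out" is the fingerprint Bob confirmed in person. It needs GnuPG 2.1 or later for the --quick-* commands, which are the non-interactive equivalents of --sign-key.

```shell
#!/bin/sh
# Added example, not from the original email: a dry run of the "simple
# method" and "loading signatures" steps in throwaway keyrings.
# Needs GnuPG 2.1+. Identities, key list and print-out are constructed.
set -eu

# gpg with no prompts; the demo keys are deliberately created without a passphrase.
gpgb() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Fingerprint of the primary secret key in a keyring, from machine-readable output.
fpr_of() {
    gpg --homedir "$1" --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

keysign_demo() {
    work=$(mktemp -d)
    alice="$work/alice"; bob="$work/bob"
    mkdir -m 700 "$alice" "$bob"

    # Two throwaway keys: a signing primary plus an encryption subkey each.
    for h in "$alice" "$bob"; do
        n=$(basename "$h")
        gpgb --homedir "$h" --quick-gen-key "$n <$n@example.invalid>" ed25519 sign never
        gpgb --homedir "$h" --quick-add-key "$(fpr_of "$h")" cv25519 encr never
    done
    alice_fpr=$(fpr_of "$alice"); bob_fpr=$(fpr_of "$bob")

    # Stand-in for the list downloaded from keysigning.xyz: Bob's public key.
    gpg --homedir "$bob" --armor --export "$bob_fpr" > "$work/keylist"
    gpgb --homedir "$alice" --import "$work/keylist"

    # Stand-in for the printed sheet: the fingerprint Bob confirmed in person.
    printout="$bob_fpr"

    # The check that matters: the imported key's fingerprint must equal the
    # print-out character for character; otherwise do not sign.
    imported=$(gpg --homedir "$alice" --with-colons --fingerprint "$bob_fpr" \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$imported" = "$printout" ] || { echo "fingerprint mismatch, not signing" >&2; return 1; }

    # Sign Bob's uid with Alice's key; --local-user picks which of your keys signs.
    gpgb --homedir "$alice" --local-user "$alice_fpr" --quick-sign-key "$bob_fpr"

    # Export the key carrying the new signature and encrypt it to Bob, so only
    # the holder of Bob's secret key can read and import it.
    gpg --homedir "$alice" --armor --export "$bob_fpr" > "$work/$bob_fpr.asc"
    gpgb --homedir "$alice" --trust-model always --armor --recipient "$bob_fpr" \
        --output "$work/$bob_fpr.asc.gpg" --encrypt "$work/$bob_fpr.asc"

    # Bob's side: decrypt to a temporary file, then import the signatures.
    gpgb --homedir "$bob" --output "$work/newfile" --decrypt "$work/$bob_fpr.asc.gpg"
    gpgb --homedir "$bob" --import "$work/newfile"

    # Count Alice's certifications on Bob's key: "sig" records carry the
    # signer's long key ID (last 16 hex digits of the fingerprint) in field 5.
    alice_keyid=$(printf '%s' "$alice_fpr" | tail -c 16)
    n=$(gpg --homedir "$bob" --with-colons --list-sigs "$bob_fpr" \
        | awk -F: -v k="$alice_keyid" 'BEGIN { n = 0 } $1 == "sig" && $5 == k { n++ } END { print n }')

    # Stop the agents started for the temporary homedirs and clean up.
    for h in "$alice" "$bob"; do gpgconf --homedir "$h" --kill gpg-agent || true; done
    rm -rf "$work"
    [ "$n" -ge 1 ]
}

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to demonstrate" >&2; exit 0; }
keysign_demo && echo "Alice's signature now sits on Bob's uid"
```

In the real flow Bob would also import Alice's public key so that gpg --check-sigs can verify the new certification rather than just list it, and the encrypt-to-owner step is what turns "they said this fingerprint is theirs" into "they can decrypt with the matching secret key".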



CAFF:
- -----
This stands for CA - Fire and Forget and is in the signing-party package.
See https://wiki.debian.org/caff for notes.
For a GUI tool, see https://github.com/frasertweedale/gcaff developed by
Fraser Tweedale.

These tools need a working sendmail command to send the signed keys out.
I use SSMTP to send to gmail as it is easy to set up.
You should log in to Gmail and create an app-specific password for this.
See the page below for an example configuration file:
https://wiki.archlinux.org/index.php/SSMTP
You can then use the 'sendmail' command provided by the ssmtp package to
send email.
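An ssmtp.conf for the Gmail setup described above, added here as an example and not part of the original email or the linked wiki page; the address and password are placeholders, and the relay port and STARTTLS setting are what Gmail's submission service expects. The file holds the app-specific password in clear text, so keep it root-owned and not world-readable.

```ini
# /etc/ssmtp/ssmtp.conf (added example; placeholder values)
root=you@gmail.com
mailhub=smtp.gmail.com:587
AuthUser=you@gmail.com
AuthPass=your-app-specific-password
UseSTARTTLS=YES
FromLineOverride=YES
```

Use an app-specific password here, never the account password, and revoke it from the Gmail settings once the key signing mail is done.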

Run caff to generate a configuration file.
Edit the configuration file and change the following:
$CONFIG{'owner'} = 'Daniel Sobey';
$CONFIG{'email'} = 'dns at dns.id.au';
$CONFIG{'keyid'} = [ qw{82D4793D50871827ADA3069C69EB32C8E31A9CB2
28F82EA326A37748EC41CD2800D408C4FA9EC035 } ];

Uncomment the message template and change it if you wish.

Download the key list from https://keysigning.xyz/?keylist=1 so you do not
need to fetch this every time.

You should now be able to sign a key:
caff --key-file linux.conf.au.2017.txt -R 4111E1E2

You can use the full gpg fingerprint or the 8-digit short key ID. Short
key IDs are not unique, so if you use one, caff will show the full
fingerprint when you sign the key: verify that fingerprint against the
print-out before continuing.
Enter the passphrase for your key.
You will be in a gpg prompt; type save.
It will then ask whether you would like to send the email.

This message is clearsigned by me (ASCII armor) and can be verified as
coming from my gpg key.
Copy the message, from the starting dashes to the end of the PGP
signature, into a file.
Run gpg --verify email.txt and it should confirm that it came from me.

Regards,

Daniel
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----