PGP keysigning party instructions

Updated: Maybe you should not generate a key with the default settings. See Step 1 below.

The September 2010 meeting will feature a keysigning party.

Chris Frey (cdfrey at the domain foursquare dot net) is the KeyMaster for this party. As part of the process, you will e-mail him your key.

Here are his instructions for getting started, with some e-mail address obfuscation:

  1. Generate new key:


    gpg --gen-key

    (Accept the defaults, they are pretty good)

    Update: Denver Gingerich notes that one of the algorithms used in the defaults (SHA-1) has vulnerabilities. Although these vulnerabilities have not resulted in exploits yet, if you are generating a new key you may want to use less vulnerable settings. Denver suggests:

    • Generate an RSA key
    • Make it 4096 bits long
  2. Look at your shiny new key:


    gpg --list-keys

  3. Export it to a file:


    gpg --armor --output /tmp/my-public-key --export

    Replace ID with the first ID of your key. For example,
    my key looks like this in the --list-keys display:

    pub 1024D/DC6371D5 2006-12-02 [expires: 2011-12-01]
    uid Chris Frey (cube)
    sub 4096g/C2855553 2006-12-02 [expires: 2011-12-01]

    So my ID is DC6371D5.

  4. Email the file my-public-key to me. (i.e. to Chris)
  5. Show up on September 13, with your fingerprint printed out on a sheet of paper, and ready to read it out loud.


    gpg --fingerprint

    Example:


    gpg --fingerprint dc6371d5
    pub 1024D/DC6371D5 2006-12-02 [expires: 2011-12-01]
    Key fingerprint = 7D71 47F2 3F61 B0E1 5F3C 68A4 819A 39D8 DC63 71D5
    uid Chris Frey (cube)
    sub 4096g/C2855553 2006-12-02 [expires: 2011-12-01]

At the meeting you will have to read your fingerprint and have others vouch for your identity. Some people do this via government ID; other people think this is not sufficient.