First PGP Key Signing Party
Friday was my first time attending a PGP key signing party. We held it in one of the buildings on campus, and I thought I would share some of the commands I used to handle all the certificates. I worked out a method for handling key signing parties while doing this one, and I think it is a fairly good one. It keeps specific users in your pubring.gpg, while the people from each key signing party live in their own keyring. Because those keyrings are declared in your gpg.conf file, they are included in all of your GPG operations, so it is as if the keys were in pubring.gpg. It also means that if you don't end up associating with anyone from the key signing party, you can just comment out the file and still have the keys for later use or for archival purposes.
I first wanted these to be in a specific keyring so I could tell who was at each key signing. To make sure the keys get added to that keyring you need to tell GPG not to use the default keyring and to use the specific one instead. Make sure you include your own key ID in the list of keys to pull from the keyserver, as it will be needed when PIUS runs against that keyring.
I added this to my ~/.gnupg/gpg.conf file so I can have all the keyrings included all the time.
# List of keyrings
# Key Signing Party, 2010-01-22
keyring keysign-20100122.gpg
touch ~/.gnupg/keysign-20100122.gpg
gpg --no-default-keyring --keyring keysign-20100122.gpg --recv-keys F6F08D6A ...
With your key and the keys of the other participants in the new keyring, download PIUS, a tool written by a friend and coworker, Phil Dibowitz. I prefer to install it in ~/bin since that is added to my path automatically.
After it is installed, run it against the keyring you created. The example below works with Gmail/Google Apps mail accounts.
KEYID="F6F08D6A"
USER="peter.manis@gmail.com"
MAIL="-P 587 -H smtp.gmail.com"
pius -s $KEYID -u $USER $MAIL -A -r keysign-20100122.gpg
We had to add our own key to the keysign-20100122.gpg keyring so PIUS would use it to sign keys, but we don't really need it in that keyring anymore. The problem with removing it is that GPG insists the secret key be deleted first, so we need to work around this by pointing GPG at an empty secret keyring. Please BACK UP your files first so that if you make a mistake you don't delete your entire keyring.
touch ~/.gnupg/empty.gpg
# --keyring names the party keyring explicitly instead of relying on the gpg.conf entry;
# --secret-keyring points GPG at an empty secret keyring so it sees no matching secret key
# (honoured by GnuPG 1.4 and 2.0; GnuPG 2.1 and later ignore --secret-keyring)
gpg --no-default-keyring --keyring keysign-20100122.gpg --secret-keyring empty.gpg --delete-key F6F08D6A
My method for importing the keys was to copy the PGP message from each email and save it to a file with the extension '.gpg'. After that I was able to run the following for loop and import them all.
# decrypt each PIUS message with your own key and import the signed copy of your key it carries
for i in *.gpg; do gpg -d "$i" | gpg --import; done
Now you can send the key to the keyservers.
servers="x-hkp://pool.sks-keyservers.net pgp.mit.edu"
for server in $servers
do gpg --keyserver $server --send-key F6F08D6A
done
Over time you will need to refresh your keys, since the other people will have signatures added to their keys.
gpg --refresh-keys
If you need to refresh keys in keyrings you don't have in gpg.conf, you can run this:
gpg --no-default-keyring --refresh-keys --keyring keysign-20100122.gpg
UPDATE: I would recommend setting variables before starting, holding the details that are used multiple times, and substituting them into the commands above.
KEYID='F6F08D6A'
KEYRING="keysign-20100122.gpg"
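Putting those variables to use, here is an added example script (my own, not from the post and not part of PIUS) that runs the party procedure end to end and, before PIUS is invoked, checks that every fingerprint on the party's printed key list is actually present in the party keyring, so signing does not go ahead when the two disagree. Assumptions not in the post: the key list is saved as keysign-20100122.txt with one fingerprint per line, MAIL_USER stands in for the post's USER so the shell's own $USER is not overwritten, and the check parses `gpg --with-colons` output, whose fpr records carry the fingerprint in field 10. The demo() function exercises the check offline on a constructed listing.

```shell
#!/bin/sh
# Added example, not part of the original post: the party workflow driven by
# the variables from the UPDATE, plus a check that every fingerprint on the
# party's printed key list is really in the party keyring before PIUS runs.
# Assumed (not from the post): the key list lives in keysign-20100122.txt,
# one fingerprint per line; MAIL_USER replaces the post's USER variable.
KEYID="F6F08D6A"
KEYRING="keysign-20100122.gpg"
KEYLIST="keysign-20100122.txt"
MAIL_USER="peter.manis@gmail.com"

# Uppercase a fingerprint and drop the spaces printed on key lists.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'; }

# Pull fingerprints out of `gpg --with-colons` output read from stdin:
# field 1 is the record type, field 10 of an "fpr" record is the fingerprint.
fprs_from_colons() { awk -F: '$1 == "fpr" { print $10 }'; }

# $1 = expected fingerprints, one per line ('#' lines and blanks ignored);
# stdin = colon-format listing of the keyring. Prints OK/MISSING per entry
# and returns 1 if anything on the list is absent from the keyring.
check_keyring() {
  actual=$(fprs_from_colons)
  rc=0
  while read -r line; do
    case "$line" in ''|\#*) continue ;; esac
    f=$(norm_fpr "$line")
    if printf '%s\n' "$actual" | grep -qx "$f"; then
      echo "OK      $f"
    else
      echo "MISSING $f"
      rc=1
    fi
  done <<EOF
$1
EOF
  return $rc
}

# Constructed colon-format listing of two made-up keys, used by demo() only.
SAMPLE_COLONS='pub:-:2048:1:0000000000000001:2009-01-01:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF12345678:
uid:-::::2009-01-01::0000000000000000000000000000000000000000::Alice Example <alice@example.org>:
pub:-:2048:1:0000000000000002:2009-06-01:::-:::scESC:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# Offline demo: the first two list entries are in the ring, the third is not,
# so demo() prints two OK lines, one MISSING line, and returns 1.
demo() {
  printf '%s\n' "$SAMPLE_COLONS" | check_keyring '0123 4567 89AB CDEF 0123 4567 89AB CDEF 1234 5678
# a comment line as it might appear on the printed list
89abcdef0123456789abcdef0123456789abcdef
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF'
}

# The live procedure from the post, with gpg and pius actually invoked.
party_sign() {
  touch "$HOME/.gnupg/$KEYRING"
  # Fetch your own key plus every listed fingerprint into the party keyring.
  gpg --no-default-keyring --keyring "$KEYRING" --recv-keys "$KEYID" \
      $(grep -v '^#' "$KEYLIST" | tr -d ' ')
  # Refuse to sign if the keyring does not hold what the list says it should.
  gpg --no-default-keyring --keyring "$KEYRING" --with-colons --fingerprint --list-keys \
      | check_keyring "$(cat "$KEYLIST")" || return 1
  pius -s "$KEYID" -u "$MAIL_USER" -P 587 -H smtp.gmail.com -A -r "$KEYRING"
}

if [ "${1:-}" = "--run" ]; then
  party_sign
fi
```

Run the script with --run to perform the live steps; without an argument it only defines the functions, so demo can be tried on its own. Parsing the colon format rather than the human-readable listing is deliberate: GnuPG documents it as the stable machine-readable interface, so the check does not break when the pretty output changes.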
