PgpKey

The Linux kernel developers have become more interested in creating a PGP-key-based web of trust, following the recent kernel.org systems compromise.

H. Peter Anvin wrote an informative email on the subject (copies are available on LWN and on lkml.org).

= Cheat sheet for creating a key, and signing other keys with it =

More detailed instructions can be found at:

http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#prep

== Before the key signing event ==

Generate a key:

$ gpg --gen-key

Here is a sample key generation dialogue:

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Sun Feb  5 20:25:38 2017 PST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: John Doe
Email address: jdoe@example.com
Comment:
You selected this USER-ID:
    "John Doe <jdoe@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

Enter passphrase:
Repeat passphrase:

 * You may be prompted to create some randomness. One way to do so is to use another shell to type: ls -lR >/dev/null

gpg: key 59E066B1 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:  36  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:  36  signed:  10  trust: 36-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2013-10-05
pub   4096R/59E066B1 2012-02-08 [expires: 2017-02-06]
      Key fingerprint = 33E6 B4F8 F7E8 4C1B 4214 EEB3 DDE4 4949 59E0 66B1
uid                  John Doe <jdoe@example.com>
sub   4096R/DE192E71 2012-02-08 [expires: 2017-02-06]

The key ID generated above is: 59E066B1

If you do not remember your key ID, list it:

$ gpg --list-secret-keys

sec   4096R/59E066B1 2012-02-08 [expires: 2017-02-06]
uid                  John Doe <jdoe@example.com>
ssb   4096R/DE192E71 2012-02-08

Put your key ID in a shell variable for use in the following commands (replace xxxxxxxx with your key ID):

$ export MY_KEY="xxxxxxxx"

Send your (self-signed) key to a keyserver, so others can download and sign it:

$ gpg --keyserver pgp.mit.edu --send-key ${MY_KEY}

Print the fingerprint of your key. Write it down to share with anyone you want to sign your key, and bring it to the key signing event. If you write it on the back of your badge, others can take a picture of it or copy it by hand. Alternatively, print many copies of the fingerprint to hand out to others.

$ gpg --fingerprint ${MY_KEY}

Here is a sample fingerprint:

$ gpg --fingerprint 59E066B1
pub   4096R/59E066B1 2012-02-08 [expires: 2017-02-06]
      Key fingerprint = 33E6 B4F8 F7E8 4C1B 4214 EEB3 DDE4 4949 59E0 66B1
uid                  John Doe <jdoe@example.com>
sub   4096R/DE192E71 2012-02-08 [expires: 2017-02-06]

== At the key signing event ==

 * Collect the key fingerprint for each key you want to sign.
 * Verify with the key owner that the fingerprint is correct.
 * Verify the identity of the key owner. For example, check a difficult-to-forge photo ID, or rely on an extensive history of personal contact with that person.

== At your convenience, sign the keys ==

Create a space-separated list of key IDs:

$ export KEY_LIST="the keys I want to sign"

For example, the keys for Frank Rowand and Tim Bird are:

$ export KEY_LIST="0CB2D395 793815d2"

Download the keys from the server:

$ gpg --keyserver pgp.mit.edu --recv-keys ${KEY_LIST}

Manually verify that the fingerprints from this command match the fingerprints that you collected for the keys:

$ gpg --fingerprint ${KEY_LIST}

Sign the keys (you will be prompted for your passphrase):

$ for k in ${KEY_LIST} ; do gpg --default-key ${MY_KEY} --sign-key ${k} ; done

Send the signed keys to the server:

$ gpg --keyserver pgp.mit.edu --send-key ${KEY_LIST}
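The fingerprint comparison in the sign-the-keys procedure above is the step that actually prevents signing a look-alike key pulled from the keyserver, so it is worth scripting rather than eyeballing. The following is an added example, not part of the original cheat sheet: it reads a constructed file of "KEYID FINGERPRINT" lines written down at the event, fetches each key, compares the fingerprint gpg reports with the recorded one, and only signs on an exact match. MY_KEY and KEY_LIST are the variables set above; the file name and the sample gpg output are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): sign a key only when the
# fingerprint gpg reports equals the one collected in person at the event.
# Assumes a constructed file of "KEYID FINGERPRINT" lines, one per key.

# Canonical form of a fingerprint: no whitespace, upper case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Take `gpg --fingerprint` output (as a string), return the first
# "Key fingerprint = ..." value in canonical form, or nothing if absent.
fpr_from_gpg_output() {
    printf '%s\n' "$1" | sed -n 's/^ *Key fingerprint = //p' | head -n 1 | tr -d ' '
}

# Succeeds only when the expected fingerprint equals the one gpg printed.
check_fingerprint() {
    expected=$(normalize_fpr "$1")
    actual=$(fpr_from_gpg_output "$2")
    [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

# For each key ID: look up the fingerprint recorded at the event, fetch the key,
# compare, and sign only on a match. Returns non-zero if any key was not signed.
sign_verified_keys() {
    fprs_file=$1; shift
    status=0
    for k in "$@"; do
        expected=$(awk -v id="$k" 'toupper($1)==toupper(id) { $1=""; print }' "$fprs_file")
        if [ -z "$expected" ]; then
            echo "$k: no fingerprint collected at the event, not signing" >&2
            status=1; continue
        fi
        gpg --keyserver pgp.mit.edu --recv-keys "$k" >/dev/null 2>&1
        if check_fingerprint "$expected" "$(gpg --fingerprint "$k" 2>/dev/null)"; then
            gpg --default-key "$MY_KEY" --sign-key "$k" && echo "$k: signed"
        else
            echo "$k: FINGERPRINT MISMATCH, not signing" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample of `gpg --fingerprint` output for the page's example key.
SAMPLE_OUTPUT='pub   4096R/59E066B1 2012-02-08 [expires: 2017-02-06]
      Key fingerprint = 33E6 B4F8 F7E8 4C1B 4214 EEB3 DDE4 4949 59E0 66B1
uid                  John Doe <jdoe@example.com>'
check_fingerprint "33E6 B4F8 F7E8 4C1B 4214 EEB3 DDE4 4949 59E0 66B1" "$SAMPLE_OUTPUT" \
    && echo "sample fingerprint matches"
```

Run it as `sign_verified_keys fingerprints.txt ${KEY_LIST}` after sourcing the file; a key whose fingerprint is missing from the file or differs from what gpg reports is left unsigned and reported on stderr.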