
PGP key web of trust

The Linux kernel developers have become more interested in creating a PGP-key-based web of trust, following the recent systems compromise.

H. Peter Anvin wrote an informative email on the subject. copy on lwn copy on

Cheat sheet for creating a key, and signing other keys with it.

More detailed instructions can be found at:

Before the key signing event

Generate a key:

$ gpg --gen-key

Here is a sample key generation dialogue:

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Sun Feb  5 20:25:38 2017 PST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <>"

Real name: John Doe
Email address:
You selected this USER-ID:
    "John Doe <>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

Enter Passphrase:
Repeat passphrase:

# You may be prompted to create some randomness.  One way to do so is to
# use another shell to type: ls -lR >/dev/null

gpg: key 59E066B1 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:  36  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:  36  signed:  10  trust: 36-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2013-10-05
pub   4096R/59E066B1 2012-02-08 [expires: 2017-02-06]
      Key fingerprint = 33E6 B4F8 F7E8 4C1B 4214  EEB3 DDE4 4949 59E0 66B1
uid                  John Doe <>
sub   4096R/DE192E71 2012-02-08 [expires: 2017-02-06]

The key generated above is: 59E066B1

If you do not remember your key ID, list it:

$ gpg --list-secret-keys

sec   4096R/59E066B1 2012-02-08 [expires: 2017-02-06]
uid                  John Doe <>
ssb   4096R/DE192E71 2012-02-08

Put your key ID in a shell variable for use in the following commands (replace xxxxxxxx with your key ID):

$ export MY_KEY="xxxxxxxx"

Send your signed key upstream, so others can download and sign it:

$ gpg --keyserver --send-key ${MY_KEY}

Print the fingerprint for your key. Write this down to share with anyone you want to sign your key. Bring this to the key signing event. If you write this on the back of your badge, others can take a picture of it or copy it by hand. Or you may wish to print many copies of the fingerprint to give to others.

$ gpg --fingerprint ${MY_KEY}

Here is a sample fingerprint:

$ gpg --fingerprint 59E066B1
pub   4096R/59E066B1 2012-02-08 [expires: 2017-02-06]
      Key fingerprint = 33E6 B4F8 F7E8 4C1B 4214  EEB3 DDE4 4949 59E0 66B1
uid                  John Doe <>
sub   4096R/DE192E71 2012-02-08 [expires: 2017-02-06]

At the key signing event

  • Collect the key fingerprint for each key you want to sign.
  • Verify with the key owner that the fingerprint is correct.
  • Verify the identity of the key owner. For example, check a difficult-to-forge photo ID. Or you may choose to rely on an extensive history of personal contact.

At your convenience, sign the keys

Create a space-separated list of key IDs:

$ export KEY_LIST="the keys I want to sign"

For example, the keys for Frank Rowand and Tim Bird are:

$ export KEY_LIST="0CB2D395 793815d2"

Download the keys from the server:

$ gpg --keyserver --recv-keys ${KEY_LIST}

Manually verify that the fingerprints from this command match the fingerprints that you collected for the keys:

$ gpg --fingerprint ${KEY_LIST}

Sign the keys (you will be prompted for your passphrase):

$ for k in ${KEY_LIST} ; do gpg --default-key ${MY_KEY} --sign-key ${k} ; done

Send the signed keys to the server:

$ gpg --keyserver --send-key ${KEY_LIST}
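The "manually verify that the fingerprints match" step above is the one that protects the web of trust: a key fetched from a keyserver under a given short key ID is only worth signing if its full 40-hex-digit fingerprint is the one the owner gave you in person. The script below is an added example, not part of the original wiki page: it parses the `gpg --fingerprint` output format shown on this page, normalizes fingerprints so that case and spacing written on a badge do not matter, compares them against the collected list, and only runs the page's signing loop when every key checks out. The `gpg --fingerprint` text and the "Alice Example" / "Bob Example" key IDs and fingerprints are constructed sample data; `MY_KEY` is assumed to be set as described above.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify keyserver fingerprints
# against the fingerprints collected at the key signing event, and sign
# only the keys that match.

# Normalize a fingerprint: drop whitespace and uppercase the hex digits,
# so "33e6 b4f8 ..." copied by hand compares equal to gpg's output.
normalize_fp() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Read `gpg --fingerprint` text on stdin and print "KEYID FINGERPRINT" per key.
# Assumes the layout shown on this page: a "pub   4096R/KEYID ..." line
# followed by a "Key fingerprint = ..." line.
parse_fingerprints() {
    awk '
        /^pub / { split($2, a, "/"); keyid = a[2] }
        /Key fingerprint =/ {
            sub(/.*Key fingerprint = */, "")
            gsub(/ /, "")
            print keyid, toupper($0)
        }
    '
}

# verify_fingerprints GPG_OUTPUT EXPECTED
#   GPG_OUTPUT: text as printed by `gpg --fingerprint ${KEY_LIST}`
#   EXPECTED:   lines of "KEYID FINGERPRINT" as collected in person
# Prints OK / MISMATCH / MISSING per key; returns 0 only if all keys match.
verify_fingerprints() {
    gpg_output=$1
    expected=$2
    parsed=$(printf '%s\n' "$gpg_output" | parse_fingerprints)
    status=0
    while read -r keyid want; do
        [ -n "$keyid" ] || continue
        keyid=$(printf '%s' "$keyid" | tr 'a-f' 'A-F')
        want=$(normalize_fp "$want")
        got=$(printf '%s\n' "$parsed" | awk -v id="$keyid" '$1 == id { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING  $keyid (not in gpg output)"
            status=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $keyid (server: $got, collected: $want)"
            status=1
        else
            echo "OK       $keyid"
        fi
    done <<EOF
$expected
EOF
    return $status
}

# sign_verified_keys GPG_OUTPUT EXPECTED MY_KEY
# Runs the page's signing loop only when every fingerprint checks out, so a
# key the server returned with an unexpected fingerprint is never signed.
sign_verified_keys() {
    if ! verify_fingerprints "$1" "$2"; then
        echo "fingerprint check failed; signing nothing" >&2
        return 1
    fi
    printf '%s\n' "$2" | while read -r keyid _; do
        if [ -n "$keyid" ]; then
            gpg --default-key "$3" --sign-key "$keyid"
        fi
    done
}

# Constructed sample of `gpg --fingerprint` output (two made-up keys).
SAMPLE_GPG_OUTPUT='pub   4096R/0A1B2C3D 2012-02-08 [expires: 2017-02-06]
      Key fingerprint = 1111 2222 3333 4444 5555  6666 7777 8888 0A1B 2C3D
uid                  Alice Example <alice@example.invalid>
sub   4096R/4E5F6071 2012-02-08 [expires: 2017-02-06]

pub   4096R/CAFEF00D 2012-02-08 [expires: 2017-02-06]
      Key fingerprint = AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 CAFE F00D
uid                  Bob Example <bob@example.invalid>
sub   4096R/DEADBEEF 2012-02-08 [expires: 2017-02-06]'

# Constructed "collected at the event" lists; case and spacing vary on purpose.
COLLECTED_OK='0a1b2c3d 1111 2222 3333 4444 5555  6666 7777 8888 0a1b 2c3d
CAFEF00D AAAABBBBCCCCDDDDEEEEFFFF00001111CAFEF00D'
# Same, but one nibble of Bob's fingerprint differs.
COLLECTED_BAD='0A1B2C3D 1111 2222 3333 4444 5555  6666 7777 8888 0A1B 2C3D
CAFEF00D AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1112 CAFE F00D'

echo "== collected list matches server =="
verify_fingerprints "$SAMPLE_GPG_OUTPUT" "$COLLECTED_OK" || echo "(would not sign)"
echo "== one fingerprint differs =="
verify_fingerprints "$SAMPLE_GPG_OUTPUT" "$COLLECTED_BAD" || echo "(would not sign)"
```

In real use, replace the sample text with `gpg --fingerprint ${KEY_LIST}` output, put the fingerprints you collected into the expected list, and call `sign_verified_keys "$(gpg --fingerprint ${KEY_LIST})" "$collected" "${MY_KEY}"`. Comparing the full fingerprint rather than the 8-hex-digit key ID is the point: the short ID is only the tail of the fingerprint, which is why the page asks you to check the whole thing by hand.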