PGP/GnuPG Keysigning
On Thursday November 6th, 2003, we held a PGP/GnuPG keysigning. If you missed the keysigning but would like your key signed, contact one or more of the people who did participate; most will be more than happy to sign your key.
Now that the keysigning has ended, we just wait until everyone
signs the keys and sends them back to the keyservers.
You can also see a graph of our
current web of trust. (also postscript)
For the keysigning you will need the following:
- A writing instrument (i.e., pen, pencil, crayon, etc.)
- A hardcopy of your key fingerprint.
- A hardcopy of the md5sum and sha1sum of the sassaman.txt file.
- Photo ID (driver's license, passport, student ID, etc.)
- To be there yourself. This cannot be delegated.
We will not be following the traditional keysigning format, opting for a more efficient method. The basics of this method follow.
Before you come to the keysigning:
- Download a copy of the sassaman.txt file.
- Verify that your fingerprint in the file matches your real fingerprint.
- Create an md5sum and a sha1sum of the file.
    gpg --print-md MD5 sassaman.txt
    gpg --print-md SHA1 sassaman.txt
- Write the checksums down on a piece of paper (the same one as your fingerprint)
During the keysigning:
- I will read the md5sum and sha1sum.
- You should verify that the checksums I read match those on your piece of paper.
- I will call on everybody in the room to verify that your fingerprint matches both the sassaman.txt file and the sheet of paper that will be handed out.
- As every person verifies his/her fingerprint, put a check in the box labeled 'Key Info' on your sheet.
- When you verify someone's photo ID, you put a check in the 'Owner ID' box on your sheet.
To get a copy of the sassaman.txt file, replace 'keysigning.php' in the URL for
this page with 'sassaman.txt' (this is done to protect your email addresses
from spam bots).
The checksums for the file should be:
MD5: 7F 9F 1F 3B F2 18 07 C1 27 64 38 16 6B 2D E2 33
SHA1: F974 B414 8E9A F529 9974 CAF8 BD9E A4E6 F9F2 0F90
After the keysigning:
- Download a copy of the keyring.
- Import the keyring into a fresh ring
    gpg --keyring slug.gpg --no-default-keyring --fast-import keyring.asc
- Output the fingerprints for these keys
    gpg --keyring slug.gpg --no-default-keyring --fingerprint > my-sassaman.txt
- Compare the output to the sassaman.txt file
    diff -u sassaman.txt my-sassaman.txt | less
- You can now sign any keys that did not show a conflict during the diff and have two check marks on your sheet.
- After you've signed a key, you should either send it to its owner, or upload it onto a keyserver.
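The comparison step above, narrowed to the fingerprints themselves so that spacing and label differences between gpg versions do not show up as conflicts. This is an added example, not part of the original instructions: the function names are hypothetical, the sample listings are constructed, and it assumes both files are `gpg --fingerprint` listings with 40-hex-digit (v4) fingerprints.

```shell
#!/bin/sh
# Added example: fingerprint-level comparison of two `gpg --fingerprint` listings.
# Assumes 40-hex-digit (v4) fingerprints; function names are hypothetical.

# Print each fingerprint in listing $1: upper-case, no spaces, sorted, unique.
extract_fprs() {
    # Accept fingerprint lines with or without the "Key fingerprint =" label.
    sed -n -E 's/^[[:space:]]*(Key fingerprint =)?[[:space:]]*(([0-9A-Fa-f]{4}[[:space:]]*){10})$/\2/p' "$1" |
        tr -d ' \t' | tr 'a-f' 'A-F' | LC_ALL=C sort -u
}

# compare_fprs MODE ANNOUNCED IMPORTED
#   MODE=match    -> fingerprints present in both listings
#   MODE=conflict -> fingerprints present in only one of the listings
compare_fprs() {
    tmp=$(mktemp -d) || return 2
    extract_fprs "$2" >"$tmp/announced"
    extract_fprs "$3" >"$tmp/imported"
    case $1 in
        match)    LC_ALL=C comm -12 "$tmp/announced" "$tmp/imported" ;;
        conflict) LC_ALL=C comm -3  "$tmp/announced" "$tmp/imported" | tr -d '\t' ;;
    esac
    rm -rf "$tmp"
}

# Constructed sample listings (not real keys): the second key differs in its last digit.
demo=$(mktemp -d)
cat >"$demo/sassaman.txt" <<'EOF'
pub  1024D/AAAA0001 2003-01-01 Alice Example <alice@example.org>
     Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF AAAA 0001
pub  1024D/BBBB0002 2003-01-02 Bob Example <bob@example.org>
     Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 BBBB 0002
EOF
cat >"$demo/my-sassaman.txt" <<'EOF'
pub  1024D/AAAA0001 2003-01-01 Alice Example <alice@example.org>
     Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF AAAA 0001
pub  1024D/BBBB0002 2003-01-02 Bob Example <bob@example.org>
     Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 BBBB 0003
EOF

echo "Matching fingerprints:";    compare_fprs match    "$demo/sassaman.txt" "$demo/my-sassaman.txt"
echo "Conflicting fingerprints:"; compare_fprs conflict "$demo/sassaman.txt" "$demo/my-sassaman.txt"
```

A fingerprint listed as conflicting corresponds to a key that showed a conflict in the diff; a matching fingerprint still needs both check marks on your sheet before you sign.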
The format (and most of these instructions) are heavily based upon this keysigning.
St. John’s Linux Users’ Group