Signing GPG Keys
TODO:
Everybody generates keys
Everybody uploads keys to a keyserver
- keyserver.ubuntu.com
- pgp.mit.edu
Import keys
- Could import from a keyserver
- We had one person import the keys and then export the keyring, then everybody imported that keyring
gpg --no-default-keyring --keyring ./pubring.kbx --armor --export | gpg --import
Verify fingerprints
- We had the fingerprints printed on a sheet of paper
gpg --list-key --fingerprint <keyID>
Sign keys
gpg --sign-key <keyID>
Export the newly signed key, signed and encrypted to its owner
gpg -a --export <keyID> | gpg -se -r <keyID> > <keyID>.asc.pgp
Then email the exported signed key to the owner of the key. The owner then imports all of the signed keys they get from other attendees and re-uploads their key (with all the signatures) to a keyserver. Everybody else can then download the new keys at their leisure.
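
For the "Verify fingerprints" step above, the comparison against the printed sheet can be scripted instead of done by eye. This is an added example, not part of the original notes: the function names are hypothetical, the sample listing is constructed, and it assumes v4 keys with 40-hex-digit fingerprints.

```shell
#!/usr/bin/env bash
# Added example: compare the sheet fingerprint with the imported key's.
# Assumes v4 keys (40 hex digits); all function names are hypothetical.

# Strip spaces/colons and upper-case, so "ab12 cd34 ..." matches gpg's form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint` output on stdin; print the primary
# key's fingerprint: field 10 of the first "fpr" record after "pub".
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# fpr_matches <sheet fingerprint> <imported fingerprint>
# Returns 0 on a full match, 1 on mismatch, 2 if the sheet value is not
# 40 hex digits (a short key ID is not enough to sign on).
fpr_matches() {
    local want got
    want=$(normalize_fpr "$1")
    got=$(normalize_fpr "$2")
    case "$want" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    [ "$want" = "$got" ]
}

# check_key <keyID> <sheet fingerprint>: run the check on the local keyring.
check_key() {
    local got
    got=$(gpg --with-colons --fingerprint "$1" | primary_fpr_from_colons)
    if fpr_matches "$2" "$got"; then
        echo "OK: $1 matches the sheet"
    else
        echo "MISMATCH or bad input: do not sign $1" >&2
        return 1
    fi
}

# Constructed sample of colon-format output (not a real key).
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:1700000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::::Example Attendee <attendee@example.org>:
sub:-:4096:1:76543210FEDCBA98:1700000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'
```

Run check_key with the key ID and the fingerprint as typed from the sheet, and only continue to gpg --sign-key when it reports OK.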