Tomas Krizek's blog

A collection of madman's technical rambling

View on GitHub

PGP Key Signing

Last updated: 2017-10-31

Since there’s no central certrificate authority in PGP, users often sign each others’ keys to build a decentralized web of trust. This usually involves exchaning fingerprints of keys, verifying each others’ identities and e-mail addresses and signing each others’ keys afterwards.

Obtaining the key

To sign someone’s key, you have to import it to your local keyring. Users usually upload their keys to a keyserver to be able to conveniently exchange them. To obtain a key from a keyserver, issue the following command.

$ gpg2 --recv-keys $KEY_ID

Note that there are multiple popular keyservers and this contacts just one of them (as defined by your configuration). However, the major keyservers are synchronized with each other, so the key should be avaiable after some period of time, even if it was uploaded to a different keyserver.

Signing the key

You have the option to use trust signatures if you want to delegate trust. In this post, I’m using regular signatures and the classic trust model, in which you only trust the keys you’ve signed yourself.

After you’ve verified the fingerprint of the key, you can signed the associated uids. You should only sign the uids you’ve verified.

$ gpg2 --edit-key $KEY_ID
gpg> sign
gpg> save

Afterwards, you can check the signatures on a key.

$ gpg2 --list-sigs $KEY_ID

Publishing the signed key

Once you’ve signed someone’s key, you want to deliver the signed key back to them. You have the option to do it properly, by sending them the signed key in an encrypted e-mail sent to the e-mail address in the uid you’ve signed. This way you’ve verified the associated e-mail address is valid and has access to the private key, because they can’t publish and use your signature without access to the private key.

If you’ve verified their e-mail address in some other way, you can also just upload the signed key to the keyserver and they can download it afterwards.

$ gpg2 --send-keys $KEY_ID


Back to Index Feedback