GnuPG Talk Part II: Key Signing and Manual Use

Tom Rothamel <tom-keysigning@onegeek.org>

Important Note

The instructions given out at the last meeting were incorrect. Please re-export your keys using the command

    gpg --export -a <keyid> > <keyid>.key.asc

and send it to tom-keysigning@onegeek.org. Thanks!

Key Signing

Getting Ready to Sign Keys

  1. Download the keyring from my web site at http://onegeek.org/~tom/talks/
  2. Import it into GnuPG using the command
        gpg --import lilug-keyring.asc

For Each Key Listed

The following steps should be repeated for each key given, and comprise the actual signing process.

  1. Decide whether the owner has proven his identity to you well enough to justify signing his key. If he hasn't, don't sign it; skip to the next key instead.
  2. Start editing the key. Use the command
        gpg --edit-key <keyid>
    
    The keyid is the hexadecimal number to the right of the slash in the key fingerprints given in this handout. For example, the keyid for Tom Rothamel's key is 7CEFE79F.
  3. GnuPG will prompt for a command. Give it the 'fpr' command to show the fingerprint of the key. Make sure that the fingerprint matches the fingerprint given in this handout. If it doesn't, run 'quit' to abort without signing.
  4. Sign the key by giving the 'sign' command. GnuPG will ask you whether you really want to sign this key. Give it a 'y' to confirm your intentions, then give it your passphrase when it asks for it.
  5. Save your changes by entering the 'save' command. GnuPG will save the updated keyring and drop you back to the prompt.
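As an added illustration of step 3, not part of the original handout and not a GnuPG tool, the Python below shows how to compare a fingerprint printed on a handout against the fingerprint GnuPG displays, normalizing spacing and case, and why the full 40-hex-digit fingerprint has to be compared rather than the 8-digit keyid alone: the short keyid is just the last 32 bits of the fingerprint, so many distinct keys share one. The gpg output and the fingerprint and keyid values in it are constructed for this example and belong to no real person's key.

```python
import re

# Constructed sample of what `gpg --fingerprint <keyid>` (or the 'fpr'
# command inside `gpg --edit-key`) prints. The fingerprint is made up.
SAMPLE_GPG_OUTPUT = """\
pub   1024D/12345678 2002-01-01
      Key fingerprint = 1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678
uid                  Example Person <example@example.invalid>
"""

# What a handout would list for the same key (also constructed).
HANDOUT_FINGERPRINT = "1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678"
HANDOUT_KEYID = "12345678"

HEX40 = re.compile(r"[0-9A-F]{40}")


def normalize_fingerprint(text):
    """Strip grouping spaces and case so two renderings of one v4 fingerprint compare equal."""
    compact = re.sub(r"[\s:]", "", text).upper()
    if not HEX40.fullmatch(compact):
        raise ValueError("not a 40-hex-digit (v4) fingerprint: %r" % text)
    return compact


def short_keyid(fingerprint):
    """The 8-hex-digit keyid used with --edit-key is the tail of the v4 fingerprint."""
    return normalize_fingerprint(fingerprint)[-8:]


def fingerprints_from_gpg_output(output):
    """Collect every 40-hex-digit fingerprint in gpg's text output.

    Handles both the 'Key fingerprint = ...' line of older releases and the
    bare grouped-hex line newer ones print; other lines are ignored."""
    found = []
    for line in output.splitlines():
        compact = re.sub(r"\s", "", line.split("=")[-1]).upper()
        if HEX40.fullmatch(compact):
            found.append(compact)
    return found


def check_key(expected_fingerprint, expected_keyid, gpg_output):
    """Return (ok, reason).

    ok is True only when the handout's keyid is consistent with its own
    fingerprint and that exact fingerprint appears in what gpg printed."""
    expected = normalize_fingerprint(expected_fingerprint)
    if short_keyid(expected) != expected_keyid.upper():
        return False, "handout keyid does not match the tail of its own fingerprint"
    if expected in fingerprints_from_gpg_output(gpg_output):
        return True, "fingerprint matches; safe to 'sign' and 'save'"
    return False, "fingerprint mismatch; 'quit' without signing"


if __name__ == "__main__":
    ok, reason = check_key(HANDOUT_FINGERPRINT, HANDOUT_KEYID, SAMPLE_GPG_OUTPUT)
    print("OK" if ok else "STOP", "-", reason)
    # A different key that happens to share the same short keyid must be rejected.
    impostor = "FFFF FFFF FFFF FFFF FFFF  FFFF FFFF FFFF 1234 5678"
    print("OK" if check_key(impostor, HANDOUT_KEYID, SAMPLE_GPG_OUTPUT)[0] else "STOP")
```

The second check in the usage block is the important one: a fingerprint ending in the same eight digits passes a keyid-only comparison, so the decision to sign must rest on the whole fingerprint read from the handout.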

Once You're Done

Once you're done, you'll want to export your keyring with the signed keys. You can do that with the command:

    gpg --export -a > lilug-keyring.signed.asc

You'll then want to send it to me at <tom-keysigning@onegeek.org>, so I can collate the keys into a master keyring file, which I'll announce on the Lilug list.

Manual Use of GnuPG

Now that you have signed keys, you can exchange encrypted messages with people whose keys you've signed.

Please note that all of these commands support the '-a' option, which ASCII-armors the output so that it consists only of printable ASCII characters. Generally, that's a good thing, and all the examples given will have the '-a' argument already appended.

To encrypt a message to a list of recipients, use a command like

   gpg --encrypt -a -r <recipient> [-r <recipient> ...] message.txt

This will cause a file message.txt.asc to be created that is encrypted to the given recipients. The recipient can be given as a keyid or an email address.

To decrypt that file, use the command

   gpg message.txt.asc

GnuPG will prompt you for your passphrase and will decrypt the message, provided that you were listed as one of the recipients when it was encrypted.

To sign a message, use the command

   gpg --clearsign signme.txt

This will prompt you for your passphrase and then create the file signme.txt.asc, containing your message in plaintext with a signature attached. The signature can be verified using the command

   gpg --verify signme.txt.asc

Messages can also be signed and encrypted using the command

   gpg --sign --encrypt -a [-r <recipient> ...] message.txt

These messages are decrypted in the normal way.

If you have problems, don't hesitate to send email to me, Tom Rothamel, at tom-keysigning@onegeek.org.