Couple weeks ago, I participate in the "ApacheCon Keysigning Party", and that being my first "party" I was a little lost after the party, and I noticed couple of my friends were feeling the same way.Well, after some research, I gathered some steps that helped me and hopefully can help you as well.
What's a Keysigning party ?
If you have never been to a "Keysigning Party", you can read more about it here.
The Actual Signing of Keys
The best think to do is to use a tool to help you with the key sign steps. In my case, I've decided to use PGPSigner. See the README to more information about the tool.
Another piece of information you will use is the GPG keyring with all the public keys on the key list. For the purpose of this tutorial, let's call it keysigning-keyring.asc
You also will need your own private key, which you can get it using gpg --export-secret-key -a "User Name" > private.key
Now that you have all the required information, let's launch PGP Signer and sign the keys.
$ pgpsigner.sh
Welcome to PGPSigner V1.0
PGPSigner> partyring keysigning-keyring.asc
PGPSigner> list
... you should see a list of keys from the partyring ...
PGPSigner> signevent "Keysigning event"
PGPSigner> secretring private.key
PGPSigner> signkey 0xefb55df1
... this is your own key id ...
PGPSigner> unlock
... this will ask for your private key password ...
PGPSigner> sign
PGPSigner> mailserver smtp.domain.org
... this is your smtp server ...
... must allow sending without authentication/authorization ...
PGPSigner> mail
PGPSigner> quit
Goodbye
The steps above will load the keyring, sign keys using your private key, and mail them for the individual owners.
Importing signatures
First, let's check if anyone upload new signatures to a key server with the following command:
$ gpg --recv-keys EFB55DF1
gpg: requesting key EFB55DF1 from hkp server keys.gnupg.net
gpg: key EFB55DF1: "Luciano Resende (Code Signing Key) " 2 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: new signatures: 2
If you received any keys via e-mail, just detach the .asc file and run the following command:
$ gpg --import 0xefb55df1.asc
gpg: key EFB55DF1: "Luciano Resende (Code Signing Key) " not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Submitting your signed key to a key server
$ gpg --send-keys EFB55DF1
gpg: sending key EFB55DF1 to hkp server keys.gnupg.net
Hopefully this will get your next Keysigning Party experience much simpler.
