diff options
Diffstat (limited to 'content/posts/2019/2019-02-03-how-to-sign-pgp-keys.md')
| -rw-r--r-- | content/posts/2019/2019-02-03-how-to-sign-pgp-keys.md | 141 |
1 files changed, 141 insertions, 0 deletions
diff --git a/content/posts/2019/2019-02-03-how-to-sign-pgp-keys.md b/content/posts/2019/2019-02-03-how-to-sign-pgp-keys.md new file mode 100644 index 0000000..d5f401a --- /dev/null +++ b/content/posts/2019/2019-02-03-how-to-sign-pgp-keys.md @@ -0,0 +1,141 @@ +--- +title: How to sign PGP keys +date: 2019-02-03 +tags: +- PGP +- Tutorial +--- + +Having attended [FOSDEM](https://fosdem.org/2019/) last weekend, I have been +asked to help some people out with signing PGP keys. As it is an international +gathering of users and developers of all levels of expertise, it's a great event +to get your key out in to the wild. While helping people out, I figured it might +be even easier next time around to just refer to a small tutorial on my blog +instead. + +## Creating a PGP key + +The first step to sign keys, is to have a PGP key. If you already have one, +you're good to go to the next part of this tutorial. If you don't, you can check +out the `gpg` manual on how to create a key, or read about key creation in my +[article on using PGP with a Yubikey][yubikey-pgp-article]. While I would +strongly suggest reading at least some material, `gpg` does quite a good job of +guiding you through the process without prior knowledge, so you can just get +started with `gpg --generate-key` as well. + +[yubikey-pgp-article]: {{ "/post/2018/09/04/setting-up-pgp-with-a-yubikey/#creating-pgp-keys" | prepend: site.baseurl | prepend: site.url }} + +## Create key slips + +A *key slip* is a small piece of paper containing some basic information about +the PGP key. They're exchanged when people meet, so they don't have to +immediately sign the key, but can do it safely at home. When you're signing in a +group, this may be faster to work with. Another benefit is that some people +don't have their private keys with them. They can then just collect the key slips +from the people who's key they want to sign, and sign it whenever they are in +possession of their private key again. + +A key slip doesn't have to contain much. A key ID, fingerprint, email address and +a name is plenty. For reference, my key slips look as follows: + +```txt +Patrick Spek <p.spek@tyil.nl> rsa4096/0x7A6AC285E2D98827 + 1660 F6A2 DFA7 5347 322A 4DC0 7A6A C285 E2D9 8827 +``` + +## Verifying the owner + +Before you sign anyone's public key, you should verify that the person is +actually who they say they are. You can easily do this by asking for government +issued identification, such as an ID card, driver's license or passport. What +constitutes good proof is up to you, but in general people expect at least one +form of government issued identification. + +If the person can't verify who they are, you should *not* sign their key! + +## Retrieving their key + +Once you have verified the person is who they say they are, and you have +received their key slip containing their key ID, you can look up their key +online. You can let `gpg` do all the work for you in searching and downloading +the key, using the `--search` switch. For instance, to retrieve my key, do the +following: + +```txt +gpg --search-keys 0x7A6AC285E2D98827 +``` + +If a result has been found, you are prompted to enter the numbers of the keys +you want to download. Make sure you download the right key, in case multiple +have been found! + +After retrieving the key, you can see it in the list of all the keys `gpg` knows +about using `gpg --list-keys`. + +## Signing their key + +To actually sign their key, and show that you trust that the key belongs to the +person's name attached to it, you can use `gpg --sign-key`: + +```txt +gpg --sign-key 0x7A6AC285E2D98827 +``` + +You will be prompted whether you are sure you want to sign. You should answer +this with a single `y` to continue. + +After signing it, you'll have signed a PGP key! You can verify this by looking +at the signatures on a given key with `--list-sigs 0x7A6AC285E2D98827`. This should +contain your name and key ID. + +## Exchanging the signed key + +While you could publish the updated public key with your signature on it, you +should **not** do this! You should encrypt the updated public key and send it to +the person that owns the private key, and they should upload it themselves. One +reason for this is that it allows you to safely verify that they do in fact +actually own the private key as well, without ever asking them explicitly to +show you their private key. + +To export the public key, use `--export`: + +```txt +gpg --armor --export 0x7A6AC285E2D98827 > pubkey-tyil.asc +``` + +The `--armor` option is used to export the key as base64, instead of binary +data. + +You can attach this file to an email, and let your email client encrypt the +entire email and all attachments for they key ID. How you can do this depends on +your email client, so you should research how to do this properly in the +documentation for it. + +However, it's also possible to encrypt the public key file before adding it as +an attachment, in case you don't know how to let your email client do it (or if +you don't trust your email client to do it right). + +You can use the `--encrypt` option for this, and add a `--recipient` to encrypt +it for a specific key. + +```txt +gpg --encrypt --recipient 0x7A6AC285E2D98827 < pubkey-tyil.asc > pubkey-tyil.pgp +``` + +Now you can use this encrypted key file and share it with the owner of the key. +If the person you send it to really is the owner of the key, they can use the +private key to decrypt the file, import it with `gpg --import` and then publish +it with `gpg --send-keys` + +## Winding down + +Once all this is done, other people should have sent you your signed pubkey as +well, and you should have published your updated key with the new signatures. +Now you can start using PGP signatures and encryption for your communication +with the world. People who have not signed your key can see that there's other +people that do trust your key, and they can use that information to deduce that +whatever's signed with your key really came from you, and that anything they +encrypt with your public key can only be read by you. + +With this [trust](https://en.wikipedia.org/wiki/Web_of_trust), you can make +communication and data exchange in general more secure. |