From d93f1b5bd3f4bc28607d17f2a1e70fedd2827c97 Mon Sep 17 00:00:00 2001
From: Patrick Spek <p.spek@tyil.nl>
Date: Mon, 4 Feb 2019 14:49:26 +0100
Subject: Add tutorial on signing PGP keys

---
 _posts/2019-02-03-how-to-sign-pgp-keys.html | 165 ++++++++++++++++++++++++++++
 1 file changed, 165 insertions(+)
 create mode 100644 _posts/2019-02-03-how-to-sign-pgp-keys.html

(limited to '_posts')

diff --git a/_posts/2019-02-03-how-to-sign-pgp-keys.html b/_posts/2019-02-03-how-to-sign-pgp-keys.html
new file mode 100644
index 0000000..7efe1e2
--- /dev/null
+++ b/_posts/2019-02-03-how-to-sign-pgp-keys.html
@@ -0,0 +1,165 @@
+---
+title: How to sign PGP keys
+layout: post
+tags: PGP how-to key-signing key signatures tutorial
+description: >
+  A small tutorial on how to sign others PGP keys.
+---
+
+{% markdown %}
+Having attended [FOSDEM](https://fosdem.org/2019/) last weekend, I have been
+asked to help some people out with signing PGP keys. As it is an international
+gathering of users and developers of all levels of expertise, it's a great event
+to get your key out in to the wild. While helping people out, I figured it might
+be even easier next time around to just refer to a small tutorial on my blog
+instead.
+{% endmarkdown %}
+
+{% markdown %}
+## Creating a PGP key
+
+The first step to sign keys, is to have a PGP key. If you already have one,
+you're good to go to the next part of this tutorial. If you don't, you can check
+out the `gpg` manual on how to create a key, or read about key creation in my
+[article on using PGP with a Yubikey][yubikey-pgp-article]. While I would
+strongly suggest reading at least some material, `gpg` does quite a good job of
+guiding you through the process without prior knowledge, so you can just get
+started with `gpg --generate-key` as well.
+
+[yubikey-pgp-article]: {{ "/post/2018/09/04/setting-up-pgp-with-a-yubikey/#creating-pgp-keys" | prepend: site.baseurl | prepend: site.url }}
+{% endmarkdown %}
+
+{% markdown %}
+## Create key slips
+
+A *key slip* is a small piece of paper containing some basic information about
+the PGP key. They're exchanged when people meet, so they don't have to
+immediately sign the key, but can do it safely at home. When you're signing in a
+group, this may be faster to work with. Another benefit is that some people
+don't have their private keys with them. They can then just collect the key slips
+from the people who's key they want to sign, and sign it whenever they are in
+possession of their private key again.
+
+A key slip doesn't have to contain much. A key ID, fingerprint, email address and
+a name is plenty. For reference, my key slips look as follows:
+{% endmarkdown %}
+
+{% highlight text %}
+Patrick Spek <p.spek@tyil.nl>   rsa4096/0x7A6AC285E2D98827
+    1660 F6A2 DFA7 5347 322A  4DC0 7A6A C285 E2D9 8827
+{% endhighlight %}
+
+{% markdown %}
+## Verifying the owner
+
+Before you sign anyone's public key, you should verify that the person is
+actually who they say they are. You can easily do this by asking for government
+issued identification, such as an ID card, driver's license or passport. What
+constitutes good proof is up to you, but in general people expect at least one
+form of government issued identification.
+
+If the person can't verify who they are, you should *not* sign their key!
+{% endmarkdown %}
+
+{% markdown %}
+## Retrieving their key
+
+Once you have verified the person is who they say they are, and you have
+received their key slip containing their key ID, you can look up their key
+online. You can let `gpg` do all the work for you in searching and downloading
+the key, using the `--search` switch. For instance, to retrieve my key, do the
+following:
+{% endmarkdown %}
+
+{% highlight sh %}
+gpg --search-keys 0x7A6AC285E2D98827
+{% endhighlight %}
+
+{% markdown %}
+If a result has been found, you are prompted to enter the numbers of the keys
+you want to download. Make sure you download the right key, in case multiple
+have been found!
+
+After retrieving the key, you can see it in the list of all the keys `gpg` knows
+about using `gpg --list-keys`.
+{% endmarkdown %}
+
+{% markdown %}
+## Signing their key
+
+To actually sign their key, and show that you trust that the key belongs to the
+person's name attached to it, you can use `gpg --sign-key`:
+{% endmarkdown %}
+
+{% highlight sh %}
+gpg --sign-key 0x7A6AC285E2D98827
+{% endhighlight %}
+
+{% markdown %}
+You will be prompted whether you are sure you want to sign. You should answer
+this with a single `y` to continue.
+
+After signing it, you'll have signed a PGP key! You can verify this by looking
+at the signatures on a given key with `--list-sigs 0x7A6AC285E2D98827`. This should
+contain your name and key ID.
+{% endmarkdown %}
+
+{% markdown %}
+## Exchanging the signed key
+
+While you could publish the updated public key with your signature on it, you
+should **not** do this! You should encrypt the updated public key and send it to
+the person that owns the private key, and they should upload it themselves. One
+reason for this is that it allows you to safely verify that they do in fact
+actually own the private key as well, without ever asking them explicitly to
+show you their private key.
+
+To export the public key, use `--export`:
+{% endmarkdown %}
+
+{% highlight sh %}
+gpg --armor --export 0x7A6AC285E2D98827 > pubkey-tyil.txt
+{% endhighlight %}
+
+{% markdown %}
+The `--armor` option is used to export the key as base64, instead of binary
+data.
+
+You can attach this file to an email, and let your email client encrypt the
+entire email and all attachments for they key ID. How you can do this depends on
+your email client, so you should research how to do this properly in the
+documentation for it.
+
+However, it's also possible to encrypt the public key file before adding it as
+an attachment, in case you don't know how to let your email client do it (or if
+you don't trust your email client to do it right).
+
+You can use the `--encrypt` option for this, and add a `--recipient` to encrypt
+it for a specific key.
+{% endmarkdown %}
+
+{% highlight sh %}
+gpg --encrypt --recipient 0x7A6AC285E2D98827 < pubkey-tyil.txt > pubkey-tyil.asc
+{% endhighlight %}
+
+{% markdown %}
+Now you can use this encrypted key file and share it with the owner of the key.
+If the person you send it to really is the owner of the key, they can use the
+private key to decrypt the file, import it with `gpg --import` and then publish
+it with `gpg --send-keys`
+{% endmarkdown %}
+
+{% markdown %}
+## Winding down
+
+Once all this is done, other people should have sent you your signed pubkey as
+well, and you should have published your updated key with the new signatures.
+Now you can start using PGP signatures and encryption for your communication
+with the world. People who have not signed your key can see that there's other
+people that do trust your key, and they can use that information to deduce that
+whatever's signed with your key really came from you, and that anything they
+encrypt with your public key can only be read by you.
+
+With this [trust](https://en.wikipedia.org/wiki/Web_of_trust), you can make
+communication and data exchange in general more secure.
+{% endmarkdown %}
-- 
cgit v1.1