This is a quick guide to participating in a key-signing party using the gpg
command line program on GNU/Linux.
Before you can participate in a keysigning party, you need a key.
Generate a key pair:
gpg --gen-key
Choose the default (DSA and Elgamal)
Since you want your key pair to be safe, it is a good idea to choose the largest possible key size (4096)
You don't really need to set a key expiry period, so choose the default (0)
Enter your full name, preferably just as it appears on your proof of ID
Enter your email address, this must be your real email address!
If you have more than one email address, choose the one you prefer to use; other email addresses can be associated with this key pair later.
Choose a strong passphrase!
For some help on choosing a strong passphrase, see Wikipedia: Password Strength
GPG will now generate your key pair. During this process, it needs random data to make it truly unique. Random data is gathered from keyboard input, mouse movement, and other actions, so do something else with your computer for a moment. After a short time, GPG will have finished creating your key.
GPG stores its keys in keyring files, typically one public and one private keyring.
Your public keys are stored in ~/.gnupg/pubring.gpg
Your secret keys are stored in ~/.gnupg/secring.gpg
To find information about all the keys in your keyrings:
gpg --list-keys --fingerprint
To find information about only your keys:
gpg --list-secret-keys --fingerprint
pub   1024D/01234567 1996-06-10
      Key fingerprint = 0995 ECD6 3843 CBB3 C050 28CA E103 6EED 0123 4567
uid                  Tux T. Penguin <tux@kernel.org>
sub   4096g/FEDCBA98 1996-06-10
This key stands in for your key in the following examples; replace its values with those from your key.
Make sure you keep your private key and passphrase safe!
Never write down or tell anyone your passphrase.
Remember your passphrase and don't lose your private key. You will not be able to access your encrypted data without both of them!
Make sure the permissions of your private keyring file prevent all access by other users.
If you have a safe or lock-box, consider printing out a copy of your public and private keys and storing it there, but commit your passphrase to memory.
In order for other people to send you encrypted data or verify your signatures, you must share your public key with the world. There are several keyservers you may use for this at no cost.
Specify a default keyserver:
If it does not already exist, create the file ~/.gnupg/gpg.conf
Add the line of text:
keyserver hkp://subkeys.pgp.net
Send your public key to the keyserver:
gpg --send-keys 01234567
All the keyservers periodically synchronize with each other, so you only need to send your key to one of them. It is therefore best to send your key to the keyserver several days ahead of the signing party so it will have propagated to every keyserver.
Make a text file containing information about your public key:
gpg --fingerprint 01234567 >> key.txt
Repeat this command or use a text editor to add enough copies of your key information to this file to fill one page.
By default, 6 lines of text are printed on an inch of paper, so you can usually fit 12 copies of your key information per page of US Letter paper.
Print the file:
lp key.txt
Print as many pages as you will need to give one copy of your key information to each participant.
Cut the pages into strips, with one full set of key information on each strip.
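The repeat-and-print step above can be scripted. The following is an added example, not part of the original guide: it computes how many whole copies of one fingerprint block fit on a page (66 lines for US Letter at 6 lines per inch, margins ignored) and writes key.txt accordingly. It assumes a POSIX shell; gpg is only needed by the fingerprint_block helper, and the page length and file names are assumptions you can change.

```shell
#!/bin/sh
# Added example (not from the original guide): build key.txt by repeating one
# fingerprint block as many whole times as will fit on a page. Assumes a POSIX
# shell; gpg is only needed by fingerprint_block.
set -eu

# Save gpg's fingerprint listing for KEYID ($1) to BLOCK_FILE ($2): one copy of the strip.
fingerprint_block() {
    gpg --fingerprint "$1" > "$2"
}

# Whole copies of a BLOCK_LINES-line block that fit on a PAGE_LINES-line page.
copies_per_page() {
    page_lines=$1; block_lines=$2
    [ "$block_lines" -gt 0 ] || return 1
    echo $(( page_lines / block_lines ))
}

# Write as many copies of BLOCK_FILE as fit on one page to OUT_FILE and print
# the number of lines written. PAGE_LINES defaults to 66: 11 inches at 6 lines
# per inch (US Letter, as the guide assumes), ignoring printer margins.
fill_page() {
    block_file=$1; out_file=$2; page_lines=${3:-66}
    block_lines=$(wc -l < "$block_file" | tr -d ' ')
    n=$(copies_per_page "$page_lines" "$block_lines")
    : > "$out_file"
    i=0
    while [ "$i" -lt "$n" ]; do
        cat "$block_file" >> "$out_file"
        i=$((i + 1))
    done
    wc -l < "$out_file" | tr -d ' '
}

# Usage: sh strips.sh --demo 01234567   (writes and prints key.txt for the guide's key)
if [ "${1:-}" = "--demo" ]; then
    fingerprint_block "$2" block.txt
    fill_page block.txt key.txt
    lp key.txt
fi
```

The gpg listing in the guide is four lines long, so 16 copies fit on a 66-line page; the guide's figure of 12 leaves room for printer margins, and you can pass a smaller page length as the third argument of fill_page to get the same effect.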
If you have your own business cards, consider having your key ID printed on them.
For the party, you will need these strips and an official photo ID, such as a driver's license or passport.
You now have the printed public key information from the other participants.
Example key IDs for the other participants will be E4758D1D, C27659A2, and 09026E7B. Replace these IDs with the key IDs you received from the other participants.
Find the key ID numbers on each printout and get the public keys from the keyservers:
gpg --recv-keys E4758D1D C27659A2 09026E7B
Sign a key:
gpg --sign-key E4758D1D
If a key has multiple user IDs, GPG will ask if you want to sign all of them. Unless one of them seems suspicious to you, it is usually all right to sign all of the user IDs.
Compare all of the information displayed by GPG with the information on the paper; only sign the key if it matches exactly.
GPG will ask for the passphrase of your secret key; enter it and GPG will sign the other person's key with yours.
Repeat this procedure with the other keys.
gpg --sign-key C27659A2
gpg --sign-key 09026E7B
Instead of sending the signed keys back to the keyserver, send each key to its owner via email.
Export each key signature:
gpg --armor --output E4758D1D.signed-by.01234567.asc --export E4758D1D
gpg --armor --output C27659A2.signed-by.01234567.asc --export C27659A2
gpg --armor --output 09026E7B.signed-by.01234567.asc --export 09026E7B
Use your preferred email program to compose messages to the email address from each key's user ID and attach the corresponding signature file.
If possible, have your email program encrypt these messages with the corresponding keys.
Once you have received signature files from the other participants, import them into your keyring:
gpg --import 01234567.signed-by.E4758D1D.asc
gpg --import 01234567.signed-by.C27659A2.asc
gpg --import 01234567.signed-by.09026E7B.asc
You should see the signatures with:
gpg --list-sigs 01234567
Send your key to the keyserver:
gpg --send-keys 01234567
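The verify, sign, export and import steps above, collected into shell helpers as an added example that is not part of the original guide. The fingerprint check is the part worth scripting: it compares the full 40-hex-digit fingerprint of the keyring copy with the one read from the paper strip, ignoring spacing and case, and refuses to accept a short key ID in place of a fingerprint, since the 8-character ID on its own does not identify a key uniquely. It assumes a POSIX shell, gpg on PATH, and the file-naming scheme the guide uses; the key IDs and fingerprint in the usage line are the guide's example values.

```shell
#!/bin/sh
# Added example (not from the original guide): helpers for the signing-party
# side of the workflow. Assumes a POSIX shell and gpg on PATH.
set -u

# Canonical form of a fingerprint: no whitespace, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n\r' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if both inputs are the same full 40-hex-digit fingerprint.
# A short key ID (8 or 16 hex digits) is rejected outright: it does not
# identify a key uniquely and must never stand in for the fingerprint check.
fingerprints_match() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    [ "${#a}" -eq 40 ] || return 1
    case "$a" in *[!0-9A-F]*) return 1 ;; esac
    [ "$a" = "$b" ]
}

# Fingerprint of a key in the local keyring, taken from gpg's machine-readable
# colon-separated output (field 10 of the "fpr" record).
keyring_fingerprint() {
    gpg --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# File name the guide uses for a key exported after you signed it.
signed_export_name() {
    printf '%s.signed-by.%s.asc' "$1" "$2"
}

# Compare the keyring copy of KEYID ($1) against the fingerprint read from the
# paper strip ($2); sign and export it as SIGNER ($3) only if they match.
verify_sign_export() {
    keyid=$1; paper_fpr=$2; signer=$3
    local_fpr=$(keyring_fingerprint "$keyid")
    if ! fingerprints_match "$local_fpr" "$paper_fpr"; then
        printf 'fingerprint mismatch for %s, not signing\n' "$keyid" >&2
        return 1
    fi
    gpg --sign-key "$keyid" || return 1
    out=$(signed_export_name "$keyid" "$signer")
    gpg --armor --output "$out" --export "$keyid" && printf '%s\n' "$out"
}

# Import every signature file other participants mailed back for MYKEY ($1)
# and print how many were imported.
import_received_signatures() {
    mykey=$1
    found=0
    for f in "$mykey".signed-by.*.asc; do
        [ -e "$f" ] || continue
        gpg --import "$f" && found=$((found + 1))
    done
    printf '%s\n' "$found"
}

# Usage (only runs when called with --demo, so the file can also be sourced):
#   sh party.sh --demo 01234567 E4758D1D "0995 ECD6 3843 CBB3 C050 28CA E103 6EED 0123 4567"
if [ "${1:-}" = "--demo" ]; then
    verify_sign_export "$3" "$4" "$2"
fi
```

Run verify_sign_export once per strip you collected; gpg --sign-key still prompts interactively, exactly as in the manual procedure. After the signature files arrive by email, import_received_signatures 01234567 followed by gpg --list-sigs 01234567 shows which participants' signatures are now attached to your key.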
That's it: your key is now signed and you have enlarged your web of trust.
GPG comes with a manual page, which describes how to use it. View it with:
man gpg
For more information on keysigning parties, see The Keysigning Party HOWTO
For more information on GPG, see The GnuPG Documentation