2013 Project Week: PGP Keysigning
- Matt McCormick, Kitware
- Luis Ibanez, Kitware
- Hold a PGP Keysigning Party to create a web of trust for signed (trusted) code commits, signed (trusted) email communications, and encrypted data exchange.
- Individuals gather to create their PGP keys and sign others' keys
- Instructions can be found below that follow The Keysigning Party HOWTO.
- Hans Johnson fingerprint: 680D EE90 07B7 74DD 96CB 3AE6 7938 0C24 20E5 AF35
- Matthew McCormick fingerprint: 7396 5496 63D9 CDDE 1267 BEC4 9812 65AD AF71 A174
- Luis Ibanez fingerprint: 2179 1878 5042 003C DA27 CA29 F8C5 5B60 D117 0A09
Session 1: Install GPG, Create an Encrypted USB Drive, Create Your Keys
The open source implementation of PGP (Pretty Good Privacy) is GNU Privacy Guard (GnuPG, or GPG). It can be built from source, and binaries are available for all major platforms.
- On Linux, install gnupg with your package manager.
- On Mac, install Mac GPG.
- On Windows, install Gpg4win.
Create an Encrypted USB Drive
Install TrueCrypt and encrypt a USB drive. The drive will hold the master (primary) secret key, which is not kept on your workstation for everyday use. For everyday signing and encryption, subkeys are created from the master key and copied to the workstation. A subkey that is lost or compromised can be revoked and replaced without discarding the master key or the signatures other people have placed on it.
Create Your PGP Keys
In a shell:
mkdir -p ~/.gnupg
Edit the file ~/.gnupg/gpg.conf (Unix):
use-agent
no-default-keyring
keyserver keyserver.ubuntu.com
keyring ~/.gnupg/pubring.gpg
secret-keyring /encrypted_usb/secring.gpg
#secret-keyring ~/.gnupg/secring.gpg
# allow linux to write to FAT disks
lock-never
On Windows, edit the file C:\Users\alice\.gnupg\gpg.conf, for example:
use-agent
no-default-keyring
keyserver keyserver.ubuntu.com
keyring C:\Users\alice\.gnupg\pubring.gpg
secret-keyring M:\secring.gpg
#secret-keyring C:\Users\alice\.gnupg\secring.gpg
# allow to write to FAT disks
lock-never
In a shell (note: depending on the installation, the executable may be gpg instead of gpg2):
$ gpg2 --gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
Your selection? 1
What keysize do you want? 4096
Key is valid for? 0
Real name: Alice Smith
Email address: firstname.lastname@example.org
Comment:
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
(enter a passphrase)
Choose the RSA and RSA entry (the menu numbering varies between GnuPG versions); DSA keys are limited to 3072 bits and cannot use the 4096-bit size. A validity of 0 means the master key does not expire; the subkeys added below are the ones that expire.
After generating the key, a message will be printed containing text like:
gpg: key BF71A174 marked as ultimately trusted
The short identifier for the key is then BF71A174, the last eight hex digits of its fingerprint. This identifier is used below to select the key for editing. Short key IDs are not unique, so always share and verify the full fingerprint rather than the short ID. Next, a second user ID containing only your name (no email address) is added.
$ gpg2 --edit-key BF71A174
gpg> adduid
Real name: Alice Smith
Email address:
Comment:
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg> quit
Save changes? (y/N) y
Now, add a signing subkey that expires (choose the RSA (sign only) entry; the menu number varies between GnuPG versions).
$ gpg2 --edit-key BF71A174
gpg> addkey
   (5) RSA (sign only)
Your selection? 5
What keysize do you want? 4096
Key is valid for? 1y
gpg> quit
Save changes? (y/N) y
Add a calendar reminder to renew the subkey before it expires.
We also want the encryption subkey, which was created together with the master key, to expire. "key 1" selects that first subkey.
$ gpg2 --edit-key BF71A174
gpg> key 1
gpg> expire
Key is valid for? 1y
gpg> quit
Save changes? (y/N) y
Generate a revocation certificate and store it on the encrypted media. It lets you revoke the key later even if the master secret key is lost.
$ gpg2 -a --gen-revoke BF71A174 > /encrypted_usb/gnupg_revoke_BF71A174.asc
Create a revocation certificate for this key? (y/N) y
  0 = No reason specified
Your decision? 0
Enter an optional description: Preemptive revocation generated during creation.
Optionally add additional user IDs with the commands adduid, uid, and primary. For more information, type help at the gpg prompt.
Back up the public key to the encrypted media for convenience.
$ gpg2 --export BF71A174 > /encrypted_usb/publickey.gpg
Export the secret subkeys, without the master secret key, to a keyring on the local machine.
$ gpg2 --export-secret-subkeys BF71A174 > ~/.gnupg/secring.gpg
Update gpg.conf to use the local secret keyring: uncomment the secret-keyring line for the local machine and comment out the line pointing at the encrypted USB drive.
#secret-keyring /encrypted_usb/secring.gpg
secret-keyring ~/.gnupg/secring.gpg
The master secret key now lives only on the encrypted drive; mount it and switch the lines back when you need to sign other people's keys or add subkeys.
Share your public key and fingerprint with the Keysigning party organizer (Matt McCormick). Write the fingerprint to a file with
gpg2 --fingerprint BF71A174 > alice.smith.fingerprint.txt
Send this file to matt _dot_ mccormick _a_ kitware _dot_ com.
Upload your key to the keyserver with:
gpg2 --send-key BF71A174
Session 2: Verify Others' Keys
Come to the key signing party with a pen. Sheets will be handed out with key fingerprints. Verify that your own fingerprint on the sheet is correct. After verifying the identity of another person (government-issued photo ID) and confirming their fingerprint with them, have them sign their name next to their fingerprint on your sheet.
Session 3: Digitally Sign Others' Keys
First, download their key from the keyserver:
gpg2 --recv-keys <Key_ID>
Display the fingerprint and compare it, digit by digit, against the one you verified in person on the sheet:
gpg2 --fingerprint <Key_ID>
Sign the key:
gpg2 --sign-key <Key_ID>
By convention, we send the signed key to its owner, and they upload it to the keyserver. To export the signed key:
gpg2 --armor --output <Key_ID>.signed-by.<My_Key_ID>.asc --export <Key_ID>
Email them the file <Key_ID>.signed-by.<My_Key_ID>.asc. Encrypting the file to <Key_ID> before sending it also confirms that the recipient controls both the email address and the private key.
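The Session 2 and Session 3 steps above, as an added example that is not part of the original page: a small POSIX shell script that fetches a key, compares the fingerprint GnuPG reports against the one transcribed from the keysigning sheet (normalizing spaces and case so the comparison is exact rather than by eye), and only then signs and exports it. The text-processing helpers run without a keyring; only verify_and_sign() calls gpg2. The colon-format listing embedded below is constructed sample data for the page's example key BF71A174, with a made-up fingerprint.

```shell
#!/bin/sh
# Added example, not part of the original wiki page. Automates the Session 3
# check: compare the keyserver copy's fingerprint with the sheet before signing.

# Strip whitespace and force upper case so "680D EE90 ..." from the sheet and
# "680dee90..." typed by hand compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Extract the primary key fingerprint (field 10 of the first "fpr" record)
# from `gpg2 --with-colons --fingerprint <Key_ID>` output read on stdin.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# A short key ID is only the last 8 hex digits of the 40-digit v4 fingerprint,
# which is why the sheet carries fingerprints rather than key IDs.
keyid_from_fpr() {
    normalize_fpr "$1" | cut -c 33-40
}

# Exit status 0 when two fingerprints agree after normalization, 1 otherwise.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Full flow: fetch the key, compare against the sheet, sign, export for email.
# Arguments: <Key_ID> <fingerprint from sheet> <My_Key_ID>
verify_and_sign() {
    keyid=$1
    sheet_fpr=$2
    mykeyid=$3
    gpg2 --recv-keys "$keyid" || return 1
    got=$(gpg2 --with-colons --fingerprint "$keyid" | fpr_from_colons)
    if ! fpr_matches "$got" "$sheet_fpr"; then
        echo "refusing to sign $keyid: keyserver fingerprint $got does not match sheet" >&2
        return 1
    fi
    gpg2 --sign-key "$keyid" &&
    gpg2 --armor --output "$keyid.signed-by.$mykeyid.asc" --export "$keyid"
}

# Constructed sample (not real gpg output) of the colon listing for the page's
# example key BF71A174; the fingerprint and timestamps are made up.
SAMPLE_COLONS='pub:u:4096:1:D6E7F809BF71A174:1365000000::u:::scESC:
fpr:::::::::1A2B3C4D5E6F708192A3B4C5D6E7F809BF71A174:
uid:u::::1365000000::0000000000000000000000000000000000000000::Alice Smith <firstname.lastname@example.org>:'

if [ "$#" -eq 3 ]; then
    verify_and_sign "$1" "$2" "$3"
else
    # Offline demonstration against the constructed sample.
    got=$(printf '%s\n' "$SAMPLE_COLONS" | fpr_from_colons)
    printf 'fingerprint %s -> short key ID %s\n' "$got" "$(keyid_from_fpr "$got")"
    if fpr_matches "$got" '1a2b 3c4d 5e6f 7081 92a3 b4c5 d6e7 f809 bf71 a174'; then
        echo "sheet fingerprint matches, safe to sign"
    fi
fi
```

Run it with no arguments to see the offline demonstration, or as `sh verify_and_sign.sh <Key_ID> "<fingerprint from sheet>" <My_Key_ID>` to perform the real fetch, check, sign and export. A mismatch makes the script refuse to sign, which is the failure mode the sheet is meant to catch: a key on the keyserver carrying the right name and email but a different fingerprint.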
If you received a signed version of your key, it can be imported with:
gpg2 --import <My_Key_ID>.signed-by.<Key_ID>.asc
The signatures can be listed with:
gpg2 --list-sigs <My_Key_ID>
Send the new signatures with:
gpg2 --send-keys <My_Key_ID>