Note: This page is for planning a keysigning party hosted by LUG@UCLA.
A keysigning party is an event for helping people verify each other's PGP keys and strengthening the web of trust.
- take control of your privacy
- meet other interesting members of the privacy-aware community
- learn about cryptography technologies widely used in industry
- eat pizza
LUG@UCLA's keysigning party uses a slightly modified version of the Sassaman-Efficient method.
- Where: Boelter Hall 4760
- When: TBA
- Generate your PGP keypair if you haven't already:
$ gpg --gen-key
WARNING: make sure you understand the implications of holding a private key, e.g. do not generate it on a computer you don't own and have full control over.
- Sync your public key with the keyservers:
$ gpg --send-keys <your key ID>
WARNING: this is irreversible. Make sure you are prepared to protect your private key and you are using a very strong passphrase.
- Figure out your key fingerprint and RSVP:
$ gpg --fingerprint <your name or key ID>
- Go to RSVP page: https://linux.ucla.edu/keysigning/
- 24 hours before the party, we will make available the final keylist and keylist checksum which you should download:
$ wget https://linux.ucla.edu/keysigning/lists/keylist.txt
$ wget https://linux.ucla.edu/keysigning/lists/keylist.txt.sha1
- Make sure your key fingerprint is on the list next to your name.
- Locally verify the checksum:
$ sha1sum --check keylist.txt.sha1
- Append the checksum to the bottom of keylist.txt:
$ cat keylist.txt.sha1 >>keylist.txt
- Print keylist.txt and keep it safe. For your convenience, here is a printable version. Be sure to verify the checksum at the bottom of the page.
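The download-and-verify steps above, as an added shell example (not part of the LUG@UCLA page): it checks keylist.txt against keylist.txt.sha1 and confirms that a given fingerprint sits on the same line as your name. The keylist layout in the constructed sample data, the function names and the directory handling are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the LUG@UCLA page): verify the downloaded keylist
# against its .sha1 file and confirm that your fingerprint appears on the same
# line as your name, before you append the checksum and print the list.
# The keylist layout used for the sample data below is constructed for this
# example; the real keylist.txt layout is whatever the organisers publish.
set -eu

# sha1_check SUMFILE: GNU coreutils sha1sum where available, otherwise the
# Perl shasum shipped with macOS; both read the same "<hash>  <file>" format.
sha1_check() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum --check --status "$1"
    else
        shasum -a 1 --check --status "$1"
    fi
}

# verify_keylist DIR NAME FINGERPRINT
# Returns 0 only when DIR/keylist.txt matches DIR/keylist.txt.sha1 AND some
# line of the keylist contains both NAME and FINGERPRINT. Spaces are dropped
# from both sides of the comparison because gpg --fingerprint prints the
# fingerprint in groups of four hex digits and the keylist may not.
verify_keylist() {
    dir=$1
    name=$(printf '%s' "$2" | tr -d ' ')
    fpr=$(printf '%s' "$3" | tr -d ' ')
    if ! ( cd "$dir" && sha1_check keylist.txt.sha1 ); then
        echo "keylist.txt does not match keylist.txt.sha1" >&2
        return 1
    fi
    if ! tr -d ' ' <"$dir/keylist.txt" | grep -Fi -- "$fpr" | grep -Fqi -- "$name"; then
        echo "fingerprint $fpr not listed next to $2" >&2
        return 1
    fi
}

# make_sample DIR: write a constructed keylist.txt plus its checksum file, the
# same pair of files the party would publish for download.
make_sample() {
    mkdir -p "$1"
    cat >"$1/keylist.txt" <<'EOF'
LUG@UCLA keysigning party keylist (constructed sample data)
001 Alice Example <alice@example.org> 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567
002 Bob Example   <bob@example.org>   FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98
EOF
    ( cd "$1" && {
        if command -v sha1sum >/dev/null 2>&1; then sha1sum keylist.txt
        else shasum -a 1 keylist.txt; fi
      } >keylist.txt.sha1 )
}

# Demonstration on the constructed data. For the real party, run
# verify_keylist against the directory holding the two downloaded files.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
if verify_keylist "$demo_dir" "Alice Example" "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"; then
    echo "checksum OK and fingerprint listed for Alice Example"
fi
rm -rf "$demo_dir"
```

Run the check before the append step: once keylist.txt.sha1 has been concatenated onto keylist.txt, the file no longer matches its own checksum, so a later `sha1sum --check` will report a mismatch even though nothing is wrong. The printed checksum is what you compare against the wall at the party; the script only tells you that the copy you printed is the copy the organisers published.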
III. The Party
- Bring the following:
- printed copy of keylist.txt
- One or more forms of ID (e.g. driver's license + Bruin card)
- make sure the keylist.txt checksum at the bottom of your printout matches the checksum projected onto the wall.
- Together, we will iterate over the keylist and each participant will make a statement that their fingerprint is correct. Put a check mark next to each person that has stated that their fingerprint is correct.
- When we finish going through the list, break formation and individually go to each person on your keylist to verify their identity. Add a second check mark next to each person that you verify. This indicates that you really believe they own that key.
- Keep your keylist printout safe.
- Don't forget to eat pizza!
IV. After the Party
- Retrieve your annotated keylist printout.
- Import the key of every person on the list with two check marks:
$ gpg --recv-keys <key ID 1> <key ID 2> ... <key ID N>
- For every key with two check marks, indicate your level of trust and sign the key:
$ gpg --edit-key <their key ID>
gpg> trust
[...]
  1 = Don't know
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
Your decision? 3
gpg> sign
- Send all your new key signatures to the keyservers:
$ gpg --send-keys <key ID 1> <key ID 2> ... <key ID N>
This strengthens the web of trust!
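The after-party steps, as an added shell example (not part of the LUG@UCLA page): it reads a transcription of the check marks on your printout and builds the import command for exactly the entries with two marks. The transcription file format, the function names and the sample entries are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the LUG@UCLA page): turn the check marks on your
# annotated printout into the list of keys to fetch. The transcription format
# is an assumption made for this example: one line per keylist entry,
# "<marks>|<name>|<fingerprint>", where <marks> is "-", "x" or "xx" for zero,
# one or two check marks.
set -eu

# double_checked FILE: print, one per line and without spaces, the fingerprint
# of every entry carrying two check marks, i.e. the person both stated that
# their fingerprint was correct and showed you ID. One or zero marks: skipped.
double_checked() {
    while IFS='|' read -r marks name fpr; do
        [ "$marks" = "xx" ] || continue
        printf '%s\n' "$fpr" | tr -d ' '
    done <"$1"
}

# recv_command FILE: the gpg invocation that imports every double-checked key.
# gpg accepts a full fingerprint wherever the page writes <key ID>; passing the
# fingerprint rather than a short key ID means a keyserver cannot hand you a
# different key that happens to share the same short ID.
recv_command() {
    ids=$(double_checked "$1" | tr '\n' ' ')
    ids=${ids% }
    [ -n "$ids" ] || return 1
    printf 'gpg --recv-keys %s\n' "$ids"
}

# make_sample FILE: constructed transcription of an annotated printout.
make_sample() {
    cat >"$1" <<'EOF'
xx|Alice Example|0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567
x|Bob Example|FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98
xx|Carol Example|0000 1111 2222 3333 4444 5555 6666 7777 8888 9999
-|Dave Example|1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678
EOF
}

# Demonstration: Alice and Carol have two marks, Bob one, Dave none, so only
# Alice's and Carol's fingerprints end up in the command.
demo_file=$(mktemp)
make_sample "$demo_file"
recv_command "$demo_file"
rm -f "$demo_file"
```

After the import, run `gpg --fingerprint` on each fetched key and compare it against the printout before you sign: the keyserver returned whatever it had under that identifier, and the printout is the only thing you verified in person. When you then sign in the `--edit-key` session, finish with `save` (or answer yes when `quit` asks to save changes); otherwise the signature is discarded and `--send-keys` has nothing new to publish.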
Q: How do I install GnuPG (gpg)?
A: Most open source operating systems will include GnuPG by default. If GnuPG is not installed, and isn't provided by your operating system vendor, you should seriously consider switching to a better operating system. Come to LUG during Tutoring hours or attend our next Installfest and we will help you install GNU/Linux on your computer.
Q: Can't I just generate my PGP keypair on SEASNet lnxsrv?
A: NO! You must protect your private key. Generate it on your personal computer running an open source operating system. Virtual machines don't count.
- write a simple RSVP web application (in progress: https://linux.ucla.edu/git/?p=keysigning-party.git)