Keysigning party

From Wiki | LUG@UCLA
Date 2016-05-05
Time 18:00-19:00
Location BH 4760

A keysigning party is an event where people meet in person to verify that each other's PGP keys really belong to the people who claim them, and then sign those keys, which strengthens the web of trust.

  • take control of your personal information
  • meet other interesting members of the privacy-aware community
  • learn about cryptographic tools widely used in industry

LUG@UCLA's keysigning party uses a relaxed version of the Sassaman-Efficient method.


The party will consist of a short talk about what PGP is, followed by the actual keysigning party procedure. Even if you don't care about the keysigning, you are welcome to come eat food. If you do wish to participate, follow these steps:

I. RSVP

  1. If you haven't already, generate your PGP keypair: $ gpg --gen-key
    WARNING: make sure you understand the implications of holding a private key:
    • DO NOT generate it on a computer you don't own and have full control over. See FAQ below for sterner warnings.
    • DO NOT store your private key on Dropbox, Sky Drive, or any other cloud storage service.
    • DO use a very strong passphrase (several words, hence "phrase"); it is the only thing protecting the key file if your disk or a backup of it is copied.
  2. If you haven't already, sync your public key with the PGP keyservers: $ gpg --send-keys <your key ID>
    WARNING: this is irreversible. Keyservers never delete a key, so a key you upload stays public forever; the most you can do later is publish a revocation certificate for it. Make sure you are prepared to protect your private key, that you have generated and safely stored a revocation certificate, and that you are using a very strong passphrase.
  3. Go to RSVP page:
    • To check your fingerprint, use this command: $ gpg --fingerprint <your name>

II. Preparation

As a relaxation of the Sassaman-Efficient method, we won't require you to print the keylist yourself (we will provide printed copies at the party). If you trust us not to tamper with the keylist, you won't need to do anything else. Printing your own copy from the published file and checksum is what lets you detect a swapped list, so do it if you want that assurance.

If you want to verify and print your own copy however, follow these steps:

  1. One hour before the event we will close registration and finalize the keylist and its checksum. Retrieve both files:
    $ wget
    $ wget
  2. Make sure your key fingerprint is on the list next to your name.
  3. Locally verify the checksum (run this in the directory where you saved both files): $ sha1sum --check keylist.txt.sha1
  4. Append the checksum to the bottom of keylist.txt: $ cat keylist.txt.sha1 >>keylist.txt
  5. Print keylist.txt and keep safe.
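The preparation check as one script. This is an added example, not a script from the LUG@UCLA wiki: it assumes keylist.txt and keylist.txt.sha1 have already been downloaded into the current directory (the download URLs above are not reproduced here) and assumes only that each entry on the list contains a 40-hex-digit fingerprint, with or without spaces. The function names and the shasum fallback are this example's own.

```shell
#!/bin/sh
# Added example (not the wiki's own script): check a downloaded keylist
# before printing it. Assumes keylist.txt and keylist.txt.sha1 are already
# in the current directory and that each entry carries a 40-hex-digit
# fingerprint, possibly with spaces; the exact column layout is not assumed.

# Prefer GNU sha1sum (what the wiki uses); fall back to perl's shasum,
# which takes the same --check/--status options, on systems without it.
sha1_check() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum --check --status "$1"
    else
        shasum -a 1 --check --status "$1"
    fi
}

# Canonical fingerprint form: uppercase hex, no spaces.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Usage: verify_keylist keylist.txt keylist.txt.sha1 "<your fingerprint>"
# Succeeds only if the checksum matches AND your fingerprint is on the list.
verify_keylist() {
    list=$1
    sumfile=$2
    want=$(norm_fpr "$3")

    # 1. The checksum file names keylist.txt; --check rehashes that file
    #    and compares. A mismatch means a corrupted or altered download.
    if ! sha1_check "$sumfile"; then
        echo "checksum mismatch: do not print this keylist" >&2
        return 1
    fi

    # 2. Normalise every line the same way before searching so that
    #    "AAAA BBBB ..." on the list matches "aaaabbbb..." from gpg.
    if ! tr -d ' ' < "$list" | tr '[:lower:]' '[:upper:]' | grep -q -- "$want"; then
        echo "your fingerprint $want is not on the list" >&2
        return 1
    fi
    echo "keylist OK; your fingerprint is present"
}
```

Because the checksum file comes from the same server as the list, a passing check proves only that you received what the host published; the original Sassaman method closes that gap by having the checksum read aloud at the party so everyone can compare it with the one printed on their copy. sha256sum is a drop-in replacement for sha1sum if you prefer to avoid SHA-1.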

III. The Party

  1. Bring the following:
    • Some way of recalling your key fingerprint (e.g. on a piece of paper)
    • One or more forms of ID (e.g. drivers license, Bruin card)
  2. Receive the keylist from the host (or take out your own)
  3. Together, we will iterate over the keylist and each participant will make a statement that their fingerprint is correct. Put a check mark next to each person that has stated that their fingerprint is correct.
  4. As another relaxation of the procedure, the host will check each participant's identification and announce whether it matches. If you trust the host, put a second check mark next to the name of each person whom the host verifies.
    • If you don't trust the host or you want to be extra careful, you can personally verify each person's identity yourself.
    • Typically, checking a photo ID and comparing its name with the name on the keylist entry is sufficient, but how you verify identity is up to you.
    • Add a second check mark next to each person that you verify. This indicates that you truly believe they own that key.
  5. Keep your keylist printout safe.
  6. Don't forget to eat pizza!

IV. After the Party

  1. You're in the home stretch, but don't forget the most important part!
  2. Retrieve your annotated keylist printout.
  3. Import the key of every person on the list with two check marks: $ gpg --recv-keys <key ID 1> <key ID 2> ... <key ID N>
    Use the full 40-digit fingerprint from your printout as the key ID: a short 8-digit key ID is only the tail of the fingerprint, and anyone can generate a key that collides with it.
  4. For every key with two check marks, confirm that the fingerprint gpg shows for the imported key matches the one on your printout, then sign the key: $ gpg --sign-key <their key ID>
  5. Send all your new key signatures to the keyservers: $ gpg --send-keys <key ID 1> <key ID 2> ... <key ID N>
    This strengthens the web of trust!
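The after-party steps as a single script, added here as an example and not taken from the wiki. It assumes you have typed the fingerprints of every double-checked entry into a text file; the file name signme.txt, its one-fingerprint-per-line layout and its # comments are this example's own convention, as are the function names. The gpg options are standard ones. It adds one check the list above leaves implicit: after fetching a key it confirms that the fingerprint gpg reports is the one on your printout before signing.

```shell
#!/bin/sh
# Added example (not the wiki's own script): drive the "after the party"
# steps from a file of the fingerprints you double-checked, e.g. signme.txt
# (file format assumed: one fingerprint per line, "#" starts a comment).

# Print the 40-hex-digit fingerprints from the file, one per line, ignoring
# spaces, case, blank lines and comments. Full fingerprints are used rather
# than short key IDs because a 32-bit key ID is trivial to collide.
selected_fingerprints() {
    sed -e 's/#.*//' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]' \
      | grep -E '^[0-9A-F]{40}$'
}

# For each fingerprint: fetch the key, confirm that the key gpg imported
# really has that fingerprint, then sign it and upload the signature.
sign_selected() {
    selected_fingerprints "$1" | while read -r fpr; do
        gpg --recv-keys "$fpr" || { echo "fetch failed: $fpr" >&2; continue; }
        # --with-colons output is stable for scripting; in the "fpr" record
        # the 10th field is the fingerprint, and the first such record is
        # the primary key's.
        got=$(gpg --with-colons --fingerprint "$fpr" | awk -F: '$1=="fpr"{print $10; exit}')
        if [ "$got" != "$fpr" ]; then
            echo "fingerprint mismatch for $fpr, not signing" >&2
            continue
        fi
        gpg --sign-key "$fpr" && gpg --send-keys "$fpr"
    done
}

# Usage: sign_selected signme.txt
```

gpg --sign-key is interactive (it shows the key, asks you to confirm and asks for your passphrase), so run this from a terminal rather than a cron job. Some people prefer to e-mail each signature to its owner instead of uploading it, which additionally checks that the owner controls the address in the user ID; that is a stricter variant, not the procedure described above.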


FAQ

Q: How do I install GnuPG (gpg)?
A: Most open source operating systems will include GnuPG by default. If GnuPG is not installed, and isn't provided by your operating system vendor, you should seriously consider switching to a better operating system ;). Come to the LUG Lounge or attend our next Installfest and we will help you install GNU/Linux on your computer.

Q: Can't I just generate my PGP keypair on SEASNet lnxsrv?
A: NO! You must protect your private key. Generate it on your personal computer, ideally running a free operating system such as Debian GNU/Linux. You may use a virtual machine, but be very sure that your host and guest OS haven't been breached.