PGP Key Signing

Signing someone's key says to the world: I have verified the identity of this person to the extent indicated by the certification level I put on the signature. I believe this key belongs to the name in it, and that the email address listed also belongs to that person. That's a pretty strong statement! As such, there are certain precautions you should take.

First of all, let's assume for a moment that you want to sign the key of someone you know at least well enough to know that they own the email address in question. You'll want them to bring you a hard copy of their fingerprint and at least one form of photo ID. Let's discuss this a bit more:

If you don't know that they control the email address, you can set up a verification method to prove it. If you can correspond with this person easily, send a made-up word or phrase to their email address, encrypted to their key, and have them tell you what the word or phrase was. This ensures that the person in control of that email address also holds the private key. If this is a key signing party, you can tell them in advance that they must send back the reverse of whatever phrase you send them, encrypted to you. So if you send them "ducks have feathers", they need to send you "feathers have ducks." You shouldn't tell them what you're going to send; that defeats the purpose.
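The challenge/response check just described, written up as an added shell example (not code from the original page). The challenge phrase and the recipient fingerprint are whatever the signer chooses; the sample values below are constructed. It assumes GnuPG 2.x with the candidate's public key already imported. The one wrinkle worth knowing: because the key carries no signatures yet, gpg would refuse to encrypt to it in batch mode, so the challenge is sent with the trust model overridden for that single run and the key addressed by its full fingerprint rather than by email address.

```shell
#!/bin/sh
# Added example, not from the original page: the signer's side of the
# challenge/response check. Assumes GnuPG 2.x and that the candidate's public
# key is already in the keyring.

# The reply we expect back: the challenge phrase with its words in reverse order.
# "ducks have feathers" -> "feathers have ducks"
expected_reply() {
  out=""
  for w in $1; do              # unquoted on purpose: split the phrase into words
    out="$w${out:+ $out}"
  done
  printf '%s\n' "$out"
}

# Encrypt the challenge to the candidate's key and print the ASCII-armored
# message to paste into the email. The key has no signatures yet, so in --batch
# mode gpg would otherwise refuse with "There is no assurance this key belongs
# to the named user"; --trust-model always overrides that for this one run, and
# addressing the key by full fingerprint (not by address) makes sure the
# challenge goes to exactly the key we are about to verify.
send_challenge() {
  fpr=$1; phrase=$2
  printf '%s\n' "$phrase" |
    gpg --batch --armor --trust-model always --recipient "$fpr" --encrypt
}

# Compare what came back with what we expect. Whitespace and case differences
# in a hand-typed reply are ignored; anything else is a failed check.
check_reply() {
  phrase=$1; reply=$2
  want=$(expected_reply "$phrase" | tr 'A-Z' 'a-z' | tr -s ' ')
  got=$(printf '%s' "$reply" | tr 'A-Z' 'a-z' | tr -s ' \t\n' ' ' |
        sed 's/^ *//; s/ *$//')
  [ "$want" = "$got" ]
}

# Usage (constructed fingerprint; replace with the candidate's):
#   send_challenge FEEDF00DDEADBEEFDEADBEEFF00DF000000DDEAD "ducks have feathers"
#   ... later, with the decrypted reply in $reply:
#   check_reply "ducks have feathers" "$reply" && echo "address and key confirmed"
```

Keep the phrase out of the reply you expect in any other form: the check passes only if the words come back reversed, which the candidate can only do after decrypting with the private key that matches the key you encrypted to.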

OK, enough with the politics, how do we sign?

Grab their key


$ gpg --search-keys them@something.com

Select the key you believe is theirs.

Verify their identity

Have them come to your office/room/whatever with their fingerprint on a piece of paper (they should generate this by running gpg -K --fingerprint them@something.com on the machine that holds their secret key!) and photo ID. Then type:


$ gpg --fingerprint them@something.com

And have them read off their fingerprint. If what you see and what you hear match, then you know you have the correct key. Now make sure they are who they say they are (either with ID, or by already knowing who they are). Once you are positive that the key they use is the key you are about to sign (the fingerprints match), and that they are who they say they are...

Sign their key


$ gpg --sign-key --ask-cert-level them@something.com

pub  1024D/F00DDEAD  created: 2005-09-05  expires: 2006-09-05  usage: CS  
                     trust: unknown       validity: unknown
sub  2048g/BEEFDEAD  created: 2005-09-05  expires: 2006-09-05  usage: E   
[ unknown] (1). Them Something <them@something.com>


pub  1024D/F00DDEAD  created: 2005-09-05  expires: 2006-09-05  usage: CS  
                     trust: unknown       validity: unknown
 Primary key fingerprint: FEED F00D DEAD BEEF DEAD  BEEF F00D F000 000D DEAD

     Them Something <them@something.com>

This key is due to expire on 2006-09-05.
Do you want your signature to expire at the same time? (Y/n)

To this you should say yes.


How carefully have you verified the key you are about to sign actually belongs
to the person named above?  If you don't know what to answer, enter "0".

   (0) I will not answer. (default)
   (1) I have not checked at all.
   (2) I have done casual checking.
   (3) I have done very careful checking.

Your selection? (enter `?' for more information):

If you have seen two forms of ID, you're sure they own the email address in their key, and you've checked a hard copy of the fingerprint they generated from their own copy of the key, then you can choose 3. If you are not sure of one of these or haven't verified very thoroughly, you should choose 2 or 1 as appropriate.

After you choose your level, gpg will ask for your passphrase so it can unlock your private key and use it to sign their public key, and then you're done.

Provide them with their key

If you know the person has control over the email address in question, and they're OK with it, you can simply upload their key to a keyserver now.


$ gpg --send-key them@something.com

However, if you don't, you should export the signed key and email it to them encrypted. This ensures that, in order to get the signed key, the person you verified as owning the key must also have access to that email address. You can export the signed key with:


$ gpg -a --export them@something.com

And put that in an encrypted email.

If there are multiple UIDs on the key, it can be quite a pain to sign each one, export it, and email it off. So I've written a small script that individually signs each UID on a key and dumps the resulting signed keys to separate files. You can find it here.
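As an added example (my own, not the author's script, and not the script linked above), the whole workflow from the fingerprint check in the "Verify their identity" step through per-UID signing and export. It assumes GnuPG 2.1 or later (for --with-colons output, --command-fd and --export-filter) and a running gpg-agent that prompts for the signer's passphrase. Two points the interactive session hides: the number the uid command selects inside --edit-key is the 1-based position of the uid: record in the colon listing, and each exported file keeps only one UID, so the signature on a given address can only be imported by someone who can read mail there. The sample listing at the bottom is constructed from the page's example fingerprint so the parsing can be exercised without a keyring.

```shell
#!/bin/sh
# Added example, not the author's script. Checks the fingerprint read from paper
# against the keyring, signs every UID of the key one at a time, and exports a
# separate single-UID copy for each address, ready to be mailed encrypted.
# Assumes GnuPG 2.1 or later (--with-colons, --command-fd, --export-filter) and
# a running gpg-agent that will prompt for the signer's passphrase.

# Fingerprint as read from paper: drop whitespace, upper-case the hex.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# From `gpg --with-colons --fingerprint KEY` on stdin, print the primary key's
# fingerprint: the first fpr: record, field 10.
primary_fpr() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Print "N<TAB>user id" for each uid: record on stdin. N is the 1-based position,
# which is exactly the number that `uid N` selects inside --edit-key.
# (Colons inside a user id arrive escaped as \x3a; they are left as-is here.)
list_uids() {
  awk -F: '$1 == "uid" { n++; print n "\t" $10 }'
}

# Exit 0 only when the paper fingerprint equals the keyring one (listing on stdin).
fpr_matches() {
  paper=$(normalize_fpr "$1")
  ring=$(primary_fpr)
  [ -n "$paper" ] && [ "$paper" = "$ring" ]
}

# The address part of a user id; empty if the UID carries none (name-only UID).
uid_mbox() {
  printf '%s' "$1" | sed -n 's/.*<\([^>]*\)>.*/\1/p'
}

# Sign only UID number N on key FPR at certification level LEVEL (0-3).
# --default-cert-level replaces the interactive level question, so the only
# prompt gpg reads from the command fd is "Really sign? (y/N)"; an unexpected
# extra prompt would show up as "Invalid command" in gpg's output.
sign_one_uid() {
  fpr=$1; n=$2; level=$3
  printf 'uid %s\nsign\ny\nsave\n' "$n" |
    gpg --batch --command-fd 0 --default-cert-level "$level" --edit-key "$fpr"
}

# Export key FPR keeping only the UID whose address is MBOX, into file OUT.
# The filter matches on the address (mbox) rather than the full user id string
# so the expression needs no quoting of spaces.
export_one_uid() {
  fpr=$1; mbox=$2; out=$3
  gpg --batch --armor --export-filter "keep-uid=mbox = $mbox" \
      --export "$fpr" > "$out"
}

# Sign and export every UID of the key whose fingerprint (from paper) is $1.
sign_all_uids() {
  fpr=$(normalize_fpr "$1"); level=$2
  gpg --with-colons --list-keys "$fpr" | list_uids |
  while IFS="$(printf '\t')" read -r n uid; do
    mbox=$(uid_mbox "$uid")
    if [ -z "$mbox" ]; then
      echo "skipping uid $n ($uid): no address to send a signed copy to" >&2
      continue
    fi
    sign_one_uid "$fpr" "$n" "$level"
    export_one_uid "$fpr" "$mbox" "signed-$n-$mbox.asc"
    echo "wrote signed-$n-$mbox.asc for $uid"
  done
}

# Constructed listing in --with-colons format, built around the page's example
# fingerprint, so the parsing functions can be exercised without a keyring.
SAMPLE_LISTING='pub:-:1024:17:F00DF000000DDEAD:2005-09-05:2006-09-05::-:::scESC::::::::
fpr:::::::::FEEDF00DDEADBEEFDEADBEEFF00DF000000DDEAD:
uid:-::::2005-09-05::0123456789ABCDEF0123456789ABCDEF01234567::Them Something <them@something.com>::::::::::0:
uid:-::::2005-09-05::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Them Something (work) <them@other.example>::::::::::0:
sub:-:2048:16:BEEFDEADBEEFDEAD:2005-09-05:2006-09-05:::::e::::::::'

# Usage: sh sign-uids.sh "<fingerprint as read from paper>" <level 0-3>
if [ "$#" -eq 2 ]; then
  if ! gpg --with-colons --fingerprint "$1" | fpr_matches "$1"; then
    echo "paper fingerprint does not match the key in the keyring" >&2
    exit 1
  fi
  sign_all_uids "$1" "$2"
fi
```

Each signed-N-address.asc then goes into an encrypted email to that address, as in the single-UID case above; a UID with no address is skipped rather than exported, since there is nowhere to send it that proves control.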