GnuPG signing party

This document summarizes how to host a GnuPG signing party. For a more detailed description that considers how to store keys and how to handle large parties, see The Keysigning Party HOWTO.

  1. If you do not yet have a set of keys, generate them. Run gpg --full-generate-key. Select the default key type, select the default curve or number of bits, indicate a lifetime of five years, and provide your full name and email address.

  2. Obtain your key’s identifier (MY-ID) by running gpg --list-secret-keys. The identifier consists of 40 hex digits.

  3. Optionally edit the key to add other email addresses you own. Run gpg --edit-key MY-ID, then execute adduid and save at its prompt.

  4. Export your key by running gpg --armor --export MY-ID. Share this form of your key with the other key-signing attendees.

  5. Prepare to confirm that the other attendees safely received your key: display your key’s fingerprint with gpg --fingerprint MY-ID.

  6. Import other attendee keys with gpg --import F, where F is a file containing their exported key.

  7. Find each attendee’s key by running gpg --list-keys, and note its identifier (YOUR-ID).

  8. For each key identifier YOUR-ID, run gpg --fingerprint YOUR-ID. Verbally confirm the fingerprint with its owner. Once satisfied, run gpg --sign-key YOUR-ID. This indicates that you have met the owner of the key, and that you confirmed the key is valid.
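
The fingerprint comparison in steps 5 to 8 can be checked mechanically before anything is imported or signed. The following is an added example, not part of the original procedure: it reads gpg's machine-readable listing (--with-colons) and accepts a fingerprint only if it is a full 40 hex digits and belongs to a primary key. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons` output for one key with one subkey.
SAMPLE_LISTING='pub:-:255:22:89ABCDEF01234567:1700000000:1857680000::-:::scESC:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::::Alice Example <alice@example.org>:
sub:-:255:18:76543210FEDCBA98:1700000000:1857680000:::::e:::::cv25519::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Print the primary-key fingerprint of every key in a colon listing on stdin.
# The "fpr" record right after a "pub" record carries it in field 10;
# "fpr" records that follow "sub" records belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Normalize a fingerprint as shown by gpg --fingerprint or written on paper:
# remove all whitespace and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Exit 0 if the claimed fingerprint ($1) equals a primary fingerprint in the
# listing on stdin, 1 if it does not, 2 if it is not exactly 40 hex digits
# (a short key ID is rejected rather than matched).
fpr_matches() {
    claimed=$(normalize_fpr "$1")
    case $claimed in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#claimed}" -eq 40 ] || return 2
    primary_fprs | grep -qxF "$claimed"
}

# Typical use on a received file F, before step 6 (--show-keys lists the
# keys in a file without importing them):
#   gpg --show-keys --with-colons F | fpr_matches "fingerprint from its owner"
```

A match only shows that the file contains the key whose fingerprint was supplied; the verbal confirmation with the owner in step 8 is still what ties that fingerprint to a person.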