Attending a PGP / GnuPG signing party

In today’s digital world, ensuring the authenticity and security of our communications is more important than ever. PGP (Pretty Good Privacy) and GnuPG (GNU Privacy Guard) are tools designed to provide secure encryption and decryption of data, playing a crucial role in protecting privacy and information. A key component of this security model is the “web of trust,” an informal network of users who verify and sign each other’s public keys. By hosting a PGP/GnuPG signing party, individuals can expand their web of trust, increasing the reliability of key verification and enhancing overall communication security. This guide offers practical steps, complete with GnuPG command examples, to help you host a successful signing party.

Before continuing, you should familiarize yourself with the concepts behind PGP/GnuPG, such as:

• Public/Private keys
• Encrypting content for someone else
• Signing your data and verifying signatures
• Key servers

This post does not cover those basics, but it’s really important that you feel comfortable with them in order to understand what you need to do.

Also, a while back I blogged about how to rotate and create subkeys for different use cases, you can read more here:

https://danielpecos.com/2019/03/30/how-to-rotate-your-openpgp-gnupg-keys/

Before the Party

Publish your public key

Check the instructions provided by the organizer of the key signing party. Sometimes you are requested to send your key to a specific email address a few days before the event, and sometimes you need to bring paper slips with your key details to hand over to other participants.

Likewise, sometimes the organizer will send you a file with the list of key details of the participants, but others you’ll be collecting paper slips from everyone with those details.

Double-check that you follow the correct steps detailed on the organization page.

But in any way, making your public key available on key servers is something nice, as it will ease the process of getting it signed. These are some of the most typical servers (usually these servers sync between each other, but you can manually send your key to as many as you want):

• keys.openpgp.org
• keyserver.ubuntu.org
• pgp.mit.edu
• keyserver.pgp.com

In order to publish your public key, you can use the following command:

gpg  --keyserver <server> --send-keys <your_key_id>

All the --send-keys and --recv-keys accept --keyserver to override your default key server (if any). I won’t be including this modifier in the following examples, but remember that’s an option if needed.

Prepare Key Information

Print out small slips of paper that contain your key’s fingerprint, your name, and email address. You should also include the key type (RSA, DSA, etc.), key size (2048-bit, 4096-bit, etc.), and the key’s full hexadecimal identifier. These slips can be handed out to others for key signing.

You can obtain those details via the following command:

gpg --fingerprint <your_key_id>

As an example, these are the details of my key:

$ gpg --fingerprint 0xE881015C8A55678B
pub   rsa4096 2019-03-27 [SC]
      31EF B482 E969 EB74 399D  BBC5 E881 015C 8A55 678B
uid           [ultimate] Daniel Pecos Martinez <me@danielpecos.com>
sub   rsa4096 2019-03-27 [E] [expires: 2024-03-25]
sub   rsa4096 2019-03-27 [S] [expires: 2024-03-25]

There are some tools that generate nice paperslip prints ready to cut:

• https://openpgp.quelltextlich.at/slip.html
• https://keysheet.net/
• gpg-key2ps(arch pacakge): gpg-key2ps <your_key_id> | ps2pdf - key_slips.pdf

Identity Verification

Bring a valid photo ID to the party for verifying identities. You should not sign any key whose ownership identity and fingerprint have not been verified face to face and with a valid identity document.

People will rely on your signature when trusting third parties, so it’s really important to take this seriously. The web of trust is as strong as its weakest link, so let’s try not to introduce any.

During the Party

Usually, the way the signing party works is by forming two lines, connected on both ends (so it’s really a flattened circle), and you interact with the person you have in front of you. At that moment, you should:

• Exchange key details, either by exchanging paper slips or by double-checking the provided key details with its owner
• Verify the owner’s identity with an official document ID.

At the same time, you’re taking these steps, the person in front of you should be doing the same thing, so have your key details and ID ready to share as well.

Once you’re done, you just rotate to the person next to the current one, so the whole circle of people moves in the same direction. The signing party will end once you’ve performed a whole rotation, gathering and validating all the other attendees’ details.

After the Party

Once back at home, it’s time to sign the keys of the people whose details you’ve successfully verified.

You can do it one by one, or you can use some of the many tools available to automate the process. For the sake of understanding, I’ll explain the manual steps to follow to sign each key one by one.

1. Retrieve the key from a public key server or from the list of provided keys. To fetch it from a key server, you have to use the following command:

gpg --recv-keys <key_id>

2. Verify that the key ID, fingerprint, name, and email match the ones you’ve validated during the party:

gpg --fingerprint <key_id>

3. Once verified, sign the key:

gpg --sign-key --ask-cert-level <key_id>

4. Finally, you can either email the signed key to its owner or publish it back to a public server. The public server will take care of merging signatures.

NOTE: as David Sardari mentioned in the comments, sending an encrypted mail to the owner with his key and signed by you, is probably a better way of double checking the email address of the owner, as well as letting him/her decide where to publish it (if at all)

Likewise, your key will hopefully be signed by multiple people, so keep an eye on your mailbox to see if someone is sending your key with their signature, or pull it from a keyserver to check if there are new signatures attached:

gpg --recv-keys <your_key_id>

Or to refresh all your keys in your keyring:

gpg --refresh-keys

Conclusion

A PGP/GnuPG signing party is not just a gathering; it’s a fundamental step in building a robust web of trust. This trust network is vital for verifying the authenticity of public keys, thereby enhancing the security of digital communications. By participating in such events and following these steps, you contribute significantly to a more secure digital environment. Spread the knowledge, expand the web of trust, and continue to uphold the principles of digital security. Happy signing!

References

• https://www.linuxdays.cz/2018/en/key-signing-party/
• https://security.stackexchange.com/questions/126533/why-shouldnt-i-bring-a-computer-to-a-key-signing-party
• https://ask.metafilter.com/92412/Help-a-PGPGPG-noob-hold-a-key-signing-party