[free-software-melb] PGP key signing on Thursday

14 Nov 2011

      Hi all,

Sorry I can't reply to the message Ben just sent, since I only just
subscribed to the list. I'm going to kick off a discussion on Thursday
about PGP (Pretty Good Privacy -- i.e., the public key signing and
encryption system). I thought it would be useful to have a key signing
party at the same time. I've personally got just three signatures on
my key so it would be good to get some more.

If you have a PGP private key, please bring along your key fingerprint
to give to others. Maybe print a few copies to hand out (Ben has them
on his business card, which is what started this topic in the first
place) and/or bring some paper to write down other peoples'. Also
bring some ID such as a drivers' license -- technically nobody should
sign your key unless they see some ID.

To do this, just type

gpg --fingerprint <your name>

For example, I typed:

$ gpg --fingerprint Matt
pub   2048R/17CD4540 2010-07-28 [expires: 2012-07-27]
      Key fingerprint = D72A 85CC E446 FBA5 99E5  C2B1 F50F BA8E 17CD 4540
uid                  Matt Giuca 
uid                  Matt Giuca 
sub   2048R/204479B7 2010-07-28 [expires: 2012-07-27]

Write down the 40 digit string after "Key fingerprint" and bring it along.

Note: That's just an example. You shouldn't trust that the above
string is actually my fingerprint until you see me in person (that's
the whole point of PGP).

If you don't have a private key, maybe now is a good time to get one.
Install GnuPG (http://www.gnupg.org/) and then type:

gpg --gen-key

and follow the prompts. The default settings should be fine. Use your
real name (that appears on your driver's license) and a valid email
address that you control. Make sure you pick a strong password which
you haven't used elsewhere, and remember it. Afterwards, the contents
of your ~/.gnupg directory should be considered sensitive (although
nobody will be able to impersonate you unless they guess your secret
password as well). Then, upload your key to a keyserver:

gpg --list-keys
Find your key in the list. Your key ID is the part after the slash.
For me, this shows:
pub   2048R/17CD4540 2010-07-28 [expires: 2012-07-27]
uid                  Matt Giuca 
uid                  Matt Giuca 
sub   2048R/204479B7 2010-07-28 [expires: 2012-07-27]

So my key ID is 17CD4540.

gpg --keyserver keyserver.ubuntu.com --send-keys <your-key-id>

That's just an example keyserver. You can choose any one you like, and
they should all eventually synchronise your key.

Hope to see you on Thursday.

Matt Giuca
0x17CD4540