Signing GnuPG keys
Use gpg to display the fingerprint of the key, as stored in your public keyring on your home system. Carefully match the fingerprint with the one below - all characters in the key fingerprint must match exactly.
```
pub  1024D/28BCB3E3 2002-01-27 Neil Williams (CodeHelp) <linux@codehelp.co.uk>
     Key fingerprint = 4CD4 6644 C105 48ED CA28 EC36 8801 094A 28BC B3E3
uid                  N Williams (CodeHelp) <info@codehelp.co.uk>
uid                  Neil Williams (Linux User Group) <neil@dclug.org.uk>
uid                  Neil Williams (general) <neil@codehelp.co.uk>
uid                  Neil Williams (Devon and Cornwall LUG) <webmaster@dclug.org.uk>
sub  1024g/AD3CB326 2002-01-27
```
To sign this key, you need to decide which User IDs you can personally verify as truly belonging to me. If you have retrieved my key to verify signed emails on the Devon and Cornwall Linux User Group mailing list, you should only sign the first UID, as it is the only one to contain my subscribed email address. Only sign the other UIDs if you have personally verified that the email address in the UID belongs to me.
```
$ gpg --edit-key 28BCB3E3
Command> uid 1
```
(To sign my mailing list UID; select other UIDs instead if appropriate.)
```
Command> sign
```
You will be prompted to tell GnuPG how carefully you have checked this key. A level of 3 indicates that you have verified the email address in the UID by a series of email messages and replies, that you have also verified the name in the UID using photo ID, and that you have checked the fingerprint of the key against a printed copy given to you personally by the keyholder. Make your selection and confirm that you want GnuPG to sign this key, entering your passphrase to complete the signature.
Now edit the level of trust to indicate how much you trust me to validate other people's keys as carefully as you have verified mine. This tells GnuPG how much you want to trust a key that I HAVE signed but you have NOT. It is a personal decision, but I do everything I can to verify keys before signing, including verifying email addresses, photo ID and key fingerprints from multiple sources, so I'd like to think that you would be comfortable assigning a trust level of 4 (fully trusted). A trust level of 5 should be reserved for your own keys, and 2 should probably be reserved for those people who seem to sign any and every key they find.
```
Command> trust
```
(Enter the trust level.)
```
Command> save
```
IMPORTANT: Please now export MY key to a public keyserver, as it has now been updated with your signature. Other people cannot make use of your careful work in signing my key if you don't export it.
```
$ gpg --keyserver subkeys.pgp.net --send-key 28BCB3E3
```
That's it!
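The procedure above hinges on the fingerprint check, which is easy to skip when typing into the interactive prompt. The following script is an added example, not part of the original page: it parses gpg's machine-readable listing, refuses to sign unless the fingerprint matches a copy you obtained out of band, and then signs only the chosen UID. The sample listing embedded in it is constructed to mirror the key shown above; `sign_uid` assumes gpg is on your PATH.

```shell
#!/bin/sh
# Added example (not from the original page): refuse to sign unless the key's
# fingerprint matches a copy obtained out of band, then sign a single UID.
# Assumes gpg is on PATH for sign_uid; the parsing helpers need only awk/tr.

# Fingerprint as printed on the page. In practice take it from a printed copy
# or another channel you trust, never from the keyserver alone.
EXPECTED_FPR="4CD4 6644 C105 48ED CA28 EC36 8801 094A 28BC B3E3"

# Constructed sample of `gpg --with-colons --fingerprint 28BCB3E3` output so the
# helpers can be exercised offline; field 10 of an "fpr" record is the fingerprint.
SAMPLE_LISTING='pub:-:1024:17:8801094A28BCB3E3:2002-01-27::-:::scESC::::::
fpr:::::::::4CD46644C10548EDCA28EC368801094A28BCB3E3:
uid:-::::2002-01-27::::Neil Williams (CodeHelp) <linux@codehelp.co.uk>::::::::::'

# Normalise a fingerprint: strip spaces, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Print the primary key fingerprint from a colon-format listing on stdin
# (first "fpr" record; a subkey's fpr record would follow its "sub" record).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# fpr_matches LISTING EXPECTED: returns 0 only when every character matches.
fpr_matches() {
    actual=$(printf '%s\n' "$1" | primary_fpr)
    [ -n "$actual" ] && [ "$(norm_fpr "$actual")" = "$(norm_fpr "$2")" ]
}

# sign_uid KEYID N: sign only UID number N of KEYID, after the fingerprint check.
# --ask-cert-level makes gpg ask for the verification level discussed above;
# the "trust" step is deliberately left to an interactive session.
sign_uid() {
    key="$1"; uidnum="$2"
    listing=$(gpg --batch --with-colons --fingerprint "$key") || return 1
    if ! fpr_matches "$listing" "$EXPECTED_FPR"; then
        echo "fingerprint mismatch for $key: refusing to sign" >&2
        return 1
    fi
    gpg --ask-cert-level --edit-key "$key" "uid $uidnum" sign save
}
```

Run `sign_uid 28BCB3E3 1` to sign the mailing-list UID; a single wrong character in the fingerprint aborts before gpg is asked to sign anything.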