GnuPG signing party

This document summarizes how to host a GnuPG signing party. For a more detailed description that considers how to store keys and how to handle large parties, see The Keysigning Party HOWTO.

  1. If you do not yet have a set of keys, generate them. Run gpg --full-generate-key. Select the default key type, select the default curve or number of bits, indicate a lifetime of five years, and provide your full name and email address.

  2. Obtain your key’s identifier (MY-ID) by running gpg --list-secret-keys. The identifier consists of 40 hex digits.

  3. Optionally edit the key to add additional email addresses you own. Run gpg --edit-key MY-ID, and execute adduid and save.

  4. Export your key by running gpg --armor --export MY-ID. Share this form of your key with the other key-signing attendees.

  5. Prepare to confirm that the other attendees safely received your key: display your key’s fingerprint with gpg --fingerprint MY-ID. The fingerprint consists of 40 hex digits, separated by spaces to make them easier for a human to read.

  6. Import other attendee keys with gpg --import F, where F is a file containing their exported key.

  7. Find each attendee’s key by running gpg --list-keys, and note its identifier (HIS-ID).

  8. For each key identifier HIS-ID, run gpg --fingerprint HIS-ID. Verbally confirm the fingerprint with its owner. Once satisfied, run gpg --sign-key HIS-ID. This records that you have met the owner of the key, and that you confirmed the key is valid.

Now you can safely encrypt messages intended for the owners of keys you imported and verified. For example, encrypt the file F for the recipient bob@example.com by running the command gpg --encrypt --recipient=bob@example.com --compress-algo none --armor F.