-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
So we've had the key-signing party, and I've got this list of
fingerprints that are confirmed to belong to the faces that they're alleged
to belong to. I'm now in the process of figuring out what to do with these.
What I've worked out so far is (and people who are more familiar with the
software, correct me if I'm wrong):
First, fetch the key from the keyserver:
gpg --keyserver subkeys.pgp.net --search-keys "User ID"
Next, sign the key (checking that the fingerprint reported matches
the one confirmed at the meeting):
gpg --sign-key "ABCD1234"
Dump the signed key into text format to insert into an email (I just
capture this command's stdout directly into my email editor):
gpg --armor --export "ABCD1234"
... and email it to the owner of the key in question. On the other end,
the key owner can take the email and add the signature to his key ring by
piping the email into:
gpg --import
And then add the new signature to the keyserver with:
gpg --keyserver subkeys.pgp.net --send-key "ABCD1234"
Now, this seems to work okay for people who have only one UID/email
on their keys (and those of you who only provided one should have key
signatures produced by this method from me in your inboxes). Where I'm stuck
is in figuring out whether it's possible (or, indeed, desirable) to
separately sign each of the UIDs on a multiple-UID key, but send *only* the
signature for that specific UID to the email associated with that specific
UID.
For instance, given Anthony Carrico's key, with its four different
UIDs, I'm wondering if I can sign each UID, but send *only* the signature
for <[log in to unmask]> to <[log in to unmask]>, and *only* the
signature for <[log in to unmask]> to <[log in to unmask]>, and so on,
thus ensuring that the signed UID only makes it to the keyserver if that UID
is, in fact, functional.
I think I've worked the first half of that out. Using the above
command for signing the key works for multiple-UID keys, too, though doing
anything but signing all UIDs requires going through a sub-interface that's
a little obtuse and poorly explained (type "uid #" to select a UID, then
"sign" to sign selected UIDs). I can't figure out, though, how to export
only one of the signed UIDs. Attempting this - for example, signing
<[log in to unmask]> but not <[log in to unmask]> and then doing "gpg
--armor --export" using the email for each - produces identical output,
which I have to assume means that it's exporting the entire key, not just
the specific UID. I'm guessing I could do it by signing each UID in turn,
exporting the signed key, then revoking the signature and doing the next
one, but that seems unnecessarily silly.
Anyone got any suggestions? Or should I not worry about this and
just ship all signed UIDs to the primary email?
On a completely different tangent, given the number of people who
weren't able to come last night, or brought the wrong fingerprint, or
whatever, should we perhaps plan on doing this again soon? If not a dedicated
key-signing party, at least passing around fingerprints in the background
while doing something else?
--
John Campbell
[log in to unmask]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFD9lzBPu/PJk2ePZ0RAuPwAJ0RElpno3l1F9WomIOpmkJK7farcwCeN9UV
Sk1XSccQjL4xKPGI5tibWo8=
=AuD+
-----END PGP SIGNATURE-----
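An added example, not from the mail above and not GnuPG's own code: it automates the "check that the reported fingerprint matches the one confirmed at the meeting" step by parsing `gpg --with-colons --fingerprint` output, and lists each UID's mailbox so a signature can be routed to the address it belongs to. The key, fingerprints and addresses are constructed; the per-UID export line assumes the `--export-filter keep-uid` option of GnuPG 2.1.13 and later, which the 1.4 series in the mail does not have.

```python
"""Fingerprint check and per-UID routing for key-signing follow-up."""
import re

# Constructed sample: the confirmed list as copied from the party sheet
# (spacing and case differ from person to person).
CONFIRMED_FINGERPRINTS = [
    "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
    "fedcba9876543210fedcba9876543210fedcba98",
]

# Constructed sample of `gpg --with-colons --fingerprint 89ABCDEF01234567`.
# Field 10 of an `fpr:` record is the fingerprint, of a `uid:` record the user id.
SAMPLE_COLONS = """\
pub:-:2048:1:89ABCDEF01234567:1139000000::-:::scESC::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1139000000::A1B2C3D4E5F60718293A4B5C6D7E8F9012345678::Example Person <person@example.org>::::::::::
uid:-::::1139000000::F0E1D2C3B4A5968778695A4B3C2D1E0F12345678::Example Person <person@example.net>::::::::::
sub:-:2048:1:0123456789ABCDEF:1139000000::::::e::::::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

def normalize_fpr(fpr):
    """Strip whitespace and upper-case; None unless it is a full 40-hex-digit v4 fingerprint."""
    fpr = re.sub(r"\s+", "", fpr).upper()
    return fpr if re.fullmatch(r"[0-9A-F]{40}", fpr) else None

def parse_colons(text):
    """Return (primary-key fingerprint, [user ids]); the first fpr record belongs to the primary key."""
    fpr, uids = None, []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "fpr" and fpr is None:
            fpr = f[9]
        elif f[0] == "uid":
            uids.append(f[9])
    return fpr, uids

def confirmed(fpr, confirmed_list):
    """True only when the complete fingerprint matches a confirmed entry (a short key ID never does)."""
    full = normalize_fpr(fpr)
    known = {n for n in (normalize_fpr(c) for c in confirmed_list) if n}
    return full is not None and full in known

def export_commands(keyid, uids):
    """Map each UID's mailbox to an export of only that UID (keep-uid: GnuPG >= 2.1.13, assumption)."""
    cmds = {}
    for uid in uids:
        m = re.search(r"<([^>]+)>", uid)
        if m:
            cmds[m.group(1)] = "gpg --armor --export-filter keep-uid=mbox=%s --export %s" % (m.group(1), keyid)
    return cmds
```

Refuse to sign when `confirmed()` is false; a short key ID such as "ABCD1234" is not a fingerprint and is rejected by design.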