Key-signing instructions for Extremadura workmeeting 2007.
==========================================================
by Christoffer Kugg Jerkeby

Prerequisites:

  * A working PGP key.
  * A working GnuPG setup.
  * The passphrase for your secret PGP key.
  * A passport or identification card.

If you already have caff or an equivalent you can jump down to the MTA
part. If you already have a local MTA configured too, you may jump down
to the key-signing part. Otherwise, go ahead and start reading.

Installing caff.
================

Introduction.

caff is a script that helps you with key signing. It takes a list of
key-ids on the command line, fetches them from a keyserver and calls
GnuPG so that you can sign them. It then mails each signed key to all of
its email addresses, including in each mail only the one UID that the
mail is sent to. Because each mail is encrypted to the key, only someone
who controls both that mailbox and the secret key can import the
signature, which is what ties the UID's email address to the key.

Install the package signing-party to get caff:

  apt-get install signing-party

Configure caff.

Open your .caffrc and add the following:

  editor ~/.caffrc

  $CONFIG{'owner'} = 'yourname';
  $CONFIG{'email'} = 'your_mail_associated_with_your_key@domain.es';
  $CONFIG{'keyid'} = [ qw{your_key_id_taken_from_the_pgp.email_file} ];
  #ex. $CONFIG{'keyid'} = [ qw{FA9A3D63602A2400} ];

The key-id is the last 16 hex digits of the key's fingerprint; the
example above is the end of my (kugghjul@gmail.com) fingerprint
(FA9A 3D63 602A 2400).

Save the file and test-run `caff`. You should see the syntax help for
caff if you set up the .caffrc file correctly.

INSTALLING A Mail Transfer Agent
================================

In my opinion the easiest MTA to set up is msmtp. Execute the commands
below to install msmtp.
  apt-get install msmtp-mta

To configure msmtp for your user account, run:

  editor ~/.msmtprc

  host
  auto_from off
  maildomain
  auth off
  tls off
  from
  syslog on
  tls_certcheck off

Note that "tls off" and "tls_certcheck off" disable transport encryption
and certificate checking. That is acceptable only when host is a relay on
the local machine or on a network you trust; for a remote relay keep TLS
and certificate checking on.

Save the file and try it out by running the mail command as follows:

  echo "The mailsetup seems to work. Yay!" | mail -s mailtest

SIGNING THE KEYS
================

1. Identify the individual.

It is of high importance that the individual whose key you intend to
sign has valid identification and that you confirm that individual's
identity _before_ you sign the key. Also make sure to have your own
identification card or passport ready so that others can verify your
identity.

2. Verify key-id and fingerprint.

2.1 It is a good idea to have your own key-id, name and email printed on
a business card or something similar.

2.2 In our case we will verify the key-ids right off our laptop screens,
so you will have to look into the pgp.email file to verify that your
key-id is correct.

2.3 The individual whose key you intend to sign should state that their
fingerprint is correct in that very same file. Compare the whole
fingerprint, not only the key-id: the key-id is just the last 16 hex
digits of the fingerprint, so two different keys can share a key-id.

2.4 Together we will verify that the md5sum of pgp.email is correct
(551c1aaa88e9c035572a472f80b31c7a) to be able to confirm the
authenticity of the file. This only confirms that everyone is looking at
the same file, not that the keys in it are correct; and since MD5 is no
longer collision-resistant, a stronger digest such as sha256sum is
preferable where the group can agree on one.

3. Sign with caff.

Do not enter this step until every previous step has been performed.
To start the signing process, run the caff application with the key-id
as an option:

  caff

3.1 Confirm signature. Confirm the email, name and key-id one final
time. If you believe the signature to be valid, sign it by answering
yes.

3.2 Authenticate yourself. Enter your secret key's passphrase when asked
to do so. The key will now be signed and added to your keyring.

3.3 Deliver key signature. To deliver the caff signature to the user
whose key you just signed, answer yes to the question asking whether you
want to send the key to the user.
caff will now send the signature in a default message, encrypted with
the recipient's public key, to the recipient's email address associated
with the key (one mail per UID, each containing only that UID's
signature).

4. Sending the signed key to a keyserver.

Once someone has signed your key and delivered the signature to your
email inbox, decrypt the email, import it and send the updated key to
the keyserver. Being able to decrypt the mail is what proves to the
signer that the email address on the UID is really yours.

4.1 Copy the encrypted message into a file (paste the message between
the two EOF lines):

  cat > signed.gpg << EOF
  EOF

4.2 Decrypt the message.

  gpg --decrypt signed.gpg > cleartext.txt

4.3 Import the key. To import the signature on your public key into
your keyring, run the following:

  gpg --import cleartext.txt

4.4 Send your updated key to the keyserver.

  gpg --keyserver pgp.rediris.es --send-key

5. Thank you for building the web of trust.

That's it, good luck. If you have any questions feel free (as in beer)
to bother me at kugghjul@gmail.com.
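For the MTA section above, here is an added example (not from the original howto) of the same ~/.msmtprc written for a relay that is not on the local machine: transport encryption, certificate checking and authentication stay on instead of being switched off. The relay host, port, user name, trust-file path and the password command are placeholders I made up; substitute your own.

```text
# ~/.msmtprc: added example, not the configuration from the original howto.
# host, user, tls_trust_file and passwordeval are placeholders to replace.
defaults
auth           on
tls            on
tls_starttls   on
tls_certcheck  on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
syslog         on
auto_from      off

account        default
host           smtp.example.org
port           587
from           your_mail_associated_with_your_key@domain.es
user           your_smtp_username
passwordeval   "gpg --quiet --decrypt ~/.msmtp-password.gpg"
```

With "tls_certcheck on" msmtp refuses to hand the mail (and your SMTP credentials) to a relay whose certificate does not validate against the trust file, which is the check the original "tls_certcheck off" removes. Keeping the password in a gpg-encrypted file read through passwordeval avoids a plaintext secret in the configuration file.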
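The checks in steps 2.2 to 2.4 and the final confirmation in step 3 are done by eye in the howto. As an added example, not part of the original instructions, the script below does the same two checks before caff is run: that the pgp.email file has the digest the group agreed on, and that the full fingerprint the owner vouched for matches the primary key actually in your keyring, as printed by `gpg --with-colons --fingerprint`. The gpg output and the pgp.email contents are constructed sample data; the fingerprints and key-ids in them are made up and belong to nobody.

```python
"""Pre-signing check for a caff key-signing party.

Added example, not part of the original howto. Verifies the agreed file
checksum (step 2.4) and that the vouched-for fingerprint is the one of the
key you are about to pass to caff (steps 2.3 and 3). SAMPLE_GPG_COLONS is
constructed data in the format of `gpg --with-colons --fingerprint`.
"""
import hashlib
import re

# Constructed sample of `gpg --with-colons --fingerprint` for one key.
# Field 5 of a pub record is the long key-id; field 10 of the fpr record
# that follows it is the primary key fingerprint. The sub/fpr pair after
# the uid line is a subkey and must not be mistaken for the primary key.
SAMPLE_GPG_COLONS = """\
pub:u:4096:1:456789ABCDEF0011:1500000000::u:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEE0123456789ABCDEF0011:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example Person <example@example.com>::::::::::0:
sub:u:4096:1:1122334455667788:1500000000::::::e::::::23:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF1122334455667788:
"""

# Constructed stand-in for the pgp.email file handed out at the meeting.
SAMPLE_PGP_EMAIL = b"Example Person <example@example.com> 456789ABCDEF0011\n"


def file_digest(data, algo="md5"):
    """Hex digest of the file contents. md5 is what the howto uses; pass
    algo="sha256" where the group can agree on a stronger digest."""
    return hashlib.new(algo, data).hexdigest()


def verify_file_checksum(data, expected, algo="md5"):
    """True if the file has the digest everyone agreed on (step 2.4)."""
    return file_digest(data, algo) == expected.strip().lower()


def normalize_fingerprint(fpr):
    """Turn a fingerprint as printed or read aloud ('FA9A 3D63 ...') into
    40 upper-case hex digits; anything else is rejected."""
    digits = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", digits):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % (fpr,))
    return digits


def keyid_from_fingerprint(fpr):
    """The long key-id (what .caffrc and caff's command line use) is the
    last 16 hex digits of the fingerprint."""
    return normalize_fingerprint(fpr)[-16:]


def parse_primary_fingerprints(colon_output):
    """Map long key-id -> fingerprint for primary keys only."""
    fingerprints = {}
    pending_keyid = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            pending_keyid = fields[4].upper()
        elif fields[0] == "fpr" and pending_keyid is not None:
            fingerprints[pending_keyid] = fields[9].upper()
            pending_keyid = None   # any later fpr belongs to a subkey
        elif fields[0] in ("sub", "ssb"):
            pending_keyid = None
    return fingerprints


def check_before_signing(colon_output, keyid, vouched_fingerprint):
    """True only if the key-id you are about to pass to caff is in the
    keyring and its full fingerprint is the one the owner vouched for."""
    want = normalize_fingerprint(vouched_fingerprint)
    kid = keyid.upper()
    if kid != want[-16:]:
        return False   # key-id and fingerprint do not even belong together
    return parse_primary_fingerprints(colon_output).get(kid) == want


if __name__ == "__main__":
    print("file ok:", verify_file_checksum(SAMPLE_PGP_EMAIL,
                                           file_digest(SAMPLE_PGP_EMAIL)))
    print("key ok:", check_before_signing(
        SAMPLE_GPG_COLONS, "456789ABCDEF0011",
        "AAAA BBBB CCCC DDDD EEEE 0123 4567 89AB CDEF 0011"))
```

In practice you would feed `check_before_signing` the real output of `gpg --with-colons --fingerprint <keyid>` and the fingerprint you confirmed face to face; it deliberately compares all 40 hex digits, so a key that merely shares the last 16 (the key-id) with the vouched-for one is rejected.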