[clue-tech] Some thoughts about GnuPG (installfest hotwash).

David L. Anselmi anselmi at anselmi.us
Sat Sep 18 22:34:02 MDT 2010


Here's a summary of SFD.  I still plan to post on what I did to make my key (for "extra security"), 
and also how I used my "extra secure" key to do the signing.

We had a good turnout for SFD/installfest.  There were around 16 people--not a record but not too 
shabby.  Although a few people got some real work done I counted 10 that participated in the key 
signing.

We spent a while walking through creating keys for those who didn't have them.  Unfortunately there 
was a lot of jumping back and forth between web pages that had the high level steps vs. those with 
the low level steps so I can't send a link to what exactly we did.  I'll try to put all my notes 
together so we have them in the future (I should get a blog for that sort of thing).

David L. Anselmi wrote:
> * Now follow the steps at this link.  When you get to the part about uploading keys, use the command:
>
>       gpg --keyserver pgp.mit.edu --send-keys <key id>
>
>       http://commandline.org.uk/command-line/ten-steps-for-attending-a-keysigning-party/

Several people have already uploaded their signatures, so you can see them on your keys.  To update 
your keyring with the latest, do:

   gpg --keyserver pgp.mit.edu --refresh-keys

and that will get the latest sigs for all keys on your keyring.  If you only care about your key you 
can put the id at the end of the command.

You can see the sigs on a key with:

   gpg --list-sigs <id>

Finally, I've signed all the keys I got fingerprints for but rather than upload them I'm going to 
add a step to set the example of what can be done (the Debian signing parties work this way).

I'm going to use the caff program (from Debian's signing-party package) to encrypt and email the 
sigs I made to each key's email address.  Then the owner will have to decrypt the sig, import it, 
and upload it.

That will prove that the email address and private key are accessible by the same person.

Dave
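
Added example, not part of the original post: after `--refresh-keys`, one way to see which attendees' signatures have not yet reached a key is to parse GnuPG's machine-readable `--with-colons` listing instead of reading `--list-sigs` by eye. The function names, key IDs and sample listing are constructed for illustration; the script assumes 16-hex-digit key IDs and epoch timestamps, as current GnuPG prints them.

```shell
#!/bin/sh
# Added example (not from the original post). Live use:
#   gpg --with-colons --list-sigs <id> | missing_signers ID1 ID2 ...

# Constructed listing; every key ID and name below is made up.
# Field 1 = record type, 2 = check result (filled in by --check-sigs),
# 5 = signer key ID, 6 = creation time, 11 = signature class.
sample_listing() {
cat <<'EOF'
pub:u:2048:1:AAAA000000000001:1284850000:::u:::scESC:
uid:u::::1284850000::0000::Alice Example <alice@example.org>:
sig:::1:AAAA000000000001:1284850000::::Alice Example <alice@example.org>:13x:
sig:::1:BBBB000000000002:1284860000::::Bob Example <bob@example.org>:10x:
sig:::1:CCCC000000000003:1284870000::::[User ID not found]:10x:
rev:::1:CCCC000000000003:1284880000::::[User ID not found]:30x:
sub:u:2048:1:AAAA0000000000F1:1284850000::::::e:
sig:::1:AAAA000000000001:1284850000::::Alice Example <alice@example.org>:18x:
EOF
}

# Print key IDs of third parties holding an unrevoked certification
# (class 10-13) on the listed key. Self-signatures and subkey bindings (18x)
# are skipped; if field 2 is filled in, only "!" (good) is accepted.
certifiers() {
  awk -F: '
    $1 == "pub" { self = $5 }
    $1 == "sig" && $11 ~ /^1[0-3]/ && ($2 == "" || $2 == "!") {
      if ($6 + 0 >= sig[$5] + 0) sig[$5] = $6    # newest certification
    }
    $1 == "rev" && $11 ~ /^30/ {
      if ($6 + 0 > rev[$5] + 0) rev[$5] = $6     # newest revocation of one
    }
    END {
      for (k in sig) if (k != self && sig[k] + 0 > rev[k] + 0) print k
    }' | sort
}

# Print each expected signer (arguments) that has no usable certification
# in the listing read from stdin.
missing_signers() {
  have=$(certifiers)
  for id in "$@"; do
    printf '%s\n' "$have" | grep -qxF "$id" || echo "$id"
  done
}

sample_listing | missing_signers BBBB000000000002 CCCC000000000003 DDDD000000000004
```

`--list-sigs` does not verify the signatures it lists; feeding the script `--check-sigs` output instead counts only the ones GnuPG verified.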

