Keysigning at the Chemnitz Linux Days
Date of key signing
The key signing party will once again take place during the Chemnitz Linux Days 2025. We will meet on Saturday, 22nd March at 4.00 p.m. in room W1. We will compare the fingerprints of our PGP keys and thus extend our web of trust. We will use an official identity document to prove our identity.
What is keysigning?
Encrypting data or proving its integrity is necessary for many confidential matters. GnuPG offers one solution to this problem. With GnuPG you can create cryptographic keypairs. In most cases these keypairs are associated with your name and email address in order to protect or digitally sign your data.
As a personal key exchange is usually not possible, internet-based key servers provide a way to distribute PGP keys. Using contact data (e.g. an email address), one can query for the recipient's public key and use it to encrypt an email to them.
But how can this person be sure that the stated key really is the right one? After all, anybody can create a key under any name. To obtain more security, so-called key signing parties are held. People meet and compare their identity cards to ensure that the person named on the key and the person met in reality are the same. Once this is clear, they sign each other's keys.
Users already using GnuPG can show a list of all signatures by typing the command
gpg --list-sigs KEYID
(where KEYID stands for a distinct key name).
As a rule of thumb, it can be assumed that a key is more trustworthy the more signatures it has.
We would like to meet at the Chemnitz Linux Days in order to verify the data of every participating key. The advantage of key signing at central events is efficiency, because many key owners gather in one place. That strengthens everybody's web of trust.
Preparation
What do you have to do in order to take part in the key signing?
- Create a keypair if you have not already done so. With GnuPG, type gpg --gen-key to generate a keypair. For further information read the HOWTO.
- If you already own a key, it should be registered on a public key server.
- Before the keysigning, download the list of subscribers and verify that your key is included. If your key is not listed within two or three days, please get in touch again with the above-named address. The final list will be provided a few days before the Chemnitz Linux Days. All members of the list will receive information via email.
- Calculate the MD5, SHA1, and SHA256 hash sums of the list. This can be done with the programs md5sum, sha1sum, or sha256sum from GNU Coreutils. GnuPG (gpg --print-mds $FILE) or another program can also perform this task. The calculated values have to be entered into the appropriate fields of the list and will be compared on the day of the keysigning.
- Print out the list and bring it along with you when visiting the Chemnitz Linux Days.
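The checksum step above and its comparison at the party, as an added example that is not part of the original announcement. The function names are hypothetical, and it assumes md5sum, sha1sum and sha256sum from GNU Coreutils. Because gpg --print-mds prints grouped upper-case hex while the Coreutils tools print lower-case hex, announced values are normalised before comparing.

```shell
#!/bin/sh
# Added example (hypothetical helper names).
# Usage: check_list LISTFILE ANNOUNCED_MD5 ANNOUNCED_SHA1 ANNOUNCED_SHA256

# Strip spaces, tabs, line breaks and colons and lower-case the hex digits,
# so "A999 3E36 ..." (gpg --print-mds style) equals "a9993e36..." (sha1sum style).
normalize_digest() {
    printf '%s' "$1" | tr -d ' \t\r\n:' | tr 'ABCDEF' 'abcdef'
}

# Print the lower-case hex digest of FILE for ALGO (md5, sha1 or sha256).
list_digest() {
    case "$1" in
        md5)    tool=md5sum ;;
        sha1)   tool=sha1sum ;;
        sha256) tool=sha256sum ;;
        *) echo "unknown algorithm: $1" >&2; return 2 ;;
    esac
    # Read from stdin so the file name never appears in the output.
    "$tool" < "$2" | cut -d ' ' -f 1
}

# Return 0 only if all three announced values match the local file.
check_list() {
    file=$1; shift
    rc=0
    for algo in md5 sha1 sha256; do
        announced=$(normalize_digest "$1"); shift
        computed=$(list_digest "$algo" "$file") || return 2
        if [ "$computed" = "$announced" ]; then
            echo "$algo: OK"
        else
            echo "$algo: MISMATCH (computed $computed)"
            rc=1
        fi
    done
    return $rc
}
```

A mismatch on any of the three values means your copy differs from the list being read out, so fetch the final list again before signing anything based on it.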
Procedure of key signing
As already mentioned, the identity of every key owner has to be verified by means of an official document. Most appropriate are an identity card or passport. It should be valid on the day of the key signing.
However, at the meeting we will start by comparing the calculated checksums of the list to ensure that everybody is using the latest and correct version of the attendee list. If this was successful, we will verify the identities one after another by forming a row and moving around, so everybody has the chance to check each attendee's identity.
After this has been done, you can sign all keys you trust at the computer. Using GnuPG, you have to type gpg --sign-key KEYID or gpg --edit-key KEYID in order to do that.
Further information
For further questions, please do not hesitate to get in touch with me.
My contact data are:
- Email:
- Frank Tornack
- Matrix:
- @bollerwagenpicard:tchncs.de
For additional information you can also read the GPG key signing party HOWTO