OpenPGP is a standard that is implemented by several applications. There is the PGP application, which is commercial, but one of the most common is GPG (Gnu Privacy Guard) which is what we'll be using in this how-to.
How you install GPG is largely system-specific. The main thing to note is that you should be installing a fairly current version of GPG. You want at least GPG 2.1.
If your operating system's package manager doesn't provide a version of GPG that is at least 2.1, you can download a binary distribution from https://gnupg.org/download/.
Here are the package install commands for some common OSes.
Check that you've got at least GPG 2.1. Your input is in blue, below. The output of gpg is in bright white.
If it's not 2.1 or later, go back and download a binary distribution to install.
Run gpg and create a key.
When you say Okay to your entries, you'll be asked to enter a passphrase. Choose a strong, but easy to remember passphrase and set it.
REMEMBER: if someone gets a copy of your key, this passphrase is the only thing between them and their ability to impersonate you or read all of your encrypted email!
Also remember, if you forget this passphrase, you will lose access to your key.
Once you set a passphrase, GPG will begin generating your key. To do this, it needs a large amount of entropy, or randomness, in order to generate some good large prime numbers. This may take a while, and GPG may ask you to create some activity on your computer in order to help its random number generator.
The default key generation option doesn't let you set the expiry date of your key, or the algorithm, or key size. If you want to set these things you'll need to declare yourself an expert using the --full-generate-key option.
If you change anything from the defaults, be sure you know why you're doing it and what effect it might have.
Don't pick an expiry date too far in the future, don't make your key size too small, and don't pick an algorithm that nobody else can make use of!
Once GPG is done generating your key it will show you the new key's details, and exit.
The long hex string in the key info is your key's fingerprint. You can also get that in an easier-to-read format by explicitly asking for it.
Extract an ASCII text file that contains your public key.
The -a option causes GPG to output ASCII instead of binary data. The -o option specifies an output file.
Email the output file as an attachment to firstname.lastname@example.org by 09:00 Friday morning.
It's important to send the file as an attachment, because some mail clients can cause formatting problems with the key data that make it hard to import.
Don't be late, or your key won't be included!
Just before morning break on Friday, everyone's keys will be posted as a single export file in the Indico agenda for the key signing at https://indico.dns-oarc.net/event/32/contributions/739/
Download this key file (keyring.asc) and its checksum file (keyring.md5). We'll make an announcement when these files are ready to be downloaded.
You'll need to take a few steps to confirm that the fingerprint for your key in the exported keyring is correct. It's important that you verify that it's your key in the keyring!
First, import the keyring into an alternate keyring file in gpg.
Compare the fingerprints from your standard keyring with the one you just imported.
Now all you need to do is show up at the key signing, on Friday during lunch. We'll be in the plenary room (where the rest of the conference has been) at 13:10.
Bring with you:
We will do three things during the key signing:
We will post a checksum of the keyring file on the screen. Generate an md5 cheksum of the keyring.asc file you downloaded and make sure it matches.
Everyone will state which key is theirs in the keyring (usually by calling out an email address in the key ID) and will state whether the fingerprint in the downloaded file is correct.
Use the paper or note taking app you brought to take notes!
We'll form a sports "handshake circle" for everyone to check ID. Confirm that the people whose keys you're signing are who they say they are!
That completes the face to face portion of the key singing party!
Everyone can go home and sign keys, then email the signed keys back to their owner, at their leisure.
Watch this space for some instructions on using caff to automatically sign keys!