Commands we use for gpg keys

Mon, 07/02/2012 - 22:30 -- ross

We use a number of default commands for our gpg key creation and signing. The first thing you need to do is get a gpg or pgp key, if you haven't already. From the command line enter the following:

gpg --gen-key

You'll be asked for a name to identify the key (its user ID). Most people use their first and last name, though that isn't mandatory, and there is no need to enter a comment. You'll also want to enter the email address you expect to be associated with this key. Once you have a key, you can sign other people's keys. To sign someone's key, you first need to retrieve it from the keyserver with the following command:

gpg --search EMAIL_ADDRESS_OF_THE_PERSON

You should see something like this:

2 ross@virilio:~$ gpg --keyserver pgp.mit.edu --search XXXX@mayfirst.org
gpg: searching for "XXX@mayfirst.org" from hkp server pgp.mit.edu
(1)	Jamie McClelland 
	Jamie McClelland 
	Jamie McClelland 
	  4096 bit RSA key 5F2E4935, created: 2009-05-10
(2)	Jamie McClelland 
	Jamie McClelland 
	Jamie McClelland 
	  1024 bit DSA key 76CC057D, created: 2004-01-23
Keys 1-2 of 2 for "XXXXX@mayfirst.org".  Enter number(s), N)ext, or Q)uit > 

Now choose the number of the correct key. Once you've imported the key and are ready to sign you can issue this command:

gpg --edit EMAIL_ADDRESS_OF_THE_PERSON

This should drop you into a gpg shell that looks like this:

0 ross@virilio:~$ gpg --edit jamie@mayfirst.org
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  1024D/76CC057D  created: 2004-01-23  expired: 2010-06-02  usage: SC  
                     trust: full          validity: expired
sub  1024g/77A37458  created: 2004-01-23  expired: never       usage: E   
sub  2048R/A3B19A3D  created: 2008-06-19  expired: 2009-06-19  usage: A   
[ expired] (1). Jamie McClelland 
[ expired] (2)  Jamie McClelland 
[ revoked] (3)  Jamie McClelland 

gpg> 

If you type help you can see a list of available commands.

In order to correctly sign a key, you need to verify the fingerprint of the key, either by having the other person read their fingerprint aloud or by comparing it to a printed copy of their fingerprint. You can find their fingerprint from the gpg command line with:

gpg> fpr
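As an added example (not part of the original post), here is a small POSIX shell script for the verification step: it pulls the full fingerprint out of machine-readable gpg output (`gpg --with-colons --fingerprint`, fpr record, field 10) and accepts it only when it exactly matches the 40 hex digits obtained out of band. The sample gpg output, the fingerprint and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: compare the fingerprint gpg
# shows locally with the one obtained out of band (read aloud, printed card).

# Constructed sample of `gpg --with-colons --fingerprint` output. The key and
# fingerprint are placeholders, not a real key. Field 10 of the "fpr" record
# holds the full fingerprint; the 8-character key ID used in the post is only
# its last 8 hex digits, so the full fingerprint is what gets compared.
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:2009-05-10:::-:::scESC::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::2009-05-10::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:'

# Normalize a fingerprint as a person reads it or a card prints it:
# strip spaces and newlines, upper-case a-f, so "0123 4567 ..." matches.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Print the fingerprint(s) from --with-colons output given on stdin.
fprs_from_colons() {
  awk -F: '$1 == "fpr" { print $10 }'
}

# Return 0 only when the out-of-band fingerprint is 40 hex digits and
# exactly equals the one gpg shows; a key ID or prefix match is not enough.
verify_fpr() {
  local_fpr=$(normalize_fpr "$1")
  oob_fpr=$(normalize_fpr "$2")
  case "$oob_fpr" in
    ''|*[!0-9A-F]*) return 1 ;;
  esac
  [ "${#oob_fpr}" -eq 40 ] && [ "$local_fpr" = "$oob_fpr" ]
}

# Typical use: feed `gpg --with-colons --fingerprint KEYID` into
# fprs_from_colons instead of the sample, then compare with what the owner gave you.
shown=$(printf '%s\n' "$SAMPLE_COLONS" | fprs_from_colons)
if verify_fpr "$shown" "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"; then
  echo "fingerprint matches; safe to run 'sign' then 'save'"
else
  echo "fingerprint MISMATCH; do not sign"
fi
```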

Once you've verified their fingerprint you want to sign it.

gpg> sign

and save it.

gpg> save

Now all that's left to do is publish the signature. The best practice for publishing a signature is to let the other person publish it themselves, by sending them an email with the signature attached. This is a little cumbersome, and in most cases it's probably okay for you to go ahead and publish it yourself by issuing the following command from the regular command line:

0 ross@virilio:~$ gpg --send-keys 5F2E4935
gpg: sending key 76CC057D to hkp server keys.mayfirst.org
0 ross@virilio:~$

Make sure to use their key ID and not their name or email address. If you need to find the correct key ID, you can do that with:

gpg --list-keys EMAIL_ADDRESS_OF_THE_PERSON

And that's pretty much all there is to it. Next, you might want to start using your gpg key for email.