PGP Key Signing Party Procedures

• Before the party:
  1. If you haven't already done so, install PGP or GPG:
     • PGP Desktop is available for Windows and Mac OS platforms from PGP Corporation:
       • Free 30-day trial: http://www.pgp.com/downloads/desktoptrial/desktoptrial2.html OR
       • Desktop Email: http://na.store.pgp.com/desktop_email.html OR
       • Bundled with Full Disk Encryption: http://na.store.pgp.com/desktop_pro.html
       It is also available from other online retailers. NOTE: PGP software purchased through Penn's Office of Software Licensing does NOT include PGP Desktop Email.
     • GPG ("GNU Privacy Guard") is freely available from GnuPG.org: (http://www.gnupg.org/):
       • Windows (http://www.gpg4win.org/)
       • Mac OS (http://macgpg.sourceforge.net/)
       • UNIX (http://www.gnupg.org/download/index.en.html)
  2. Follow the instructions to create your public/private keypair using the default key length.
  3. Determine the fingerprint for your public key:
     • GPG:
       • gpg --fingerprint your_email_address
         where your_email_address is your actual address.
       • Copy and paste the output into an email message.
     • PGP:
       • Windows:
         • Click the PGP padlock icon in the System Tray, and select Open PGP Desktop.
         • If not already open, expand the PGP Keys section of the left-hand navigation pane.
         • In the list of keys on the right, find your key.
         • Right-click your key and select Key Properties
         • Expand the Fingerprint section if necessary, and click the Copy button on the right-hand side of the pane.
         • Paste your fingerprint into an email message.
       • Mac:
         • Launch PGP.
         • Select Keys in the left-hand navigation pane.
         • In the list of keys on the right, find your key.
         • Ctrl-click your key, and select Show Key Info.
         • Expand the Fingerprint section if necessary, and select the Hexadecimal pane.
         • Click the copy button (the image of two overlapping squares) on the right-hand side of the Fingerprint section.
         • Paste your fingerprint into an email message.
  4. Either publish your public key to the PGP Global Directory or prepare to send it to us via email:
     • To publish your public key:
       • GPG: gpg --send-keys --keyserver ldap://keyserver.pgp.com keyID
         where keyID is the last 8 characters of your fingerprint, without spaces, e.g. EDCA35C9. You can also publish it to http://keys.nayr.net/ by copying and pasting your exported public key into the web page (see exporting instructions).
         
       • PGP: Mac or Windows
     • To send your public key in email:
       • GPG:
         • gpg -a --export your_email_address > yourkey.asc
           where your_email_address is your actual address.
         • Attach yourkey.asc to an email message.
       • PGP:
         • Windows:
           • Click the PGP padlock icon in the System Tray, and select Open PGP Desktop.
           • If not already open, expand the PGP Keys section of the left-hand navigation pane.
           • In the list of keys on the right, find your key.
           • Right-click your key and select Export...
           • Save your key, and attach the file to an email message.
         • Mac:
           • Launch PGP.
           • Select Keys in the left-hand navigation pane.
           • In the list of keys on the right, find your key.
           • Ctrl-click your key, and select Export to Clipboard.
           • Paste the key into an email message.
• At least two working days before the key signing party: RSVP to security@isc.upenn.edu and include your PGP fingerprint. If you've published your public key, let us know. Otherwise, include your public key in your email message. Information Security will collate the keys and print enough copies of the list of names/fingerprints so that each person can get a handout.
• The day of the party: Bring your PennCard to identify yourself, and bring along a printed (or otherwise readable) copy of your fingerprint.
• At the party:
  1. Show your PennCard to others to confirm your identity.
  2. Using the copy that you brought with you, read off your key fingerprint.
  3. Each attendee will verify the fingerprint read aloud against the one in the handout.
  4. Take the list of names and verified fingerprints with you after the party.
• After the party:
  1. For each key you verified, import it from the keyserver onto your keyring:
     • GPG: gpg --keyserver ldap://keyserver.pgp.com --recv-keys keyID
       OR
       gpg --keyserver keys.nayr.net --recv-keys keyID
       where keyID is the key ID you verified (the last 8 characters of the fingerprint, without spaces, e.g. EDCA35C9).
     • PGP:
       • Windows:
         • Click the PGP padlock icon in the System Tray, and select Open PGP Desktop.
         • If not already open, expand the PGP Keys section of the left-hand navigation pane and select Search for Keys.
         • Search for the key using either key ID or email address.
         • Right-click the key and select Add To -> All Keys
       • Mac:
         • Launch PGP.
         • Expand Keyservers in the left-hand navigation pane and select PGP Global Directory.
         • Search for the key using either key ID or email address.
         • Ctrl-click the key, and select Add To Default Keyring.
  2. Verify each key against the fingerprints from the list you got at the party (see instructions above for viewing the fingerprint for a key).
  3. Sign each key:
     • GPG: gpg --sign-key keyID
       where keyID is the ID for the key you verified, e.g. EDCA35C9.
     • PGP:
       • Windows:
         • Click the PGP padlock icon in the System Tray, and select Open PGP Desktop.
         • If not already open, expand the PGP Keys section of the left-hand navigation pane and click All Keys.
         • In the list of keys on the right, select the key.
         • Right-click your key and select Sign...
         • In the PGP Sign Key dialog box, select the key, check Allow signature to be exported and click OK.
         • Enter your passphrase when prompted.
       • Mac:
         • Launch PGP.
         • Select Keys in the left-hand navigation pane.
         • In the list of keys on the right, find the key.
         • Ctrl-click the key and select Sign....
         • In the Sign Key dialog box, check Allow signature to be exported, select the key, and click Sign.
         • Enter your passphrase when prompted.
  4. Publish each signed key:
     • GPG: gpg --keyserver keys.nayr.net --send-keys keyID
       where keyID is the key ID you verified. Note that the keyserver for publishing signed keys is different from the aforementioned keyserver. The PGP Corporation keyserver does not aggregate PGP signatures for keys. Alternatively, you can publish it to http://keys.nayr.net/ by copying and pasting the exported public key into the web page (see exporting instructions).
       
     • PGP: Using the instructions above for obtaining the public key, send signed keys to security@isc.upenn.edu (PGP software does not communicate properly with keys.nayr.net).
     and then notify security@isc.upenn.edu
  5. Once the keys have been signed, Information Security will notify the attendees and publish signed keys to keys.nayr.net.
  6. Import the signed keys from the keyserver:
     • GPG: gpg --keyserver keys.nayr.net --recv-keys keyID
       for each keyID you verified.
     • PGP: ask Information Security to send the signed keys via email; import by double-clicking each key attachment.

Remember to send your public keys and fingerprints to security two working days before the key signing party.

Information Security PGP keys area available at:
http://www.upenn.edu/computing/security/pgpkey.php

Last updated: Monday, April 13, 2009