These are probably more generally useful, but for now they have been tuned to just the case of ASF members/committers signing each other's keys.
pgpk -xa key-id-to-import | gpg --import
Do this for all the keys you want to sign, and for your own keys too (otherwise you won't be able to import the private key).
N.B. GnuPG will not import keys that are not self-signed!
gpg --import --allow-secret-key-import < your-secret-keyring
Given that this is experimental at this stage, it might be better to generate fresh temporary keys for the duration:
gpg --gen-key
The key may as well be signing only.
If someone is going to sign your keys, they'll need a copy. You can get one like this:
gpg --export --armour key-id > some-file
Then send them the file. They import it like this:
gpg --import < some-file
If they need to verify it, they should make sure they have a way of communicating with you that can be trusted (e.g. face-to-face or via a verified phone number) and check the fingerprint:
gpg --fingerprint
Alternatively, if you have an existing key that has been verified, then sign the exported file before sending it. For strict correctness you should include a statement in the file that it is your key before signing (because what does the signature mean, otherwise?). To sign with GPG:
gpg --clearsign file-to-sign
or PGP:
pgps -at file-to-sign
Either will produce a signed copy of file in file.asc.
First, you need to do a one-off initialisation of KeyMan. Here's what mine looked like:
km-configure
In order to configure KeyMan, you will need to answer a few questions
which will help the program make some starting objects to use.
What options would you like to pass to GnuPG by default []
[1] 0x5605465F3D42C8CA Ben Laurie (*TEST* ASF Signing Key) <ben@algroup.co.uk>
[2] 0x1B080C452719AF35 Ben Laurie <ben@algroup.co.uk>
[3] 0x9428DD79E279C0A5 ALDIGITAL
[4] 0x4F6DE1562118CF83 Ben Laurie <ben@algroup.co.uk>
[5] 0x883FFA4F244E262B A.L. Digital M.I.B. <mib@aldigital.co.uk>
Which of these should be your root key? [1-5,Q] 1
The choice of root key is rather important - all trust in your KeyMan setup derives from signatures made by your root key. In short, it should be the one you intend to use for KeyMan signing.
First, import their key into GPG as above, then import it into KeyMan:
tools/km-import-pgpkey
[1] 0xA9063F1F6B722A59 Ben Laurie <ben@gonzo.ben.algroup.co.uk>
[2] 0x5605465F3D42C8CA Ben Laurie (*TEST* ASF Signing Key) <ben@algroup.co.uk>
[3] 0x9ACD3CC0A99F75DD Rodent of Unusual Size <Ken@Coar.Org>
[4] 0x4F6DE1562118CF83 Ben Laurie <ben@algroup.co.uk>
Which key would you like to import [1-4,Q] 3
What URLs can this key be downloaded from (inc keyserver://hostname.of.keyserver/) (q to exit) [q] keyserver://wwwkeys.uk.pgp.net/
What URLs can this key be downloaded from (inc keyserver://hostname.of.keyserver/) (q to exit) [q]
a011f5c7b76a7c5c399a20a055ed65c323a8057f
Add another key [n]
Now sign it - here's how I would sign a fellow board member's key:
km-trustsign
[1] Ben Laurie <ben@algroup.co.uk>
[2] Rodent of Unusual Size <Ken@Coar.Org>
Choose an object to sign [1-2,Q] 2
Choose a trust level [1]
Choose a trust depth [1] inf
Choose a trust domain [.] x-asf
Do you really want to sign the object a011f5c7b76a7c5c399a20a055ed65c323a8057f
(Rodent of Unusual Size <Ken@Coar.Org>) with the trust of
[1, inf] in domain x-asf
[n] y
About to make a trust signature ([1, inf] x-asf) on a011f5c7b76a7c5c399a20a055ed65c323a8057f by 9c8e652e25c0a8e4452cb9b3c91ff53a6469e067
gpg: Warning: using insecure memory!
You need a passphrase to unlock the secret key for
user: "Ben Laurie (*TEST* ASF Signing Key) <ben@algroup.co.uk>"
1024-bit DSA key, ID 3D42C8CA, created 2002-01-24
Signature and trust object made and added
Sign another object [n]
This is pretty simple - for now it's probably easiest to just export everything, like this:
km-export --file=name-of-export-file
[1] Ben Laurie <ben@algroup.co.uk>
[2] Rodent of Unusual Size <Ken@Coar.Org>
Choose objects to export [1-2,A,N,Q]
selected=>[] a
Choose objects to export [1-2,A,N,Q]
selected=>[1,2] q
In the export file you'll find a pile of XML - send it to someone else, and they can import it into their KeyMan. Of course, they won't have the same trust as you do, unless they've signed your root key appropriately.
Please send all exports to me, ben@algroup.co.uk so I can try to build a master file.
Trivial:
km-import name-of-import-file
[1] Ben Laurie <ben@algroup.co.uk>
[2] Rodent of Unusual Size <Ken@Coar.Org>
Choose objects to import [1-2,A,N,Q]
selected=>[] a
Choose objects to import [1-2,A,N,Q]
selected=>[1,2] q
km-display-trust
[1] Ben Laurie <ben@algroup.co.uk>
[2] Rodent of Unusual Size <Ken@Coar.Org>
Choose objects to view [1-2,Q] 2
In which domain do you wish to evaluate this? [.] anything.x-asf
Information about a011f5c7b76a7c5c399a20a055ed65c323a8057f
(Rodent of Unusual Size <Ken@Coar.Org>)
Metric in `anything.x-asf':
[1, inf]
Best metric for this is therefore 1
There were 1 paths with 1 or higher
There were 0 invalid paths
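To make the [level, depth, domain] trust signatures that km-trustsign creates and km-display-trust evaluates easier to reason about, here is a small Python model of that evaluation. It is an added example, not KeyMan's own code: the object ids are the ones printed in the sessions above, but the matching and combination rules (a signature domain covers itself and any subdomain, '.' covers everything, the level along a path is the minimum hop level, and each hop spends one unit of the remaining delegation depth) are assumptions chosen so that the page's session comes out the same way: one path of metric [1, inf] in anything.x-asf, best metric 1, no invalid paths. The alice/bob ids in the delegation walk-through are constructed.

```python
from dataclasses import dataclass
from math import inf

# Object ids copied from the km-trustsign session on this page.
ROOT = "9c8e652e25c0a8e4452cb9b3c91ff53a6469e067"   # root key, the signer
KEN = "a011f5c7b76a7c5c399a20a055ed65c323a8057f"    # Rodent of Unusual Size


@dataclass(frozen=True)
class TrustSig:
    """One trust signature as made by km-trustsign."""
    signer: str     # object id of the key making the signature
    subject: str    # object id of the key being signed
    level: int      # trust level asserted for the subject
    depth: float    # further hops the subject may delegate; inf = unlimited
    domain: str     # domain the trust is restricted to; "." = everywhere


def domain_covers(sig_domain: str, eval_domain: str) -> bool:
    """Assumed rule: '.' covers every domain; otherwise the signature
    domain must equal the evaluation domain or be a parent of it,
    so 'x-asf' covers 'anything.x-asf' but not 'x-asfoo'."""
    if sig_domain == ".":
        return True
    return eval_domain == sig_domain or eval_domain.endswith("." + sig_domain)


def evaluate(root: str, target: str, domain: str, sigs: list[TrustSig]):
    """Walk every signature path that starts at the root key.

    Returns (best_level, valid_paths, invalid_paths) where valid_paths is
    a list of [level, depth] metrics, one per path that reached the target
    with every hop usable, and invalid_paths counts paths that reached a
    hop which was out of depth or outside the domain."""
    by_signer: dict[str, list[TrustSig]] = {}
    for s in sigs:
        by_signer.setdefault(s.signer, []).append(s)

    valid: list[tuple] = []
    invalid = 0

    def walk(node, level, depth, seen):
        nonlocal invalid
        for s in by_signer.get(node, []):
            if s.subject in seen:
                continue                      # ignore cycles
            if depth < 1 or not domain_covers(s.domain, domain):
                invalid += 1                  # this hop cannot carry trust
                continue
            hop_level = min(level, s.level)   # a chain is as weak as its weakest hop
            hop_depth = min(depth - 1, s.depth)
            if s.subject == target:
                valid.append((hop_level, hop_depth))
            else:
                walk(s.subject, hop_level, hop_depth, seen | {s.subject})

    walk(root, inf, inf, {root})
    best = max((lvl for lvl, _ in valid), default=0)
    return best, valid, invalid


# The single signature made in the km-trustsign session above.
PAGE_SIGS = [TrustSig(ROOT, KEN, level=1, depth=inf, domain="x-asf")]


def page_scenario():
    """Reproduces the km-display-trust query for Ken's key in anything.x-asf."""
    return evaluate(ROOT, KEN, "anything.x-asf", PAGE_SIGS)


if __name__ == "__main__":
    best, paths, bad = page_scenario()
    for lvl, dep in paths:
        print(f"Metric in `anything.x-asf': [{lvl}, {dep}]")
    print(f"Best metric for this is therefore {best}")
    print(f"There were {len(paths)} paths with 1 or higher")
    print(f"There were {bad} invalid paths")
```

Evaluating the same key in a domain the signature does not cover (say x-other) yields no valid path and one invalid one, which is the practical reason to keep the trust domain narrow: a [1, inf] signature in '.' would carry over into every domain anyone later asks about.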