Thanks to Jean Anderson for this description of the signing process:
The ApacheCon key signing only verifies the fingerprint and id of the person – everybody gets a hardcopy printout with name, email, and fingerprint. Incidentally, the "key id" is the last 8 digits of the fingerprint.
The electronic signing occurs later. Here are the steps somebody might use to sign my key.
gpg --keyserver pgp.mit.edu --recv-keys 9958C626
gpg --fingerprint jta@apache.org
gpg --sign-key 9958C626
gpg send-keys --keyserver pgp.mit.edu 9958C626
Another "style" is to not upload the signed key, but to export it and email it to the signee to upload (KEYID below is the id of the signer):
gpg --armor --export jta.apache.org > 9958C626_signed_by_KEYID
There's also a gpg-sign-keys.sh script available from dragon roe ( https://dragon.roe.ch/bitsnpieces/scripts/gpg/gpg-sign-keys.sh-1.30 ), but it's best to understand what needs to be done before using somebody else's black box.