All About Keys and Key Signing
The Apache reference on PGP key signing parties that take place at ApacheCon
- It points to this, which provides a really good overview, including how to create a key
- Page under development on signing Apache releases
- GnuPG, the GNU Privacy Guard page
- The GNU Privacy Handbook, a forty-one page pdf document about GnuPG
- Everything you really need to know about keys, key signing, and signing releases at Apache
How to Sign
Thanks to Jean Anderson for this description of the signing process:
The ApacheCon key signing only verifies the fingerprint and id of the person -- everybody gets a hardcopy printout with name, email, and fingerprint. Incidentally, the "key id" is the last 8 digits of the fingerprint.
The electronic signing occurs later. Here are the steps somebody might use to sign my key.
- Import Jean's public key from pgp.mit.edu:
gpg --keyserver pgp.mit.edu --recv-keys 9958C626
- Verify the fingerprint -- does it exactly match the hardcopy from the ApacheCon key signing?
gpg --fingerprint 9958C626
- Sign Jean's key:
gpg --sign-key 9958C626
- Upload the signed key:
gpg --keyserver pgp.mit.edu --send-keys 9958C626
Another "style" is to not upload the signed key, but to export it and email it to the signee to upload (KEYID below is the id of the signer):
gpg --armor --export 9958C626 > 9958C626_signed_by_KEYID
There's also a gpg-sign-keys.sh script available from dragon roe ( https://dragon.roe.ch/bitsnpieces/scripts/gpg/gpg-sign-keys.sh-1.30 ), but it's best to understand what needs to be done before using somebody else's black box.
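The steps above as a small script, added here as an illustration; it is not Jean's procedure, not Apache's, and not the dragon roe script. The point it adds is that the fingerprint on the hardcopy is compared character-for-character with what gpg reports, in the colon-separated output rather than by eye, and that a matching 8-digit key id on its own is not accepted as a match (the key id is only the tail of the fingerprint). It assumes GnuPG is on PATH; the KEYSERVER variable, the helper names, and the output file name pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): the key-signing steps as a script.
# Assumes gpg (GnuPG) on PATH. KEYSERVER, helper names and the output file name
# pattern are assumptions of this example.
KEYSERVER="${KEYSERVER:-pgp.mit.edu}"

# Normalise a fingerprint as written on the hardcopy or printed by gpg:
# drop whitespace, upper-case the hex digits. Prints the 40-digit form.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# The "key id" used with --recv-keys is the last 8 hex digits of the fingerprint.
key_id_from_fpr() {
    fpr=$(norm_fpr "$1")
    printf '%s' "$fpr" | tail -c 8
}

# Exact comparison of hardcopy and reported fingerprint. Succeeds only on a
# full 40-digit match; a bare key id (8 digits) never matches.
fpr_matches() {
    hardcopy=$(norm_fpr "$1")
    reported=$(norm_fpr "$2")
    [ "${#hardcopy}" -eq 40 ] && [ "$hardcopy" = "$reported" ]
}

# Read `gpg --with-colons --fingerprint KEYID` output on stdin and print the
# primary key's fingerprint: the first "fpr" record, field 10.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Whole workflow: import, verify against the hardcopy, sign, export the signed
# key to a file for the owner to upload. Arguments: KEYID HARDCOPY_FINGERPRINT.
sign_key_workflow() {
    keyid=$1
    hardcopy=$2
    gpg --keyserver "$KEYSERVER" --recv-keys "$keyid" || return 1
    reported=$(gpg --with-colons --fingerprint "$keyid" | fpr_from_colons)
    if ! fpr_matches "$hardcopy" "$reported"; then
        echo "fingerprint mismatch for $keyid: hardcopy=$(norm_fpr "$hardcopy") gpg=$reported" >&2
        return 1
    fi
    gpg --sign-key "$keyid" || return 1
    # Signer's own key id (field 5 of the "sec" record) names the export file.
    signer=$(gpg --with-colons --list-secret-keys | awk -F: '$1 == "sec" { print $5; exit }')
    gpg --armor --export "$keyid" > "${keyid}_signed_by_${signer}"
}

# Run only when called with both arguments, e.g.:
#   ./sign-key.sh 9958C626 "1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 9958 C626"
if [ "$#" -eq 2 ]; then
    sign_key_workflow "$1" "$2"
fi
```

Without arguments the script only defines the functions, so the pure helpers can be tried on constructed fingerprints before any key is fetched or signed.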