On Thu, 17 May 2007, Eric Martin wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Thanks to everyone who showed up to tonight's key signing party. Now that we verified everybody had the correct key info and identification, we actually have to sign each other's keys. We are using the keyserver pgp.mit.edu. If that isn't your default, you can set it either in ~/.gnupg/gpg.conf or at the command line for each command by using the argument - --keyserver pgp.mit.edu
Is the "hkp://" prefix needed in gpg.conf? keyserver hkp://pgp.mit.edu
Below is an excerpt from the gpg Key Signing Party HowTo that explains things in detail.(http://www.rubin.ch/pgp/kspa/gpg-party.en.html#ss3.8):
3.8 How to sign others' keys
Step 1: Get a copy of the key
Normally, you'll be working from a keyserver. However if you are signing the key that is not available on a keyserver, you can use simply import the key with gpg --import. If you are working with a keyserver, the following command will download the key from the keyserver into your public keyring.
bash$ gpg --keyserver <keyserver> --recv-keys <Key_ID>
If you get a read error, it means the keyserver is overloaded. Please, try again in a few seconds.
That worked Ok.
Step 2: Fingerprint and Verify the key
bash$ gpg --fingerprint <Key_ID>
That too.
GPG will print out the fingerprint of the Key with <Key_ID > (the key you just downloaded). Check the fingerprint against the checklist that you where given at the party. Note: Don't check the fingerprint on your checklist against the fingerprint on the web page as the server may not send you the same key it displays on the web page.
Step 3: Sign the key
bash$ gpg --sign-key <Key_ID>
Ok.
If you have multiple private keys, you can specify which of your private keys to sign the other persons public key with like this:
bash$ gpg --default-key <Key_to_use> --sign-key <Key_ID>
Step 4: Return or Upload the signed key
If you are working with an entity which does not want their key on a public keyserver, you should at this point you should return their signed key back to them by their method of choice - normally encrypted email. You should not send a public key to a keyserver with out the permission of the key's owner. Publicizing a public key slightly reduces the security of a key pair, therefor it is considered rude to make a key more public than its owner desires.
Most likely you are working with a keyserver. If that is the case, you can send the signed key back to the keyserver like this:
bash$ gpg --keyserver <keyserver> --send-key <Key_ID>
You should see a success message like this:
gpg: success sending to `<keyserver>' (status=200) Congratulations, the signature of the other entity's key is now complete and your signature has been incorporated into their public key. A trust path has been established.
This looked different for me, $ gpg --send-key A9413B9F gpg: sending key A9413B9F to hkp server pgp.mit.edu $ No affirmative response, it just returned to the prompt. But the exit code was 0. $ echo $? 0 -Jamie [ not yet using gpg for mail ]