So you've attended a keysigning party and diligently checked people's key fingerprints & IDs. Now what should you do? Here is an overview of the process you should follow: 1. Sign: Look at the checklist you made at the Keysigning Party. For each user where you checked off that you verified their key information & ID, you need to import their key, verify the imported key's fingerprint matches the printout/notes that you verified at the party, sign their key(s), and send them back to them, preferrably signed+encrypted to their key. 2. Import: As you receive your signed key(s) from other people, import them to your keyring and then upload them to a keyserver. 3. Refresh: Periodically refresh your keyring from a keyserver so you get local copies of other people's keys with any additional signatures that were added since you last refreshed. Detailed instructions for each step: 1. Sign: Configure GPG to always ask for the certification level. Before signing keys, it is a good idea to set your GnuPG configuration to always ask you what certification level to assign to each key you sign. This indicates to others how carefully you verified the person's identity before you signed their key. If you don't do this, GnuPG will default to 0 which means you make no particular claim as to how careful you were. Edit $HOME/.gnupg/gpg.conf and add the following to the end: ask-cert-level You can also optionally change the default (in case you don't want to be asked every time): default-cert-level 2 1a. Sign: The CAFF Method. The easiest way to do this is to use CAFF (CA Fire & Forget) from the pgp-tools package on Fedora, or the signing-party package on Debian/Ubuntu. After installing the pgp-tools or signing-party package, you need to configure CAFF. In order to create your initial .caffrc, just run "caff" once. caff Then edit the .caffrc file in your home directory. The minimum settings you should set are: $CONFIG{'owner'} = 'YOUR FULL NAME'; $CONFIG{'email'} = 'YOUREMAIL@FOO'; $CONFIG{'bcc'} = 'YOUREMAIL@FOO'; $CONFIG{'keyid'} = [ qw{YOUR-KEY-ID YOUR-OTHER-KEY-ID-IF-YOU-HAVE-ANY} ]; $CONFIG{'local-user'} = [ qw{YOUR-KEY-ID YOUR-OTHER-KEY-ID-IF-YOU-HAVE-ANY} ]; $CONFIG{'also-encrypt-to'} = [ qw{YOUR-KEY-ID YOUR-OTHER-KEY-ID-IF-YOU-HAVE-ANY} ]; $CONFIG{'default-cert-level'} = '2'; # as above, but for CAFF specifically Note that the KEY-IDs CAFF wants are 8-byte ones rather than the usual 4-byte. Just use the last 16 digits of the fingerprint. You can also customize the email message body that CAFF will send out with each signed key. Then you just run CAFF like this: caff 0xKEY-ID1 0xKEY-ID2 0xKEY-ID3 ... ... etc to sign all those KEY-IDs. You can run it once for each person/key, or list every person's KEY-ID on a single run. CAFF will prompt you to sign people's keys one by one (which you should only do after you verify the fingerprint against your paper copy from the Keysigning Party), then it will email the signatures for each uid (email address) separately to that email address, signed+encrypted to that user. That proves that the user who can receive email at that email address, and who can decrypt the message, is the only user who can get the signature for that user/uid/email, and that is the only way they can get the signature for that uid/email (as long as you don't send your signed copy of their key to a keyserver or anywhere else--leave that to the recipient). 1b. Sign: The Manual Method. It is tricky to do the above manually without CAFF, but if you don't want to run CAFF or can't for some reason, you can sign the key and then export the signed key with gpg --export. Ideally, you should then encrypt that and send it to at least one of the email addresses listed in the uid(s) if not all of them. This is not as good as the CAFF method, because it only proves that at least ONE of the uids/email addresses is controlled by the user who has that key, and the person who controls that ONE email address can get your signature on ALL of the uids/email addresses. These commands should work for the manual method. First verify that the fingerprint matches your printout or notes from the Keysigning Party: gpg --fingerprint 0xRECIPIENT-KEY-ID Now sign the key: gpg --sign-key 0xRECIPIENT-KEY-ID Now export their key, signed+encrypted to both them and you. Store the result, ascii armoured, into a file: gpg --export 0xRECIPIENT-KEY-ID | gpg --encrypt --sign --armour --recipient 0xRECIPIENT-KEY-ID --recipient 0xYOUR-KEY-ID - > 0xRECIPIENT-KEY-ID-signed-key.asc You can verify that this came out right before emailing (since you signed/encrypted it ALSO to your own KEY-ID above) with the following: cat 0xRECIPIENT-KEY-ID-signed-key.asc | gpg -d | gpg --list-packets And you can import it to a test keyring to see the signatures like this: cat 0xRECIPIENT-KEY-ID-signed-key.asc | gpg --decrypt | gpg --import --keyring=testring.gpg --no-default-keyring gpg --list-sigs --fingerprint --keyring=testring.gpg --no-default-keyring Now that you've verified it is all correct, just attach the .asc file to an email and send it to the user's email address(es). 2. Import signed keys other people send you and then upload them. When you receive emails from other people with your signed key(s) (hopefully signed+encrypted in the email) you should import them as follows. If the sender used the CAFF Method, the entire email will be signed+encrypted and you can import the key like this: cat encrypted-email.asc | gpg --decrypt | gpg --import If the sender used the Manual Method, you will have a signed+encrypted attachment that you can import like so: cat 0xYOUR-KEY-ID-signed-key.asc | gpg --decrypt | gpg --import Now you should send your key back to a keyserver with the new signature(s) you just added: gpg --keyserver=subkeys.pgp.net --send-key 0xYOUR-KEY-ID 3. Refresh: Periodically refresh your keyring from a keyserver. In order to reap the benefits of the Web of Trust, you need to download other people's public keys so you can take advantage of the signatures on those keys to verify other people further out in the Web. As people upload their keys with additional signatures on them, your local copies become out of date so you need to refresh them to gain the additional signatures, any revocations, etc. To refresh a single key, just download that key from a keyserver: gpg --keyserver=subkeys.pgp.net --recv-key 0xKEY-ID To refresh your entire keyring (do this sparingly as it does place quite a load on the keyserver): gpg --keyserver=subkeys.pgp.net --refresh-keys That's it!