Re: [Wlug] Follow-Up to Key Signing Party
On Thu, 17 May 2007, Eric Martin wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Thanks to everyone who showed up to tonight's key signing party. Now that we verified everybody had the correct key info and identification, we actually have to sign each other's keys. We are using the keyserver pgp.mit.edu. If that isn't your default, you can set it either in ~/.gnupg/gpg.conf or at the command line for each command by using the argument --keyserver pgp.mit.edu

Is the "hkp://" prefix needed in gpg.conf?

keyserver hkp://pgp.mit.edu
Below is an excerpt from the gpg Key Signing Party HowTo that explains things in detail (http://www.rubin.ch/pgp/kspa/gpg-party.en.html#ss3.8):
3.8 How to sign others' keys
Step 1: Get a copy of the key
Normally, you'll be working from a keyserver. However, if you are signing a key that is not available on a keyserver, you can simply import it with gpg --import. If you are working with a keyserver, the following command will download the key from the keyserver into your public keyring.
bash$ gpg --keyserver <keyserver> --recv-keys <Key_ID>
If you get a read error, it means the keyserver is overloaded. Please try again in a few seconds.
That worked Ok.
Step 2: Fingerprint and Verify the key
bash$ gpg --fingerprint <Key_ID>
That too.
GPG will print out the fingerprint of the key with <Key_ID> (the key you just downloaded). Check the fingerprint against the checklist that you were given at the party. Note: Don't check the fingerprint on your checklist against the fingerprint on the web page, as the server may not send you the same key it displays on the web page.
Step 3: Sign the key
bash$ gpg --sign-key <Key_ID>
Ok.
If you have multiple private keys, you can specify which of your private keys to sign the other person's public key with like this:
bash$ gpg --default-key <Key_to_use> --sign-key <Key_ID>
Step 4: Return or Upload the signed key
If you are working with an entity which does not want their key on a public keyserver, at this point you should return their signed key back to them by their method of choice - normally encrypted email. You should not send a public key to a keyserver without the permission of the key's owner. Publicizing a public key slightly reduces the security of a key pair, therefore it is considered rude to make a key more public than its owner desires.
Most likely you are working with a keyserver. If that is the case, you can send the signed key back to the keyserver like this:
bash$ gpg --keyserver <keyserver> --send-key <Key_ID>
You should see a success message like this:
gpg: success sending to `<keyserver>' (status=200)

Congratulations, the signature of the other entity's key is now complete and your signature has been incorporated into their public key. A trust path has been established.
This looked different for me,

$ gpg --send-key A9413B9F
gpg: sending key A9413B9F to hkp server pgp.mit.edu
$

No affirmative response, it just returned to the prompt. But the exit code was 0.

$ echo $?
0

-Jamie [ not yet using gpg for mail ]
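Added example, not from Eric's post or the HowTo: a small POSIX shell script that ties steps 1 to 4 together and refuses to sign unless the fingerprint gpg reports matches the one copied from the party checklist, then relies on the exit status of --send-key rather than on any printed message. It assumes gpg is on PATH and that the keyserver name, key ID and checklist fingerprint are the values you bring home from the party.

```shell
#!/bin/sh
# Added example (not the list's or the HowTo's code). Assumed inputs: a
# keyserver name, a key ID, and the fingerprint written on the party checklist.

# Normalise a fingerprint as written on a checklist (spaces, lower case) to the
# 40 hex digits gpg prints in --with-colons output.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint` output from stdin and print only the
# primary key's fingerprint: the first "fpr" record after the "pub" record.
# Subkey fingerprints follow their own "sub" records and are ignored.
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }'
}

# Exit 0 when the two fingerprints are the same key, 1 otherwise.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Steps 1-4 as one guarded sequence: sign and upload only on a matching
# fingerprint. The signing step itself is interactive, as in the HowTo.
verify_and_sign() {
    keyserver=$1; key_id=$2; checklist_fpr=$3
    gpg --keyserver "$keyserver" --recv-keys "$key_id" || return 1
    got=$(gpg --with-colons --fingerprint "$key_id" | primary_fpr_from_colons)
    if ! fpr_matches "$got" "$checklist_fpr"; then
        echo "fingerprint mismatch for $key_id: keyserver gave $got" >&2
        return 1
    fi
    gpg --sign-key "$key_id" || return 1
    # --send-key may print nothing beyond "sending key ...", so the exit
    # status is the success indication to check.
    gpg --keyserver "$keyserver" --send-key "$key_id"
}
```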