How I Sign Keys

How I Sign Keys

Signing is a very personal thing. You are telling the world you believe a key belongs to the person who is claiming it. The value of a web of trust comes from the fact you are willing to put your reputation behind this assertion.

Everyone will treat signing differently. Some may feel bumping into someone at a conference is sufficient, other may want a full DNA breakdown with supporting evidence from three expert witnesses. I like to think I’m somewhere in the middle and have documented my signing policy. This page is about how I sign a key and what you need to do next.


In order to sign a key you need the master key, and as detailed in my key creation guide I keep my master key separate from my normal key store, so can not do any signing during events. Instead I sign all keys at home then get the signed public key back to you for you.

The Act

Like all repetitive tasks I have created a script for that which you can download from its project page. The script does five things:

  1. First download the key to be signed into my keystore
  2. Sign all key identity’s associated with that key
  3. Export the signed public key
  4. Encrypt it
  5. Finally the script deletes the signed public key from the keystore and re-download the unsigned version from the public key


Now I have an encrypted file containing your key I have just signed, but I do not have a signed copy in my key store. My preferred way of getting a signed key to you is by email. Since I have encrypted the signed file you have to have access to the private key and email address in order to use it and I feel this adds a level of additional verification that you really do have control of the key I just signed, after all there are many reasons you might not – I mean I could have just signed the wrong key.

You have noticed my bash script now leaves without a signed copy for you key, this was a deliberate step. I said above by emailing you I am able to assure myself I have not only signed the right key but you have access to the correct email box. Once you import the key and push it back out to your key server I will retrieve a copy from there.

What do you do now

If you receive a signed key from me you simple need to run the following command:

nxad@desktop:~$ gpg --decrypt name_of_file_attached_to_email.asc.pgp | gpg --import

PGP will ask for your password and import the new signed key and verify the attachment was signed with my primary key fingerprint: BB2C EB25 BE05 16A7 A9C6 F2FB EEB4 96E6 1FA1 E814. It is now up to your to send your newly signed key back to a server for the rest of the world to see.