Wednesday, September 9, 2015

How to distribute GPG keys with others and validate GPG keys of others ?

After creating your own GPG key-pair, the very next step is to sign the key. Now, the question comes automatically, what is signing of keys and why we should do that. Let's understand that first.

What is signing of GPG keys and why should we sign GPG keys of others ?

A user's public key is available to all. Secure channel is not required for key distribution. One can easily fake someone's public key. When you get someone's public key, you must be certain that it is indeed that person's public key and not to someone else. You can confirm that by looking at who all have signed the key. If you see any trusted person to sign the user-id, you will know the public key is valid.

Use the following command to look at who all have signed a partcular public key:

# gpg –list-sigs <user-id>

Why should we sign our own GPG key ?

We should also sign our own GPG key. If for any reason, any of the signed user-ids is tampered with, it will show the message “Bad Signature” while listing the key.

How to distribute GPG keys with others ?

You can upload your GPG keys to a keyserver, using the –send-keys option.

# gpg –keyserver <keyserver> –send-keys <user-id>

You can also download someone else's key from the keyserver using the –recv-key option.

# gpg –keyserver <keyserver> --recv-key <key-id>

You can also import a key to your keyring using the following command.

# gpg –import pubkey.asc

How to validate GPG keys of others ?

Once you import someone's key to your keyring, you can validate the key. If you are very sure the public key belongs to the particular person only, you can sign it. If any person well-known to you looks at your signature on that key, the person will know that, the key that you have signed, will be valid.

The word trust is subjective. In PGP, you can indicate using four keywords, how much you trust on a public key.

- unknown
It indicates nothing is known about the validity of the public key.

- none
It indicates improperly signing the public key.

- marginal
It indicates the public key has been validated proiperly.

- full
It indicates an excellent amount of trust on the public key.

You can indicate the validity of an imported key, by going to the key edit menu and using the command trust.

# gpg –edit-key <user-id>
command> trust

Indicate how much you trust the public key and exit.

Please make doubly sure before you trust someone else's public key!

No comments:

Post a Comment