Saturday, August 5, 2017

Keysigning!

There are a couple of reasons to build a web of trust using GPG keys. If you are a software developer and want to sign your commits, and on a larger stage, sign software releases, you need a key pair. At the distribution level, ISOs are signed as well. In Ubuntu, a GPG key is required to sign the Code of Conduct.

On a personal level, emails and other communications and files can be signed and/or encrypted. In this era of wide-spread spoofed emails and more and more efforts to snoop into our every move, gpg is a tool we can use to prove our identity and be able to rely on gpg-signed emails.

I attended a keysigning at Akademy, which involved a few steps. First, generating a key pair. This is amazingly easy: gpg --gen-key. Various options are discussed here, among other places: http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#keypair_generation. This site and many others describe how to immediately create a revocation certificate, just in case. This is not difficult either. Finally, send your public key to a keyserver, and your fingerprint to the person running the keysigning event, or print out the fingerprint yourself.

At the keysigning, you will check to see that your own fingerprint is correct as provided by the host, and that each person at the event has valid identification proving they are who they say they are.

The final step to creating your web of trust is signing those keys. Some people have an additional step before signing and uploading: sending an encrypted email to each person to establish that both keys work. Since I created my key pair using my gmail address, I was having some difficulty with decrypting some of those emails using "mailvelope", a gmail addon. Bhushan Shah told me that I can download the raw encrypted email and then decrypt that file with gpg --decrypt filename.txt. Excellent!

gpg --encrypt --recipient recipientkeyID filename.txt works as well.
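The fingerprint check at the party, and the key ID you later hand to --recipient, both come down to comparing 40 hex digits. Here is an added example (not part of the original post) that normalizes a fingerprint as printed on the party sheet, matches it against gpg --fingerprint output, and derives the long and short key IDs from it; the gpg output and the key are constructed samples, not a real key.

```python
import re

# Constructed sample of `gpg --fingerprint` output (not a real key or person).
GPG_FINGERPRINT_OUTPUT = """\
pub   rsa4096 2017-08-01 [SC] [expires: 2019-08-01]
      0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid           [ultimate] Alice Example <alice@example.org>
sub   rsa4096 2017-08-01 [E]
"""


def normalize_fingerprint(text):
    """Drop spaces/colons and upper-case; accept only a 40-hex-digit v4 fingerprint."""
    fpr = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-hex-digit OpenPGP v4 fingerprint: %r" % text)
    return fpr


def fingerprints_from_gpg(output):
    """Pull every indented fingerprint line (10 groups of 4 hex) out of gpg output."""
    found = []
    for line in output.splitlines():
        m = re.fullmatch(r"\s+((?:[0-9A-Fa-f]{4}\s*){10})", line)
        if m:
            found.append(normalize_fingerprint(m.group(1)))
    return found


def fingerprint_matches(printed, gpg_output):
    """True iff the fingerprint on the party sheet equals one gpg shows for the key."""
    want = normalize_fingerprint(printed)
    return want in fingerprints_from_gpg(gpg_output)


def key_ids(fingerprint):
    """Long (16 hex) and short (8 hex) key IDs are the tail of a v4 fingerprint.
    Short IDs are easy to collide, so prefer the long ID or the full fingerprint
    when choosing a --recipient."""
    fpr = normalize_fingerprint(fingerprint)
    return "0x" + fpr[-16:], "0x" + fpr[-8:]
```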

Now I've found and am trying out GooPG which is interesting, and seems to work. Nothing seems to be able to read the email I got from Launchpad to verify my uploaded key, however. :(  The actual code block throws a CRC error.

To sum up: be a geek, do some key signing, and sign your emails! And when needed, encrypt them.

PS: Martin Bednar asked where to find the Google extension. None of my browsers let me answer comments (or even make comments) directly, so here is the link: https://chrome.google.com/webstore/detail/goopg/ifpoaednafmgolabhpjmbimllaoidelg