An essential part of PGP is the mutual validation of key pairs. This confirms that the information about the owner stored in the key corresponds to reality (e.g. ownership of this key). This post describes the process of signing PGP keys with GnuPG.

With GnuPG it is very easy to sign foreign public keys. GnuPG offers a selection of options to configure the creation of the signature. I will introduce the most important ones here.

Copy&Paste

Here the Copy&Paste command (because people usually just take the first code they see):

gpg --ask-cert-level --ask-cert-expire --sign-key <fingerprint of key to be signed>

Please read below to understand what you are doing!

Simple Signing

The fastest way to generate a signature for a key is the following command (please do not use that!):

gpg --sign-key <fingerprint of key to be signed>

This command creates a signature that says nothing about whether and how you verified the identity of the owner of the key. In practical terms, the signature is therefore worthless. In addition, the expiration date of the signature is set to the same date as the key. This is not wrong for now, but there may be cases where you want to explicitly define a different date.

Define your key pairs to be used

First of all, if you have several keys, it is important to define exactly which key you want to use for the signature. You can do this in GnuPG with the parameter -u <key>. To avoid mistakes, you should use the fingerprint of the matching key pair.

gpg -u <your key fingerprint> --sign-key <fingerprint of key to be signed>

Define certification level

The certification level indicates how it was verified that the key actually belongs to the registered owner (name and e-mail address). The following levels are available:

   (0) I will not answer. (default)
   (1) I have not checked at all.
   (2) I have done casual checking.
   (3) I have done very careful checking.

Level 3 describes a thorough check with personal meeting and ID, Level 2 e.g. a check by telephone (if you know the voice). To specify the level of the check, you need to add the –ask-cert-level parameter:

gpg -u <your key fingerprint> --ask-cert-level --sign-key <fingerprint of key to be signed>

Define certification expiry time

A PGP key pair can (should) have an expiration date. This ensures that old keys that are no longer in use become unusable. Furthermore, it is possible to change the expiration time of the key pair if necessary, i.e. to extend it (please read OpenGPG Best Practices for reasons why you should do that). If you sign a key, the expiration date of the signature is set to the current expiration date of the key. If you now change the expiration date of the key, the date of the signature is not adjusted (a new signature would have to be created for this). In order to save the need for a new signature (and the corresponding effort for validation), the signature can be given a different expiration time than the key when it is created. GnuPG provides the parameter –ask-cert-expire for this:

gpg -u <your key fingerprint> --ask-cert-level --ask-cert-expire --sign-key <fingerprint of key to be signed>

However, even with signatures, you should consider carefully whether the expiration date is “never” really justified.

Get started!

Now you can start signing! Meet your friends, acquaintances and colleagues and sign each other your keys.

By the way, you can find my Publiy Key here.