Mail Encryption with PGP

PGP Key Signing

With PGP you can not only sign emails, but basically arbitrary digital data, including other PGP keys. That means that I can sign your PGP key with mine. This has a special meaning: it says that I'm convinced that you are the legitimate owner of that key, i.e. that the name and mail addresses on it belong to the person who controls the private key. Strictly speaking the signature (a "certification") goes on a user ID of the key, which is why you name the mail addresses you want signed. These signatures are what makes it possible to build the web of trust.

Identity Check

These things have to happen before I sign your key:

  • Show me an official document with your photo and your name on it (driver's license, passport etc.). The photo has to match your face and the name has to match the user ID on the key you want to have signed.
  • Tell me the full fingerprint of your key (all 40 hex digits, not the 8-digit key ID) and the mail addresses you want to have signed. Before signing I compare that fingerprint, digit by digit, with the one gpg shows for the key I imported.

Signing

To sign a key you need to have the key imported in your local key chain. You can get the key from a key server (e.g. pgp.mit.edu), or download it from a URL the key owner told you, or get the key file directly from the owner. Where the key comes from matters little, because the fingerprint check is what establishes that it is the right key; a key server will happily return whatever somebody uploaded under that name. Import it using the GUI or the terminal.

  • gpg --recv-keys <full fingerprint> imports a key from a key server. Use the complete 40-digit fingerprint: an 8-digit short key ID (ABCDEFGH) only covers 32 bits and can be collided cheaply, so a server may hand you an impostor's key with the same ID.
  • gpg --import key.asc imports a key from a key file.
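The whole procedure, fingerprint check first and signature only afterwards, as an added example (not code from the original article): a small POSIX shell script that reads the fingerprint out of an exported key file, compares it against the full fingerprint from the owner's paper snippet, refuses short key IDs and mismatches, and otherwise imports and certifies the key with gpg. It assumes GnuPG 2.1 or newer on PATH; the demo at the end uses throwaway homedirs and made-up user IDs (me@example.org, peer@example.org), so it never touches your real keyring.

```shell
#!/bin/sh
# Added example, not code from the original article: check a key's full
# fingerprint against the one the owner handed you in person, and only then
# sign it. Assumes GnuPG 2.1 or newer on PATH; the demo at the bottom works in
# throwaway homedirs and never touches your real keyring. Names and addresses
# (me@example.org, peer@example.org) are made up for the demo.
set -u

# Normalise a fingerprint as read from a paper snippet or spoken aloud:
# drop whitespace, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# True only for two identical, full-length v4 fingerprints (40 hex digits).
# An 8- or 16-digit key ID is not a fingerprint: 32-bit IDs can be collided
# at will, so accepting one here would defeat the whole check.
fingerprints_match() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    [ "${#a}" -eq 40 ] && [ "${#b}" -eq 40 ] && [ "$a" = "$b" ]
}

# Primary-key fingerprint of an exported key file, read without importing it,
# from gpg's machine-readable colon output (field 10 of the first fpr record).
fpr_of_keyfile() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Sign a key only after its fingerprint matches the one from the paper snippet.
# $1 = key file, $2 = fingerprint as written on the snippet, $3 = your own key.
# Prints the armored key including the new certification, ready to mail back.
sign_key_after_check() {
    keyfile=$1; paper_fpr=$2; my_key=$3
    actual=$(fpr_of_keyfile "$keyfile")
    if ! fingerprints_match "$actual" "$paper_fpr"; then
        echo "REFUSED: fingerprint mismatch (key file: '$actual', snippet: '$paper_fpr')" >&2
        return 1
    fi
    gpg --batch --import "$keyfile" 2>/dev/null || return 1
    # --quick-sign-key certifies every user ID on the key with an exportable
    # signature; --quick-lsign-key would make a local, non-exportable one.
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --default-key "$my_key" --quick-sign-key "$actual" 2>/dev/null || return 1
    gpg --batch --armor --export "$actual"
}

# Demo: two fresh keys, an exported peer key plus its "paper" fingerprint,
# one wrong snippet, one bare short key ID and one correct snippet.
demo() {
    peer_home=$(mktemp -d); chmod 700 "$peer_home"
    GNUPGHOME=$(mktemp -d); chmod 700 "$GNUPGHOME"; export GNUPGHOME
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Me <me@example.org>' default default never 2>/dev/null || return 1
    gpg --homedir "$peer_home" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Peer <peer@example.org>' default default never 2>/dev/null || return 1
    my_id=$(gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print substr($10, 25); exit }')
    peer_fpr=$(gpg --homedir "$peer_home" --batch --with-colons --list-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    gpg --homedir "$peer_home" --batch --armor --export peer@example.org > "$GNUPGHOME/peer.asc"
    # Snippet form: groups of four, lower case, as a human would write it down.
    paper=$(printf '%s' "$peer_fpr" | sed 's/..../& /g' | tr 'A-F' 'a-f')

    # A wrong fingerprint (constructed) must be refused ...
    if sign_key_after_check "$GNUPGHOME/peer.asc" '0000 0000 0000 0000 0000 0000 0000 0000 0000 0000' me@example.org >/dev/null 2>&1; then return 1; fi
    # ... and so must the bare 8-digit key ID, even though it "matches".
    if sign_key_after_check "$GNUPGHOME/peer.asc" "$(printf '%s' "$peer_fpr" | cut -c33-40)" me@example.org >/dev/null 2>&1; then return 1; fi
    # The real snippet passes; keep the signed key to send back to the owner.
    sign_key_after_check "$GNUPGHOME/peer.asc" "$paper" me@example.org > "$GNUPGHOME/peer-signed.asc" || return 1
    # Confirm a good ("!") certification from our key is now on the peer key.
    gpg --batch --with-colons --check-sigs "$peer_fpr" 2>/dev/null \
        | awk -F: -v id="$my_id" '$1 == "sig" && $2 == "!" && $5 == id { ok = 1 } END { exit !ok }'
}

if command -v gpg >/dev/null 2>&1; then demo && echo "demo: key signed after fingerprint check"; fi
```

Two design notes. The comparison deliberately rejects anything shorter than 40 hex digits, so a snippet that only carries the short ID cannot pass by accident. And --quick-sign-key uses gpg's default certification level; if you want to record how carefully you checked (the --ask-cert-level prompt of the interactive --edit-key flow), set --default-cert-level accordingly before signing. The exported peer-signed.asc is what you send back to the owner, ideally encrypted to the key you just signed, so only someone who controls that key can publish the signature.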

Paper Snippets

If you're going to a place where you expect tech-savvy people, you can bring paper snippets with your key information on them and give them to others so they can sign your key at home. Of course you're not going to print out your whole key, but rather just the fingerprint, your name and the mail addresses you want to have signed. Whoever receives a snippet still has to compare the full fingerprint on it with the one gpg prints for the key they fetched; the slip only saves them from writing it down, it doesn't replace the check. There's an excellent tool that creates just such snippets for you: http://keysheet.net/