[SGVLUG] Keysigning party buzz I -- pgp (gpg)

Emerson, Tom Tom.Emerson at wbconsultant.com
Mon Apr 3 18:17:19 PDT 2006


[Note: I'll be posting this to the website as well]
Well, our next general meeting is a couple of weeks
away, and as promised I'm generating some "buzz"
about what to do to participate.  This message covers
creating a PGP key using gpg.  Part II will cover
creating a "Ca-Cert" certificate.

==================================================
= Before I jump into this -- I'd like a "show of
= hands" if you think you will participate -- if
= enough people respond, I'll be asking you to send
= your "fingerprint" (either to me or to the list) in
= advance and I'll print a "master list" of
= fingerprints to make things easier for everyone (in
= either case, however, you should bring a copy of the
= fingerprint printed on the machine containing your
= private key)
==================================================

I don't want to steal too much of Phil's fire for his presentation, so I
won't go into too many details, but if you want to participate in the
"key signing" party at this month's SGVLUG presentation, you will need
to create a key before you arrive (well, I suppose you could create one
during the meeting, but passing around the "fingerprint" might be a bit
cumbersome -- we don't have any printers...)

That said, the first thing to do is to make sure gpg is installed --
most likely it already is installed as "it's a good thing" and many
distros include it by default.  (some in fact might require it for
their patch management system...)  If not, it should be on your
installation media and should be relatively simple to install.  For
those that don't trust the distro maintainer (or your distro doesn't
include it), you can download either a pre-compiled version (recommended
for the novice) or the source files and compile it yourself -- not too
many dependencies, but enough that I would only recommend this as a last
resort for the first-timer...

Then, you need to generate a key.  This is an interactive process, so
perhaps the best way to describe it is by an example:

tom at osnut:~> gpg --gen-key
gpg (GnuPG) 1.2.2; Copyright (C) 2003 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection?
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 30
Key expires at Wed 03 May 2006 02:26:38 PM PDT
Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the
user id from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh at duesseldorf.de>"

Real name: Fred Flintstone
Email address: fred at bedrockslate.com
Comment: yabba-dabba
You selected this USER-ID:
    "Fred Flintstone (yabba-dabba) <fred at bedrockslate.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

gpg: gpg-agent is not available in this session
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++.++++++++++.+++++.+++++++++++++++++++++++++++++++++++.++++++++++.
+++++++++++++++.++++++++++++++++++++.+++++.+++++.++++++++++++++++++++>++
+++..+++++..>+++++...+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++....++++++++++.++++++++++++++++++++++++++++++++++++++++++
+++++++++++++.....+++++++++++++++.+++++++++++++++++++++++++.++++++++++++
+++.++++++++++>++++++++++...>+++++........>.+++++.......................
.............+++++^^^^^
public and secret key created and signed.
key marked as ultimately trusted.

pub  1024D/AEB9CD5C 2006-04-03 Fred Flintstone (yabba-dabba) <fred at bedrockslate.com>
     Key fingerprint = CAE2 BDC9 4226 46A8 7FC0  E6A4 DB9D BD85 AEB9 CD5C
sub  2048g/8884BE1B 2006-04-03 [expires: 2006-05-03]

tom at osnut:~>

OK, you're done -- you should now have a directory called $HOME/.gnupg
with a few files, most notably "pubring.gpg" and "secring.gpg".  pubring
contains your public key, secring is, of course, your secret key.  I
suspect Phil will go over the details of posting your public key to a
server (and other ways of disseminating the information contained
within), so I won't talk about it now (it isn't strictly necessary to
post it right away anyway).

What you DO need to do, however, is generate and print your
"fingerprint" -- this is displayed as the last few lines of the
"--gen-key" output, but can easily be re-created by this command:

tom at osnut:~> gpg --fingerprint fred
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
pub  1024D/AEB9CD5C 2006-04-03 Fred Flintstone (yabba-dabba) <fred at bedrockslate.com>
     Key fingerprint = CAE2 BDC9 4226 46A8 7FC0  E6A4 DB9D BD85 AEB9 CD5C
sub  2048g/8884BE1B 2006-04-03 [expires: 2006-05-03]

Drop the last three lines into your favorite editor and print a few
copies to hand out to others -- this is the ONLY thing you need to bring
to the party as far as your "key" is concerned (you do, however, need to
bring something that supports the claim that you are who you claim to be
and that others will "trust", but that's another thread... )
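To go with the "drop the last three lines" step, here is an added shell example (not from Tom's post) that pulls the fingerprint and short key ID out of those three lines and checks that they agree before the sheet is printed or compared against a master list.  The sample text is constructed from the three lines shown above, and the function names are my own.

```shell
# Added example, not from the original post: parse the three lines that
# "gpg --fingerprint" prints and sanity-check them before they go on the sheet.
# Needs only a POSIX shell plus sed, tr and awk; gpg itself is not required.

# Constructed sample: the three lines from the post (the list archive rewrites
# "@" as " at "), each joined back onto a single line.
SAMPLE='pub  1024D/AEB9CD5C 2006-04-03 Fred Flintstone (yabba-dabba) <fred at bedrockslate.com>
     Key fingerprint = CAE2 BDC9 4226 46A8 7FC0  E6A4 DB9D BD85 AEB9 CD5C
sub  2048g/8884BE1B 2006-04-03 [expires: 2006-05-03]'

# Constructed sample with one digit mistyped in the last group, as can happen
# when a sheet is retyped rather than pasted from the gpg output.
MANGLED='pub  1024D/AEB9CD5C 2006-04-03 Fred Flintstone (yabba-dabba) <fred at bedrockslate.com>
     Key fingerprint = CAE2 BDC9 4226 46A8 7FC0  E6A4 DB9D BD85 AEB9 CD5D
sub  2048g/8884BE1B 2006-04-03 [expires: 2006-05-03]'

# Strip spaces/colons and upper-case, so two differently written copies compare with "=".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# The fingerprint from the "Key fingerprint =" line, normalized; empty if absent.
extract_fpr() {
    normalize_fpr "$(printf '%s\n' "$1" | sed -n 's/^ *Key fingerprint = //p')"
}

# The short key ID after the slash on the "pub" line (AEB9CD5C in the sample).
extract_keyid() {
    printf '%s\n' "$1" | awk '$1 == "pub" { split($2, a, "/"); print a[2]; exit }'
}

# 0 if the fingerprint is 40 hex digits and its last 8 equal the short key ID
# (for a V4 key the ID is the tail of the fingerprint), else 1.  This only
# catches mangling; at the party it is the full fingerprint that gets compared.
check_sheet() {
    fpr=$(extract_fpr "$1")
    kid=$(extract_keyid "$1")
    case "$fpr" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    last8=${fpr#"${fpr%????????}"}
    [ "$last8" = "$kid" ]
}

# 0 if the fingerprint on a sheet equals one read from the printed master list.
matches_master() {
    [ "$(extract_fpr "$1")" = "$(normalize_fpr "$2")" ]
}
```

Run `check_sheet "$SAMPLE"` on the real output before printing; a mistyped copy such as `MANGLED` fails the check because its last eight digits no longer match the key ID on the pub line.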

At the meeting, Phil will talk about the next few steps you need to take
to post your public key and to sign the keys of the others you validated
at the meeting.
