Keysigning @ DebConf15


As part of the 16th Debian Conference in Heidelberg, Germany there will be OpenPGP (pgp/gpg) keysignings.


Either Daniel Kahn Gillmor (dkg) or Anibal Monsalve Salazar (anibal) will announce the time and venue of a discussion/information session about the keysigning during DebConf15 in particular and modern cryptography in general. It will be followed by a number of keysignings of small groups of people.

What is keysigning and why do it

A keysigning party or meeting is a get-together of at least two individuals who use the PGP encryption system, with the purpose of allowing them to sign each other's keys. Keysigning parties serve to extend the web of trust (WoT) to a great degree. A useful metric of the WoT is the mean shortest distance (MSD) of a key.

Please read chapters one and two of the GnuPG Keysigning Party HOWTO (note: we are doing the party differently, so the other chapters do not apply completely).

Don't you have a strong key yet?

The Debian Project has moved to stronger GPG keys, using SHA256 or better. Please read:

The process to create a new key is documented at

If you plan to migrate your WoT, you should read "HOWTO prep for migration off of SHA-1 in OpenPGP" at by dkg.

Check your key and fix any problem with your key

Please read the document "OpenPGP Best Practices" by dkg, which is available at Its OpenPGP key checks have been implemented by Clint Adams (clint) in the Debian package hopenpgp-tools, and dkg's recommended settings have been put together in a gpg.conf file by Jacob Appelbaum (error). Please check your key with clint's hokey lint command and use error's gpg.conf file as explained in dkg's document.

How will the keysigning happen?

The keysignings will be based on the Efficient Group Key Signing Method by Len Sassaman and Phil Zimmermann, a protocol for doing keysignings in a way that is faster than the one many people may be familiar with.

The deadline has now passed. If you haven't submitted your keys yet, it's too late to get your keys on the list. It's not, however, too late to participate altogether. Bring paper slips or business cards with your gpg fingerprint.

The keysigning steps follow.

Please check that your version of gpg supports the export-clean option.
Please do not encrypt your email.
Please do not send attachments.
Please do not encode your email.
Example with two keys, 0xfedcba98 and 0x76543210, where the signature is made with both keys:
gpg --armor --export-options export-clean,export-minimal --export 0xfedcba98 0x76543210 > publickeyblock
Then clear-sign publickeyblock with your keys 0xfedcba98 and 0x76543210, creating publickeyblock.asc:
gpg --local-user 0xfedcba98 --clearsign --local-user 0x76543210 --clearsign publickeyblock
Then email publickeyblock.asc like so:
mail -s "KeySigning Party @ DebConf15" < publickeyblock.asc
Same example as a one-liner:
gpg --armor --export-options export-clean,export-minimal --export 0xfedcba98 0x76543210 | gpg --local-user 0xfedcba98 --clearsign --local-user 0x76543210 --clearsign | mail -s "KeySigning Party @ DebConf15"
Another one-liner:
(echo -e "To:\nFrom: Your Full Name <>\nBcc:\nSubject: KeySigning Party @ DebConf15\n"; gpg --armor --export-options export-clean,export-minimal --export 0xfedcba98 0x76543210 | gpg --local-user 0xfedcba98 --clearsign --local-user 0x76543210 --clearsign) | sendmail -t
Another one-liner (by Philip Hands):
( KEYS="0xfedcba98 0x76543210" ; \
gpg --armor --export-options export-clean,export-minimal --export $KEYS | \
gpg $(for k in $KEYS; do echo "--local-user $k --clearsign"; done) | \
mail -s "KeySigning Party @ DebConf15" \
At, if you want your name linked to your photo, send an email to
At both the keyring and text files will have corresponding files with their SHA256 checksums. The SHA256 files will be signed with public key 0x947897D8, which can be downloaded from or
To verify the signature of the SHA256 files, download anibal's key from, e.g.:
finger anibal/ | gpg --import
Then run gpg with the verify option (using ksp-dc15.txt.sha256.asc as an example) and compare the signed checksum with the one you compute yourself:
gpg --verify ksp-dc15.txt.sha256.asc
sha256sum ksp-dc15.txt
It is very important that you have verified at home that the fingerprints of your keys printed on the hardcopy are correct.
It is also very important that you have computed the hash of the list at home.
For each participant:
  1. Compare the hash you computed with the other participant's (it will be read out loud).
  2. Ask if the other participant's gpg fingerprints on the hardcopy are correct.
  3. Verify each other's identity by checking preferably a passport or, alternatively, some other form of government-issued ID. Please don't show very old, doubtful or easy-to-fake documents, as people will not sign your key if you do so.
  4. If you are satisfied with the identification, mark on your hardcopy that the other participant's gpg fingerprints are correct and the other participant has been identified.
Please use caff, one of the pgp-tools scripts, to sign keys. The scripts are also available as the Debian package signing-party.
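The list-verification step above is done by eye (gpg --verify, then sha256sum, then compare). The following is an added example, not part of this page or of the DebConf tooling, that parses the clearsigned sha256sum output, compares it with a locally computed digest, and only then considers the list trustworthy; the sample listing and the key-ID suffix check are assumptions, since the page gives the signing key only as the short ID 0x947897D8.

```python
"""Added example: check a keysigning list against its clearsigned SHA256 file."""
import hashlib
import re
import subprocess

SIGNED_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
# sha256sum line: 64 hex digits, a space, then ' ' (text) or '*' (binary), then the name
SUM_LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")
# The page names the signing key only by its short ID 0x947897D8; short IDs are cheap to
# collide, so in real use compare the full fingerprint shown by 'gpg --fingerprint'.
EXPECTED_KEYID_SUFFIX = "947897D8"

# Constructed sample: a clearsigned sha256sum listing whose digest is SHA256("abc");
# the signature block is a placeholder and is never parsed by this code.
SAMPLE_SHA256_ASC = "\n".join([
    SIGNED_BEGIN, "Hash: SHA256", "",
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  ksp-dc15.txt",
    SIG_BEGIN, "(placeholder)", "-----END PGP SIGNATURE-----", ""])


def signed_digests(clearsigned: str) -> dict:
    """Map file name -> hex digest, taken only from the signed body of the message."""
    lines = clearsigned.splitlines()
    if SIGNED_BEGIN not in lines or SIG_BEGIN not in lines:
        raise ValueError("not a clearsigned message")
    body = lines[lines.index(SIGNED_BEGIN) + 1:lines.index(SIG_BEGIN)]
    if "" in body:  # drop the 'Hash: ...' armor headers before the first blank line
        body = body[body.index("") + 1:]
    found = {}
    for line in body:
        if line.startswith("- "):  # undo clearsign dash-escaping
            line = line[2:]
        m = SUM_LINE.fullmatch(line)
        if m:
            found[m.group(2)] = m.group(1).lower()
    return found


def digest_matches(list_bytes: bytes, name: str, clearsigned: str) -> bool:
    """True only if the signed listing names this file and its digest equals ours."""
    return signed_digests(clearsigned).get(name) == hashlib.sha256(list_bytes).hexdigest()


def signature_is_good(sha_asc_path: str) -> bool:
    """gpg --verify with machine-readable status; needs gpg and the organiser's key imported."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sha_asc_path],
                          capture_output=True, text=True)
    return any(l.startswith("[GNUPG:] GOODSIG ") and l.split()[2].endswith(EXPECTED_KEYID_SUFFIX)
               for l in proc.stdout.splitlines())
```

Run signature_is_good() on the downloaded .sha256.asc first; digest_matches() is only meaningful once the signature has been verified, since an unsigned or badly signed listing proves nothing about the list.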



What to bring with you


If you have questions please send them to the mailing list at If you don't want to post to the mailing list, send your questions to,


Special thanks go to Benjamin Mako Hill, who provided the scripts and text used at DebConf4, and to Peter Palfrader, who provided the scripts and text used at DebConf3 and LinuxTag (2003 and 2004); their reuse made putting together this keysigning easy and possible.