Keysigning @ DebConf17


As part of the 18th Debian Conference in Montreal, Canada there will be OpenPGP (pgp/gpg) keysignings.


The time and venue of a discussion/information session about the keysigning in particular and modern cryptography in general will be announced during DebConf17. It may be followed by a number of keysignings of small groups of people.

What is keysigning and why do it

A keysigning party or meeting is a get-together of at least two individuals who use the PGP encryption system with the purpose of allowing them to sign each others keys. Keysigning parties serve to extend the web of trust (WoT) to a great degree. A useful metric of the WoT is the mean shortest distance (MSD) of a key.

Please read chapters one and two of the GnuPG Keysigning Party HOWTO (note: we are doing the party differently, so the other chapters do not apply completely).

Don't you have a strong key yet?

The Debian Project has moved to GPG keys with stronger ones using SHA256 or better. Please read:

The process to create a new key is documented at

If you plan to migrate your WoT, you should read "HOWTO prep for migration off of SHA-1 in OpenPGP" at by Daniel Kahn Gillmor (dkg).

Check your key and fix any problem with your key

Please read the document "OpenPGP Best Practices" by dkg which is available at Its OpenPGP key checks have been implemented by Clint Adams (clint) in the Debian package hopenpgp-tools. Please check your key with clint's hokey lint command.

How will the keysigning happen?

The keysignings will be based on the Efficient Group Key Signing Method by Len Sassaman and Phil Zimmermann which is a protocol to do keysignings in a way that is faster than the way many people may be familiar with.

The deadline has now passed. If you haven't submitted your keys yet, it's too late to get your keys on the list. It's not, however, too late to participate altogether. Bring paper slips or business cards with your gpg fingerprint.

The keysigning steps follow.

Please check that your version of gpg does support the export-clean option.
Please do not encrypt your email.
Please do not send attachments.
Please do not encode your email.
Example with two keys 0xfedcba9876543210 and 0x0123456789abcdef, signature is made with both keys 0xfedcba9876543210 and 0x0123456789abcdef:
gpg --armor --export-options export-clean,export-minimal --export 0xfedcba9876543210 0x0123456789abcdef > publickeyblock
Then clear-sign publickeyblock with your keys 0xfedcba9876543210 and 0x0123456789abcdef creating publickeyblock.asc:
gpg --local-user 0xfedcba9876543210 --clearsign --local-user 0x0123456789abcdef --clearsign publickeyblock
Then email publickeyblock.asc as so:
mail -s "KeySigning Party @ DebConf17" < publickeyblock.asc
Same example as a one-liner:
gpg --armor --export-options export-clean,export-minimal --export 0xfedcba9876543210 0x0123456789abcdef | gpg --local-user 0xfedcba9876543210 --clearsign --local-user 0x0123456789abcdef --clearsign | mail -s "KeySigning Party @ DebConf17"
Another one-liner:
(echo -e "To:\nFrom: Your Full Name <>\nBcc:\nSubject: KeySigning Party @ DebConf17\n"; gpg --armor --export-options export-clean,export-minimal --export 0xfedcba9876543210 0x0123456789abcdef | gpg --local-user 0xfedcba9876543210 --clearsign --local-user 0x0123456789abcdef --clearsign) | sendmail -t
Another one-liner (by Philip Hands):
( KEYS="0xfedcba9876543210 0x0123456789abcdef" ; \
gpg --armor --export-options export-clean,export-minimal --export $KEYS | \
gpg $(for k in $KEYS; do echo "--local-user $k --clearsign"; done) | \
mail -s "KeySigning Party @ DebConf17" \