After a user generates a GPG keypair, the next step is to exchange public keys with the people the user wants to communicate with securely. The user also needs to sign GPG keys: the user's own as well as those received from others. What does signing a public key mean, why should it be done, and how do users exchange public keys in the first place? Let's look at each of these in more detail.
What is the signing of GPG keys?
A user's public key is meant to be distributed to everyone, so no confidential channel is needed to hand it out. What an ordinary channel does not give is authenticity: anyone can generate a key, attach someone else's name and e-mail address to it and publish it. Unless the recipient checks, an attacker can pass off such a forged key as the victim's, and anything encrypted to it is readable by the attacker instead.
When a user receives someone's public key, the user must be certain that it really belongs to the claimed owner and not to someone else. GPG addresses this with the signing of keys.
A user signs another person's public key (strictly speaking, one of its user IDs) to vouch that the key belongs to that person. This should only be done after checking the key's fingerprint out of band, for example in person or over the phone. When a user later receives a public key, the user can look at who has signed it: if someone the user already trusts has signed the key, that signature is evidence that the key is genuine. A signature from a stranger proves nothing, and the more independent trusted signers a key has, the stronger the case for it.
If a user ID or a signature on the key has been tampered with, that signature no longer verifies: gpg --check-sigs marks it "sig-" instead of "sig!", and gpg warns about the bad or invalid signature when the key is imported into the keyring or listed.
How to sign a GPG key?
One can sign a GPG key, after verifying its fingerprint out of band, with the following command (the key ID or fingerprint selects the key to sign):
# gpg --sign-key <keyid>
The signature is stored in the user's keyring and is exported together with the key, so others will see it. To record a check privately, gpg's --lsign-key command makes a local, non-exportable signature instead.
How to list the signatures of a GPG key?
One can use the following command to see who has signed a particular public key:
# gpg --list-sigs <user-id>
This only lists the signatures. To have gpg actually verify them against the signers' public keys in the keyring, use gpg --check-sigs <user-id>, which marks each verified signature with "!" and each bad one with "-".
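The whole procedure above, from key generation through the fingerprint check, signing and listing the signatures, as an added example that is not part of the original article. It uses three throwaway keyrings for made-up users Alice, Bob and Carol under a temporary GNUPGHOME, so it leaves the real keyring alone; the e-mail addresses are invented. It needs GnuPG 2.1 or newer for --quick-generate-key and --quick-sign-key (the non-interactive form of --sign-key).

```sh
#!/bin/sh
# Added example, not from the original article: three throwaway keyrings
# (Alice, Bob, Carol; all names and addresses are made up) walk through the
# key exchange, the out-of-band fingerprint check, signing, and listing /
# verifying the signatures. Requires GnuPG 2.1 or newer.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg is required" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'for h in alice bob carol; do GNUPGHOME="$WORK/$h" gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

# g <user> <gpg args...>: run gpg non-interactively inside <user>'s own keyring.
# The empty passphrases are acceptable only because these keys are thrown away.
g() {
    d="$WORK/$1"; shift
    [ -d "$d" ] || mkdir -m 700 "$d"
    GNUPGHOME="$d" gpg --batch --no-tty --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# fpr <user> <user-id>: primary-key fingerprint of <user-id> as held in <user>'s keyring.
fpr() {
    g "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# sig_status <viewer> <user-id> <signer-keyid>: verification flag of the signature
# <signer-keyid> made on <user-id>, as seen from <viewer>'s keyring:
# "!" good, "-" bad, "%" error; empty if no such signature is present.
sig_status() {
    g "$1" --with-colons --check-sigs "$2" |
        awk -F: -v k="$3" '$1 == "sig" && $5 == k { print $2; exit }'
}

# 1. Alice and Bob each generate a keypair (default algorithm, never expires).
g alice --quick-generate-key 'Alice <alice@example.com>' default default never
g bob   --quick-generate-key 'Bob <bob@example.com>'     default default never

# 2. Bob publishes his public key and Alice imports it. Nothing secret travels here.
g bob --armor --export bob@example.com > "$WORK/bob.asc"
g alice --import "$WORK/bob.asc"

# 3. Before signing, Alice compares the fingerprint of the key she received with
#    the one Bob gave her out of band (in person, by phone, on a business card).
#    The out-of-band value is simulated by reading it straight from Bob's keyring.
OUT_OF_BAND="$(fpr bob bob@example.com)"
RECEIVED="$(fpr alice bob@example.com)"
[ "$RECEIVED" = "$OUT_OF_BAND" ] || { echo "fingerprint mismatch: refusing to sign" >&2; exit 1; }

# 4. Alice certifies Bob's key. --quick-sign-key takes the full fingerprint, so
#    there is no ambiguity about which key gets signed.
g alice --quick-sign-key "$RECEIVED"
g alice --list-sigs bob@example.com >&2   # Bob's self-signature plus Alice's certification

# 5. Carol gets Bob's key from Alice (Alice's signature travels with it) and
#    Alice's own public key, so she can verify who vouched for Bob.
g alice --armor --export alice@example.com > "$WORK/alice.asc"
g alice --armor --export bob@example.com   > "$WORK/bob-signed.asc"
g carol --import "$WORK/alice.asc" "$WORK/bob-signed.asc"

# The long key ID is the last 16 hex digits of the fingerprint.
ALICE_KEYID="$(fpr alice alice@example.com | awk '{ print substr($0, length($0) - 15) }')"
ALICE_SIG_STATUS="$(sig_status carol bob@example.com "$ALICE_KEYID")"
echo "Carol sees Alice's signature on Bob's key as: $ALICE_SIG_STATUS"   # "!" = verified good
```

Step 3 is the part people skip and the one that matters: the import in step 2 would have succeeded just as happily with a forged key carrying Bob's name. Carol's view in step 5 is the web of trust in miniature: she can only verify Alice's certification because she also holds Alice's public key, and whether that certification means anything to her depends on how much she trusts Alice to check fingerprints before signing.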
Why should I sign my own GPG key?
One should also sign one's own key (GnuPG does this automatically when the key is generated: each user ID carries a self-signature binding it to the primary key, which is what makes tampering with a user ID detectable). It will give the key a certain level of trust that the key is …