GPG Key Signing Party

From 23C3 Public Wiki



When and where?

Update: Mutax is doing KSP on Day 4 at 15:00h (3 pm) at the Workshop Room.

Meanwhile, organise yourselves. Suggestions: bring enough fingerprints and wear an "I sign your Key" notice.

What is a keysigning Party?

The main intention of a keysigning party is to improve your personal web of trust.
When you create a PGP key, nobody knows if it really belongs to you. (You can create keys for any name you want.) Therefore, people meet at keysigning parties and compare the data on a person's key with his or her passport or other official documents, or compare the signatures already on that key with those they already trust. If they believe that key and person belong to each other, they will sign your key.

You can improve the trust level of your key and you'll also meet some interesting people. ;-)

As PGP/GPG keys are mostly used for email, it's very important to check the email address and user name. There are some programs, e.g. caff, which will help with this task. (Note: the link between the name/ID and the email/key isn't ensured by this procedure.) Please look at "Another reason..." at 20C3-Wiki for a further discussion.

What can I do to participate?

Registration closed: The registration period for the keysigning is now closed. If you want to join the keysigning and have not registered yet, please print out lots of fingerprints and join us.

  1. Download the list of all participants and print it.
  2. Check your key(s) on the list and contact me if there are any mistakes.
  3. Calculate the MD5 or SHA1 hash of the list and enter these values into the corresponding fields.
  4. Take the list and your passport to Berlin and enjoy the keysigning party :-)

It is often useful to see which keys you have already signed. For this you can use Uli Martens' gpgsigs script together with the list of all participants and the public keyring. The script is very simple to use:

gpgsigs keyid [<keyring> [<keytxt> [<outfile>]]]

It outputs a list similar to the above mentioned, but shows an "S" in front of every uid that is signed by your key.


Last year there were some problems with the encoding of the file: some people used UTF-8, while others used ISO-8859-1. This resulted in different MD5 and SHA1 sums, which meant that all fingerprints needed to be checked manually. It would be nice if we could all use the same encoding this time.

Because the default encoding of gpgsigs is ISO-8859-1, we will be using the ISO-8859-1 encoding. You can download the file with the correct encoding from To make sure that everybody uses the right encoding, please check whether the first digits of your checksums match these:

MD5 Checksum:  27 5D __ __ __ __ __ __    __ __ __ __ __ __ __ __
SHA1 Checksum: ED50 ____ ____ ____ ____    ____ ____ ____ ____ ____
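
Added example (not part of the original wiki page and not part of gpgsigs): a small Python script that computes the MD5 and SHA1 sums of the participant list in the grouping used above, guesses whether the file is UTF-8 or ISO-8859-1, and converts UTF-8 to ISO-8859-1 before hashing, so the encoding mismatch described above cannot change the sums. The sample entry and all function names are constructed for illustration.

```python
import hashlib
import sys

# Constructed sample entry (not from the real participant list), saved as UTF-8.
SAMPLE_UTF8 = "pub 1024D/DEADBEEF 2006-01-01 Jörg Example <joerg@example.org>\n".encode("utf-8")

def grouped(hexdigest, size):
    """Upper-case hex digest split into groups, as printed on the list."""
    h = hexdigest.upper()
    return " ".join(h[i:i + size] for i in range(0, len(h), size))

def list_checksums(data):
    """MD5 in byte pairs and SHA1 in 4-digit groups over the raw file bytes."""
    return {"MD5": grouped(hashlib.md5(data).hexdigest(), 2),
            "SHA1": grouped(hashlib.sha1(data).hexdigest(), 4)}

def guess_encoding(data):
    """Return 'ascii', 'utf-8' or 'iso-8859-1' for the list bytes (heuristic)."""
    if all(b < 0x80 for b in data):
        return "ascii"  # identical bytes in both encodings
    try:
        data.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "iso-8859-1"

def as_latin1(data):
    """Convert a UTF-8 list to ISO-8859-1; other input is returned unchanged.
    Raises UnicodeEncodeError if a name has characters outside ISO-8859-1."""
    if guess_encoding(data) == "utf-8":
        return data.decode("utf-8").encode("iso-8859-1")
    return data

def matches_prefix(checksum, published_prefix):
    """Compare a computed checksum with the published leading digits."""
    strip = lambda s: s.replace(" ", "").upper()
    return strip(checksum).startswith(strip(published_prefix))

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_UTF8
    print("detected encoding:", guess_encoding(raw))
    for name, value in list_checksums(as_latin1(raw)).items():
        print(f"{name} (ISO-8859-1): {value}")
```

Run it with the path to the downloaded list as the only argument; without an argument it hashes the constructed sample entry.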

Hints for signing Usernames

Before signing usernames, please read/watch/listen to and understand "Breaking Down the Web of Trust" (Video, Audio).

How does the whole thing work?

We will meet at the above-mentioned time and compare the MD5/SHA1 values that everyone has calculated on their own. If these values are all equal, everyone has the same version of the list. After that we form a long line and everyone checks the fingerprint and passport of the person opposite.
When you return home and have recovered from the strains of 23C3, sign all keys which you believe are valid.

Who's participating?

Please see the list of all participants.
FYI: there is a graph of the participants from before the KSP.
You can find a more current graph (as of 2007-01-02) here

Where do I get further information?

If you have further questions about the keysigning party, you may want to have a look at the Keysigning Party HOWTO or just mail your questions to If you have general questions about maintaining your keyring, you should read the GPG Mini HOWTO, the GNU Privacy Handbook or the GnuPG FAQ
