[Q] Uploading my public key to a key server.

Neil Williams linux@codehelp.co.uk
Sun May 11 12:23:02 2003



On Sunday 11 May 2003 4:07 am, Daniel Carrera wrote:
> > > Alright, I have a brand-new 2048-bit ElGamal key and I want to
> > > upload it to a keyserver.  How do I do that?

> Who assigns the keyid?  Is that derived from my public key?

Yes. The keyid is part of the keypair. When you generate a new key, a new 
keyid is calculated. (It was displayed when you created the key.)

> If so, how do I find out what my keyid is?

You get the keyid from the --list-keys output:
gpg --list-keys

pub  1024D/28BCB3E3 2002-01-27 Neil Williams (CodeHelp) <linux@codehelp.co.uk>

The keyid follows the / so mine is 28BCB3E3.
pub = public key
1024 = keysize
D = keytype (I think)
then the creation date, name, comment and email address.

List the keys, locate your own (sounds like you only have your own or maybe a 
few others in your ring so far) and make a note of it. With more use of 
GnuPG, you'll be able to remember the keyid. You'll need the keyid for all 
your future work with GnuPG and if you want to use other email clients - like 
KMail - to sign emails.

> For that matter, how do I find out what my public key is so I can post it
> somewhere?

The public key should be exported as a text file and then you can post it to a 
site, either as a .txt file or as .asc - take a look at 
http://www.codehelp.co.uk/html/neilwilliams.html

To create the file, use:
gpg -a --output mykey.asc --export <keyid> 

You can then view the contents of the file to verify that it contains a 
keyblock:
cat mykey.asc

> > Indirectly it does.  When you sign a message, the keyid of the
> > signing key is included in the signature.
>
> Could you show me where?  Here is your signature.  I can't discern where
> the keyid is (yes, I know you also had your keyid elsewhere in your email,
> but not everyone does that).

The way that the signature is displayed is down to your choice of email 
client. I use KMail which clearly shows the keyid of all signed emails, my 
own and everyone else's, between the headers and the body of the message. 
Others here should be able to help you find the keyid and verification 
details in Mutt.

> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.2 (GNU/Linux)
> >
> > iD8DBQE+vbq8cieIIFcDdHIRArPhAJ9Z4u+gH5noEUxwJsPY38vfE5q/YgCfd3NB
> > mZpb4qvkGSeFUnMwSo9Osdo=
> > =tLPX
> > -----END PGP SIGNATURE-----

The keyid is retrievable from this sig but only with the original email. It 
depends on how the email has been constructed and the easiest ones I've 
verified on the command line are ones that use the old 'inline' signature, 
not the MIME type (as used in this email). I'm not sure how Mutt helps you 
distinguish between the two as KMail does.

I think you are referring to the email from Brian Minton sent on Sun May 11 
03:51:41 2003 - this is actually an 'inline' message. Save this email to a 
file (unchanged) with a simple filename: test.asc and use gpg to verify:

gpg --verify test.asc

gpg: Signature made Sun May 11 03:51:40 2003 BST using DSA key ID 57037472
gpg: Good signature from "Brian Minton <brian@minton.name>"
gpg:                 aka "Brian Minton <bminton@efn.org>"
gpg:                 aka "Brian Minton <minton@csc.smsu.edu>"
gpg:                 aka "Brian Minton <minton@math.smsu.edu>"
gpg:                 aka "Brian Minton <bminton@freeshell.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 81BE 3A84 A502 ABDD B2CC  4BFD 7227 8820 5703 7472

The keyid is clearly shown. The key is not certified because I haven't met 
Brian to exchange and verify the key so I haven't signed it. You should get 
the same warning. Don't start signing keys until you've learnt more about key 
verification, keysigning events and fingerprint verification. (Most of the 
keys I have signed have also signed my own key. gpg --list-sigs will show 
those - most will show up as unknown because they aren't members of this list 
but all are available from keyservers.) Before I signed these keys, I 
verified their email addresses over a period of many months of private and 
list correspondence (using mostly signed emails), I arranged a meeting with 
the people concerned, verified photographic ID for each one to match the name 
against the physical person (new photo type driving licence or passport) and 
then verified the fingerprint of the key with a printed copy given to me by 
that person at the meeting. Each stage is important to make sure you really 
do have the right person, the right email address and the right key - by 
signing a key, you are claiming to have verified all three as accurate.

>
> Thanks again,

-- 

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://www.wewantbroadband.co.uk/
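
Added example, not part of the original message: a small Python parser showing where the keyid sits inside the signature block quoted above, and that it matches the "DSA key ID 57037472" line in the gpg --verify output. The function names are illustrative, and the parser handles only the old-format version 3 signature packet that this block contains (version 4 signatures carry the issuer in a subpacket instead).

```python
import base64
import struct
from datetime import datetime, timezone

# Signature block quoted in the message above (taken from the page, not constructed).
ARMORED_SIG = """\
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+vbq8cieIIFcDdHIRArPhAJ9Z4u+gH5noEUxwJsPY38vfE5q/YgCfd3NB
mZpb4qvkGSeFUnMwSo9Osdo=
=tLPX
-----END PGP SIGNATURE-----
"""

PUBKEY_ALGOS = {1: "RSA", 16: "ElGamal", 17: "DSA"}  # subset of the OpenPGP IDs


def dearmor(text):
    """Return the raw packet bytes from an ASCII-armored block."""
    lines = text.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an ASCII-armored OpenPGP block")
    blank = lines.index("")  # armor headers end at the first empty line
    # Skip the trailing "=XXXX" CRC-24 line; it is not part of the packet.
    data = [l for l in lines[blank + 1:-1] if not l.startswith("=")]
    return base64.b64decode("".join(data), validate=True)


def parse_v3_signature(packet):
    """Decode the fixed header of an old-format, version 3 signature packet."""
    tag_octet, length = packet[0], packet[1]
    # Old format: bit 7 set, bit 6 clear, tag in bits 5-2, length type in bits 1-0.
    if (tag_octet & 0xC0) != 0x80 or ((tag_octet >> 2) & 0x0F) != 2 or (tag_octet & 0x03) != 0:
        raise ValueError("expected an old-format signature packet with 1-octet length")
    body = packet[2:2 + length]
    if len(body) != length or body[0] != 3 or body[1] != 5:
        raise ValueError("truncated packet or not a version 3 signature")
    sig_type, created, key_id, pk_algo, hash_algo = struct.unpack(">BI8sBB", body[2:17])
    return {
        "sig_type": sig_type,                      # 1 = signature over text
        "created": datetime.fromtimestamp(created, tz=timezone.utc),
        "key_id": key_id.hex().upper(),            # full 64-bit issuer keyid
        "short_key_id": key_id.hex().upper()[-8:], # 8-digit form gpg printed above
        "pubkey_algo": PUBKEY_ALGOS.get(pk_algo, str(pk_algo)),
        "hash_algo": hash_algo,                    # 2 = SHA-1
    }
```

The keyid in the packet only tells gpg which public key to look up; it proves nothing until the signature verifies against that key and the key's fingerprint has been checked.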

