How to get your first key signed

Robert J. Hansen rjh at sixdemonbag.org
Wed Sep 30 21:58:51 CEST 2015


> I create for myself a gpg key and want to get it signed

More important than whether your certificate gets signed is who signs
the certificate, who they are connected to, and so on.

Some people will sign almost anything.  People who get a reputation for
signing anything develop a reputation for their signatures being
meaningless.  Some people have very strong requirements before they'll
sign.  Their signatures are often worth quite a lot of credibility, but
good luck getting them.

The good news is this *can be done*.  I promise.

The best thing you can do right now is to get involved in the community.
Get engaged in the mailing lists (here, PGP-Basics, Enigmail-Users are
three good ones).  And when you post, sign your messages.  Over time
people will come to trust that your signature connects to the real you,
even if they can't promise that your name really is David Niklas, or
can't say what you look like.

Once you've got a couple of years' track record of consistently using
the same certificate, consistently contributing to mailing lists and
FOSS projects, consistently being part of the solution and not part of
the problem ... I promise, you'll find people who are willing to vouch
for you.

There is no quick way, no shortcut.  But I think you'll find that
although it takes a while, it isn't hard, either.  :)

> Now, I'm a student (think penniless), and live in a rural area 100mi
> from the nearest LUG and people out here are _very_ computer illiterate
> to the point where educated people think that turning a computer off
> will damage it, or that the computer loses power (1GHz becomes .2GHz),
> as it grows older.

I grew up on a farm in the middle of nowhere.  I know *exactly* what
that's like.

> I want to develop FOSS and feel obligated to get a key to protect users
> of the software I'm modifying from MITM attacks.

So, first, host your software publicly, somewhere that it's easy to
find.  GitHub works great, but there are a lot of options.  On whatever
page you use for your FOSS work, put a notice that says "My GnuPG
certificate is 0xDEADBEEFDECAFBAD, and you can download signatures for
all the tarballs over here."

It works.  Seriously.  :)

Welcome to the community!
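Added example (editor's addition, not part of Hansen's message or of any project's release tooling): the "publish the fingerprint, ship detached signatures next to the tarballs" workflow from the reply above, carried through on both sides. The maintainer side generates a key, signs a tarball and prints the fingerprint notice; the downloader side verifies the signature the way it should be verified, by checking that gpg's VALIDSIG status line names exactly the advertised fingerprint, and then confirms that a tarball altered in transit is rejected. It assumes GnuPG 2.1 or later (for --quick-generate-key and --pinentry-mode loopback) plus awk and grep; the project name, file names and user ID are made up, the tarball is a constructed stand-in, and everything runs in a throwaway GNUPGHOME that is deleted afterwards.

```shell
#!/bin/sh
# Added example, not from the original post: sign a release tarball with a
# detached OpenPGP signature and verify it against the fingerprint the
# project page advertises, not against "whatever key gpg found".
# Runs in a throwaway GNUPGHOME with a throwaway, unprotected demo key;
# project name, file names and user ID are assumptions.
set -eu

# gpg wrapper: non-interactive, empty passphrase via loopback so no
# pinentry dialog is needed (the demo key is created without protection).
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Downloader's check: succeed only if gpg reports VALIDSIG for exactly the
# expected fingerprint ($3). A "good signature" from some other key, e.g.
# one a man-in-the-middle substituted along with the tarball, fails here.
verify_release() {  # $1 = detached signature, $2 = file, $3 = expected fingerprint
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# Returns 0 if the genuine tarball verifies and a tampered copy does not,
# 1 on any mismatch, 2 if gpg is not installed (nothing to demonstrate).
demo_release_signing() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; return 2; }
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupghome"
    mkdir -m 700 "$GNUPGHOME"
    echo "allow-loopback-pinentry" > "$GNUPGHOME/gpg-agent.conf"

    # 1. Maintainer: one long-lived signing key (here a fresh ed25519 demo key).
    g --quick-generate-key "Demo Maintainer <demo@example.invalid>" ed25519 sign 0
    fpr=$(g --with-colons --list-keys | awk -F: '/^fpr:/ { print $10; exit }')
    echo "Project page would say: My GnuPG certificate is $fpr; signatures are next to the tarballs."

    # 2. Maintainer: the tarball (constructed stand-in) and its detached, armored signature.
    tarball="$work/demo-0.1.tar.gz"
    printf 'stand-in for the release tarball\n' > "$tarball"
    g --armor --detach-sign --output "$tarball.asc" "$tarball"

    # 3. Downloader: verify the tarball against the advertised fingerprint.
    rc=0
    if ! verify_release "$tarball.asc" "$tarball" "$fpr"; then
        echo "genuine tarball did NOT verify"; rc=1
    fi
    # 4. A copy altered in transit must be rejected, even by one trailing byte.
    tampered="$work/demo-0.1.tar.gz.mitm"
    cp "$tarball" "$tampered"; printf 'x' >> "$tampered"
    if verify_release "$tarball.asc" "$tampered" "$fpr"; then
        echo "tampered tarball verified (it must not)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: genuine tarball verified, tampered copy rejected"
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return "$rc"
}

# Run when executed directly; a return of 2 (no gpg present) is not a failure.
demo_release_signing || [ $? -eq 2 ]
```

The part worth copying is verify_release: `gpg --verify` alone exits 0 for a good signature from any key in the downloader's keyring, so a downloader who has fetched "the" key from a keyserver or from the same compromised mirror learns nothing. Comparing the VALIDSIG fingerprint with the one published on the project page is what actually ties the tarball to the maintainer.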
