In order to help make a digital signature trustworthy you can ask people you know who also own gpg identities to sign yours. This in turn allows for the web of trust to be bootstrapped by people signing and verifying each others gpg identities.

In order to sign a gpg identity, one needs to :

  • Import the user’s public key, (mine can grabbed from here):
    gpg --import somePubKey.asc
  • Check the identities fingerprint:

    gpg --fingerprint PubKeyHexValue

  • Given that you are convinced the key belongs to whoever you think it should, sign the key:

    gpg --sign-key PubKeyHexValue

  • Send the signed key back to your keyserver:
    gpg --send-keys PubKeyHexValue

I sign all of my emails using my gpg public key, it should be noted that only emails sent from my laptop can sign be signed using this identity. I should thank my former colleagues from the University of Southampton who signed by gpg identity, they have done their little bit to help bootstrap the Web of Trust.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.