GPG/Keysigning
Date: 2023-10-18
Difficulty: Beginner
Delivered By: Skyler Mansfield
What is GPG/Keysigning?
GPG keysigning, a crucial part of the web of trust in OpenPGP/GPG environments, involves users digitally verifying and vouching for the authenticity of each other's public keys. This process leverages asymmetric cryptography.
Users create key pairs:
- A public key (for encryption and verification)
- A private key (for decryption and signing)
When one user signs another user's public key with their private key, it signifies trust and confidence in the key's association with the claimed identity. These trust relationships create a network of verified keys, enhancing the reliability of secure communication and file integrity validation. The web of trust grows as more participants sign each other's keys, indirectly extending trust to keys they haven't personally validated.
Prerequisites
This page covers the basics of using GPG on Windows, Linux and macOS: https://sucss.org/docs/pgp
Windows
For the challenges you need the Gpg4win software.
Linux
Install the command-line gpg software
sudo apt-get install gpg
For GNOME environments, the Seahorse application can manage keys graphically. The seahorse-nautilus plugin integrates with Nautilus (this assumes you are using Nautilus as your file manager) to add encrypt/sign/verify/decrypt options within the file manager.
sudo apt-get install seahorse seahorse-nautilus
MacOS
Install the GPG Toolkit
Challenge
You'll get to create your own key pairs that will enable you to communicate securely with each other and verify that files haven't been tampered with. We'll also be using a keyserver so you can sign each other's keys and be able to trust people through a web of trust.
Session Link
The link to the session is https://gpg.sucss.org/