How to hold a keysigning meeting: Step by step instructions

(Taken from alt.security.pgp)
(For smaller groups you might prefer this method)

Before the meeting

  1. Each participant extracts his/her own public key in ASCII-armored form with pgp -kxa and e-mails it to the person who is the designated Key Repository (KR) for the meeting.
  2. KR forwards each key he/she receives to all the other participants, so that everyone will have all pertinent keys.
  3. KR adds each received public key (including her/his own) to a special keyring (specring.pgp) using pgp -ka <keyfilename> specring.pgp, once all the public keys for the meeting have been gathered.

During the meeting

  1. The participants gather, and KR distributes photocopies of a printout of pgp -kvc specring.pgp, the fingerprint listing of the special keyring, so that everyone has a list of the relevant key fingerprints.
  2. Each participant in turn reads aloud the fingerprint of his/her own public key, reading not from the printout but from the output of pgp -kvc run on his/her own copy of the key. Everyone else compares the fingerprint that was read aloud with the one listed for that key on the printout. Reading from one's own copy is what gives this step its value: a key that was altered or substituted on its way to KR shows up here as a mismatch.
  3. Each participant in turn provides positive photo ID. Everyone else who accepts that ID marks that person's verified fingerprint on the printout, to indicate that the public key in question is signable.

After the meeting

  1. Participants who want to verify not only the identities of the other participants but also that the e-mail addresses in the user-ID fields of the keys really belong to them may take an additional step: exchange secret passwords in person at the meeting, then send them afterwards by e-mail to the addresses on the public keys. Receiving the right password back from an address shows that the person met at the meeting can read mail there.
  2. Privately, each participant signs those keys for which acceptable ID was provided (pgp -ks <userid>), extracts each newly signed key with pgp -kxa, and e-mails the extracted, newly signed key to its owner.
  3. Each participant who receives a newly signed copy of her/his own public key should add that key to his/her own public keyring using pgp -ka. When all expected signatures have been added, the participant should (re)submit her/his public key to a keyserver, so that the new signatures can be widely distributed.
  4. KR should delete specring.pgp, which is no longer necessary.
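The fingerprint comparison in step 2 of the meeting, written out as an added example (not part of the original page): a small Python script that parses a printout in the pgp -kvc layout shown further down on this page and checks a read-aloud fingerprint against it. The first sample entry is the one printed on this page; the second entry, and the function names, are constructed for the example.

```python
import re

# Sample printout in the 'pgp -kvc' layout shown on this page. The first entry is the
# one printed on the page; the second is constructed for the example and is not a real key.
SAMPLE_PRINTOUT = """\
Type bits/keyID    Date       User ID
pub  1024/3CE27349 1994/05/27 David C. Byron
Key fingerprint =  A4 57 4D 7F F9 87 EC E4  D9 15 C3 D8 6A 9F 60 0B
pub  1024/7B2D19F0 1994/06/02 Erika Mustermann <erika@example.org>
Key fingerprint =  0C 3E 91 5A B7 2D 44 F1  8E 60 AA 13 D2 7C 09 E5
"""

PUB_RE = re.compile(r"^pub\s+(\d+)/([0-9A-Fa-f]{8})\s+(\S+)\s+(.*)$")
FPR_RE = re.compile(r"^Key fingerprint\s*=\s*(.+)$")


def normalize_fingerprint(text):
    """Reduce a printed or spoken fingerprint to 32 upper-case hex digits.

    Byte groups, double spaces and lower case are all tolerated, because that is how
    fingerprints get read out; any other length is refused rather than partially matched.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).upper()
    if len(digits) != 32:  # PGP 2.x fingerprints are 16 MD5 bytes
        raise ValueError("expected 32 hex digits, got %d" % len(digits))
    return digits


def parse_printout(text):
    """Map each 8-digit key ID on the printout to its bits, date, user ID and fingerprint."""
    keys = {}
    pending = None  # the 'pub' entry whose fingerprint line has not been seen yet
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            bits, keyid, date, userid = m.groups()
            pending = {"bits": int(bits), "date": date,
                       "userid": userid.strip(), "fingerprint": None}
            keys[keyid.upper()] = pending
            continue
        m = FPR_RE.match(line)
        if m and pending is not None:
            pending["fingerprint"] = normalize_fingerprint(m.group(1))
            pending = None
    return keys


def check_spoken_fingerprint(keys, keyid, spoken):
    """Meeting step 2: does what the owner read aloud match the printout entry for that key ID?

    Returns (ok, reason). Only a full fingerprint match counts; the 8-digit key ID by itself
    is too short to identify a key and must never be what you tick off on the printout.
    """
    entry = keys.get(keyid.upper())
    if entry is None or entry["fingerprint"] is None:
        return False, "key ID %s has no fingerprint on the printout" % keyid
    try:
        heard = normalize_fingerprint(spoken)
    except ValueError as exc:
        return False, "could not read fingerprint: %s" % exc
    if heard != entry["fingerprint"]:
        return False, "fingerprint for %s does not match the printout: do not mark it" % keyid
    return True, "fingerprint for %s (%s) matches: ID check can proceed" % (keyid, entry["userid"])


if __name__ == "__main__":
    table = parse_printout(SAMPLE_PRINTOUT)
    # What the owner of 3CE27349 reads from his own 'pgp -kvc' output, in his own spacing and case.
    print(check_spoken_fingerprint(table, "3ce27349",
                                   "a4 57 4d 7f f9 87 ec e4 d9 15 c3 d8 6a 9f 60 0b"))
    # One byte off at the end: must be rejected.
    print(check_spoken_fingerprint(table, "3CE27349",
                                   "A4 57 4D 7F F9 87 EC E4  D9 15 C3 D8 6A 9F 60 0C"))
```

The normalization step matters in practice: participants read fingerprints in different groupings and cases, and a comparison that fails on whitespace would tempt people to wave through "close enough". The opposite failure, accepting a prefix or the key ID alone, is the one the script refuses outright.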

Also, for smaller groups, webules, or privemes, you may want simply to exchange the slips of information suggested by Martien Remijn, containing your key's data.

Cut the following passage, insert the fingerprint of your own public key, and print it. Sign the printouts by hand, and give them to your friends. - Peter.

I no longer have Martien's version of this, but here's my mock-up:


Please sign my PGP public key

This piece of paper will allow you to assess the validity of my PGP public key. Verify who I am by asking me for my identification.

Now, this paper will link me to the public key which can be obtained from the various pgp public key servers. Once you have the public key in your possession, you can verify whether the result of the fingerprint command (pgp -kvc) is the same as the fingerprint printed below. If it is, then you can be sure you have my key.

Type bits/keyID    Date       User ID
pub  1024/3CE27349 1994/05/27 David C. Byron 
Key fingerprint =  A4 57 4D 7F F9 87 EC E4  D9 15 C3 D8 6A 9F 60 0B
If you are sure that I am the person whose key is on the public key servers, you might consider signing that key. Don't worry about any disagreeable things I might do. Signing a key only means that you are sure that a specific person with a specific name [me] claims to be the owner of a specific Email address and a specific public/secret key pair. Signing doesn't mean that you think I'm a nice person! After you sign my key, please encrypt it with my public key and send it to my Email address.


Would you like me to sign your PGP public key?

If you identify yourself and give me your key ID and key fingerprint, I will probably sign your key and send it to you.


If you don't have a PGP public key...

...but are interested in using one, I could help you begin using PGP by signing one key (1024 bits) that you generate in the upcoming 2 weeks. If you wish to do this, I advise you to read the two PGP-documents and the PGP-faq first. You may Email me for information about where to find PGP, the PGP-documents, the PGP-faq, or tools to use PGP with your favorite operating system. If you identify yourself now, you can include the unique random string at the bottom of this paper when you send me your newly created key later. I will write down this random string with your name, Email address, and the date I gave you this paper. If I receive your 1024-bit, self-signed public key with the correct random string, name, and Email address encrypted with my public key within 14 days, I will probably sign your new key and mail it back to you. If any of the pertinent information fails to match, then I will not sign the key! Keep the random string secret until you have received your signed key from me. It's in your own interest.

------------------------------------------------------------------------------

RANDOM STRING:
------------------------------------------------------------------------------
Your Name:                                                 ID verified?:________
Random String:                                             Date:
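The random-string arrangement on the slip, as an added example that is not part of the original page: a Python sketch of the signer's side, recording the random string together with name, e-mail address and date when the slip is handed out, and later checking a submitted key against every rule the slip states (correct string, matching name and address, 14-day window, self-signed 1024-bit key). The class and method names are mine; dates are passed as ISO strings the way they would be copied from the slip.

```python
import secrets
from datetime import date, timedelta

VALIDITY = timedelta(days=14)   # the slip's 14-day window
REQUIRED_BITS = 1024            # the slip only promises to sign a 1024-bit key


class TicketBook:
    """The signer's notebook: random string -> who got it and when (never shown to the key owner)."""

    def __init__(self):
        self._tickets = {}

    def issue(self, name, email, issued_iso):
        """Handing out a slip: generate the random string and record name, e-mail and date."""
        token = secrets.token_hex(8).upper()  # 16 hex digits: unguessable, yet copyable by hand
        self._tickets[token] = {"name": name, "email": email,
                                "issued": date.fromisoformat(issued_iso), "used": False}
        return token

    def verify(self, token, name, email, received_iso, key_bits, self_signed):
        """Decide whether a submitted key may be signed; returns (ok, reason).

        Every rule on the slip is checked, and a ticket is consumed on success so that one
        slip cannot be used to get two different keys signed.
        """
        rec = self._tickets.get(token)
        if rec is None:
            return False, "unknown random string"
        if rec["used"]:
            return False, "this random string has already been used"
        received = date.fromisoformat(received_iso)
        if not (rec["issued"] <= received <= rec["issued"] + VALIDITY):
            return False, "key arrived outside the %d-day window" % VALIDITY.days
        if name != rec["name"] or email.lower() != rec["email"].lower():
            return False, "name or e-mail address does not match what was written down"
        if key_bits != REQUIRED_BITS or not self_signed:
            return False, "key is not a self-signed %d-bit key" % REQUIRED_BITS
        rec["used"] = True
        return True, "everything matches: sign the key and mail it back encrypted"


if __name__ == "__main__":
    book = TicketBook()
    token = book.issue("Erika Mustermann", "erika@example.org", "1994-06-01")
    print(token)
    print(book.verify(token, "Erika Mustermann", "erika@example.org", "1994-06-10", 1024, True))
    print(book.verify(token, "Erika Mustermann", "erika@example.org", "1994-06-11", 1024, True))
```

The random string does the binding work here: it ties the key that arrives weeks later to the person who was identified in person, which is why the slip tells the recipient to keep it secret until the signed key is back. The notebook belongs to the signer alone, so nobody can claim a string that was issued to somebody else.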
