Hi Everyone,
I get asked about keysigning occasionally, and tend to sign the GPG encryption keys of other people that I meet at conferences. For kernel developers, this is mostly important so they can send signed git pull requests as well as apply for a user account on kernel.org to host their kernel developers. Other communities such as Debian rely on GPG encryption for additional uses, so I generally recommend that all developers have a GPG key and have at least three signatures from others on it. See [1] for more information on this.
We have done keysigning parties during Connect in the past, and other conferences have done the same thing. However, this takes a lot of preparation work, requires that everyone shows up at the same time in a room, and has other downsides.
For the coming BKK19 meeting, I would propose a slightly organized but ad-hoc method: Everyone who has a GPG key or who is in one of the groups of people that may need one in the future, please prepare the following steps:
- Make sure that you have a valid GPG key, with at least 2048 bits. If you don't have one, create a fresh RSA-4096 key as documented
- Make sure that you have Linaro business cards with your current full key fingerprint on them. The fingerprint will look like "88AF CD20 6B16 1195 7187 F16B 60AB 47FF C909 5227". If you do not have Linaro business cards, or they do not have the fingerprint on them, order new business cards from [2] as Linaro employees, as described in CascadeGoCloud -> Company-Handbook -> Employee Information. For assignees and member engineers, follow your company procedures. [Question: we used to have Linaro business cards for assignees as well, could we bring that back?]
Then during Connect, try to find those people you closely work with, as well as anyone new to the company, and exchange business cards. Make sure that the cards you hand out actually have the correct key printed on them if you are paranoid.
Once you get home, download the GPG keys from everyone you got cards from, check that the fingerprint matches, then sign and upload them. Note that you should not normally have your own master key on the laptop you travel with, so I assume this will have to be done afterwards.
Arnd
[1] https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html
[2] https://printerbellomarket.co.uk/site/login/linaro
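
The "check that the fingerprint matches" step above, as an added example that is not part of the original message: it compares a fingerprint typed from a business card against the primary-key fingerprint in `gpg --with-colons --fingerprint` output for the downloaded key. The function names and the sample listing are constructed for illustration; only the fingerprint itself is the example from the message.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint` output for one
# downloaded key. The user ID and subkey are made up; the primary
# fingerprint is the example quoted in the message.
SAMPLE_COLONS = """\
pub:-:4096:1:60AB47FFC9095227:1300000000:::-:::scESC:
fpr:::::::::88AFCD206B1611957187F16B60AB47FFC9095227:
uid:-::::1300000000::::Example Developer <dev@example.org>:
sub:-:4096:1:1122334455667788:1300000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1122334455667788:
"""

def normalize(fpr):
    """Strip spaces and colons from a typed fingerprint and require all
    40 hex digits, so a short key ID can never pass as a match."""
    cleaned = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("expected a full 40-hex-digit fingerprint")
    return cleaned

def primary_fingerprints(colons):
    """Return the fingerprint of each primary key: the fpr record that
    directly follows a pub record (field 10 holds the fingerprint)."""
    found, after_pub = [], False
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            found.append(fields[9].upper())
            after_pub = False
        elif fields[0] == "sub":
            after_pub = False  # any later fpr belongs to a subkey
    return found

def card_matches(card_fpr, colons):
    """True only if the listing holds exactly one primary key and its
    fingerprint equals the one printed on the card."""
    keys = primary_fingerprints(colons)
    return len(keys) == 1 and keys[0] == normalize(card_fpr)

if __name__ == "__main__":
    card = "88AF CD20 6B16 1195 7187 F16B 60AB 47FF C909 5227"
    print("match" if card_matches(card, SAMPLE_COLONS) else "MISMATCH, do not sign")
```

Requiring exactly one primary key in the listing keeps a keyserver result with several same-named keys from being accepted by accident.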