
How to get a public key registered with a key server

Prerequisites

Export your public key

gpg --export --armor john@example.com > john_doe.pub

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGiBEm7B54RBADhXaYmvUdBoyt5wAi......=vEm7B54RBADh9dmP
-----END PGP PUBLIC KEY BLOCK-----

About the arguments:

Submit your public key to the key servers

There are currently two common implementations, the modern Hagrid used by openpgp.org and the traditional SKS keyservers. While Phive supports both, the modern pool provided by openpgp.org is checked first.

You can of course upload your public key to both pools, but uploading to either one is sufficient for Phive to find it.

Upload to openpgp.org

  • Go to https://keys.openpgp.org/upload
  • Select the file "john_doe.pub" created in the previous step and click on upload.
  • Follow the instructions sent to you by openpgp.org to finish the registration and proof of ownership.

Upload to sks keyserver pool

  • Select a keyserver from the pool that provides a web interface, for instance https://pgp.mit.edu
  • Paste the content of the file "john_doe.pub" unmodified, including the -----BEGIN and -----END lines, into the form
  • Click on "submit this key to the keyserver!"

Congratulations, you published your public key.

Please allow a couple of minutes for the servers to replicate that information before starting to use the key.

Alternate way to submit your public key to the key servers using the CLI

gpg --keyid-format LONG --list-keys john@example.com
pub   rsa4096/ABCDEF0123456789 2018-01-01 [SCEA] [expires: 2021-01-01]
      ABCDEF0123456789ABCDEF0123456789
uid              [ ultimate ] John Doe

This shows the 16-byte Key-ID right after the key type and key size. In this example it is the part after "rsa4096/" on this line, i.e. ABCDEF0123456789:

pub rsa4096/ABCDEF0123456789 2018-01-01 [SCEA] [expires: 2021-01-01]

The next step is to use this Key-ID to send the key to a keyserver, in our case the MIT one.

gpg --keyserver pgp.mit.edu --send-keys ABCDEF0123456789

Congratulations, you published your public key.

Please allow a couple of minutes for the servers to replicate that information before starting to use the key.

General notes on Security

  • A keyserver does not make any claims about authenticity. It merely provides an automated means to get a public key based on its ID. It is up to the user to decide whether the result is to be trusted, i.e. whether or not to import the public key into the local chain. Do not blindly import a key; at least verify its fingerprint against a value obtained from a trusted source. The phar.io fingerprint information can be found in the footer.
  • Instead of using a keyserver, public keys can of course also be imported directly. Linux distributions, for example, do that by shipping their keys in release packages or in the base OS installation image. Phive will only contact a keyserver if the key used for signing is not already known, i.e. cannot be found in the local chain.
  • A single key is not a chain. Other people or organizations, ideally someone already trusted, need to sign your key with theirs, increasing its trustworthiness and forming the actual chain. It is the same principle as with TLS certificates, where a CA like Let's Encrypt signs your key, and since your browser trusts Let's Encrypt it also trusts your key/certificate. Most projects, though, do not co- or cross-sign their release keys.
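The following shell script is an added example and is not part of the phar.io page or of Phive itself. It ties together the CLI section above (reading the long Key-ID out of the `gpg --keyid-format LONG --list-keys` output) and the first security note (never importing a key fetched from a keyserver without comparing its fingerprint to a value obtained out of band). The listing it parses is a constructed sample in the same layout as the one shown above; the e-mail address, key ID and fingerprint in it are placeholders, and `receive_key_verified` is a hypothetical helper that only runs if `gpg` is installed.

```shell
#!/bin/sh
# Added example (not phar.io/Phive code). Helpers for working with the
# human-readable output of `gpg --keyid-format LONG --list-keys`.

# Constructed sample listing (placeholder values, same layout as the page shows).
SAMPLE_LISTING='pub   rsa4096/ABCDEF0123456789 2018-01-01 [SCEA] [expires: 2021-01-01]
      0123456789ABCDEF0123456789ABCDEF01234567
uid                 [ ultimate ] John Doe <john@example.com>
sub   rsa4096/0123456789ABCDEF 2018-01-01 [E] [expires: 2021-01-01]'

# Print the long (16 hex digit) Key-ID from the first "pub" line read on stdin.
# The ID is the part after the slash in "pub   rsa4096/ABCDEF0123456789 ...".
extract_long_keyid() {
  sed -n 's|^pub[[:space:]]\{1,\}[a-z0-9]\{1,\}/\([0-9A-Fa-f]\{16\}\).*|\1|p' | head -n 1
}

# Print the full fingerprint: the indented line of hex digits below "pub"
# (40 digits for a v4 key; 32..64 accepted so truncated/newer formats parse too).
extract_fingerprint() {
  sed -n 's/^[[:space:]]\{1,\}\([0-9A-Fa-f]\{32,64\}\)[[:space:]]*$/\1/p' | head -n 1
}

# Normalise a fingerprint for comparison: drop spaces/colons, force upper case,
# so "0123 4567 ..." from a web page compares equal to gpg's unspaced form.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# Succeed (exit 0) only if the fingerprint in the listing equals the expected one.
fingerprint_matches() {
  listing="$1"; expected="$2"
  actual=$(printf '%s\n' "$listing" | extract_fingerprint)
  [ -n "$actual" ] && [ "$(normalize_fpr "$actual")" = "$(normalize_fpr "$expected")" ]
}

# Hypothetical helper: fetch a key into a throwaway keyring, check its
# fingerprint against EXPECTED (obtained out of band, e.g. the project's site),
# and only then import it into the real keyring. Requires gpg; not run by default.
receive_key_verified() {
  keyid="$1"; expected="$2"; keyserver="${3:-pgp.mit.edu}"
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
  scratch=$(mktemp -d) || return 2
  chmod 700 "$scratch"
  gpg --homedir "$scratch" --keyserver "$keyserver" --recv-keys "$keyid" >/dev/null 2>&1 \
    || { rm -rf "$scratch"; echo "could not receive $keyid" >&2; return 1; }
  listing=$(gpg --homedir "$scratch" --keyid-format LONG --list-keys "$keyid" 2>/dev/null)
  if fingerprint_matches "$listing" "$expected"; then
    gpg --homedir "$scratch" --export --armor "$keyid" | gpg --import
    rc=$?
  else
    echo "fingerprint of $keyid does not match the expected value; not importing" >&2
    rc=1
  fi
  rm -rf "$scratch"
  return "$rc"
}

# Stand-alone demo on the constructed listing (no gpg needed).
printf 'Key-ID:      %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | extract_long_keyid)"
printf 'Fingerprint: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | extract_fingerprint)"
```

To verify a key you just fetched, call `receive_key_verified ABCDEF0123456789 "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"` with the fingerprint copied from a trusted source such as the project's footer; the key only reaches your real keyring if the two values agree after normalisation.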