Key-signing


Key signing is where one person uses their own OpenPGP (GPG) key to sign a user ID on another person's key. The signature is a public statement that the signer has checked that the key belongs to the person named in that user ID: that the identity attached to the key is genuine and that this person is the one who controls the key. (It says nothing about how well the private half of the key is being protected; a signer has no way to check that.)

This should only be done if you are sure that the person you have met is the owner of the key you are signing. The usual way is to exchange key fingerprints at a face-to-face meeting and to check some identification of the other person against the name in the key's user ID. Compare the full 40-hex-digit fingerprint, matched digit by digit against a copy you obtained yourself, and not just the 8- or 16-digit key ID that tools list by default: a key ID is only the tail end of the fingerprint, and short key IDs can be collided deliberately.
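The following is an added example, not code from the Debian wiki page or from any Debian tool. It shows where the numbers being compared at a key-signing come from: it derives an OpenPGP v4 fingerprint from a public key packet (RFC 4880, sections 5.5.2 and 12.2), takes the long and short key IDs off the end of it, and compares a fingerprint read from a printed slip against the one on the key while refusing to accept a bare key ID. The RSA modulus, exponent and creation time are constructed sample values and not a real key.

```python
import hashlib
import struct

# Added example: OpenPGP v4 fingerprint derivation and fingerprint comparison for a
# key-signing check. The key material below is CONSTRUCTED, not a real RSA key.

HEX = "0123456789ABCDEF"


def _mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit length, then big-endian magnitude."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def rsa_public_key_packet_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public key packet: version, creation time, algorithm 1, MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || two-byte body length || body, rendered as 40 upper-case hex digits."""
    if len(body) >= 0x10000:
        raise ValueError("public key packet body too long for a two-byte length")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID is simply the low 8 bytes of the fingerprint."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """The 32-bit key ID (what older tools print) is the low 4 bytes; 32 bits are cheap to collide."""
    return fingerprint[-8:]


def format_fingerprint(fingerprint: str) -> str:
    """Render as ten groups of four hex digits, the way gpg prints it on a key-signing slip."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, 40, 4))


def looks_like_full_fingerprint(text: str) -> bool:
    """True only for a complete 40-hex-digit v4 fingerprint (spacing and case ignored)."""
    digits = "".join(text.split()).upper()
    return len(digits) == 40 and all(c in HEX for c in digits)


def normalize_fingerprint(text: str) -> str:
    """Strip spacing and case; refuse anything shorter than a full fingerprint, such as a key ID."""
    if not looks_like_full_fingerprint(text):
        raise ValueError("need the full 40-hex-digit fingerprint, not a key ID")
    return "".join(text.split()).upper()


def fingerprints_match(printed: str, from_key: str) -> bool:
    """True only if the slip and the key carry the identical full fingerprint."""
    return normalize_fingerprint(printed) == normalize_fingerprint(from_key)


# Constructed sample key (assumption: a 2048-bit odd integer standing in for an RSA modulus).
SAMPLE_N = int.from_bytes(hashlib.sha512(b"constructed modulus, not a real key").digest() * 4, "big") | (1 << 2047) | 1
SAMPLE_E = 65537
SAMPLE_CREATED = 1136073600  # 2006-01-01T00:00:00Z, an arbitrary creation time

SAMPLE_FINGERPRINT = v4_fingerprint(rsa_public_key_packet_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E))

if __name__ == "__main__":
    print("fingerprint :", format_fingerprint(SAMPLE_FINGERPRINT))
    print("long key id :", long_key_id(SAMPLE_FINGERPRINT))
    print("short key id:", short_key_id(SAMPLE_FINGERPRINT))
    # A key differing only in the exponent hashes to an unrelated fingerprint.
    other = v4_fingerprint(rsa_public_key_packet_body(SAMPLE_CREATED, SAMPLE_N, 3))
    print("slip matches key :", fingerprints_match(format_fingerprint(SAMPLE_FINGERPRINT), SAMPLE_FINGERPRINT.lower()))
    print("other key matches:", fingerprints_match(format_fingerprint(other), SAMPLE_FINGERPRINT))
    print("key ID accepted  :", looks_like_full_fingerprint(short_key_id(SAMPLE_FINGERPRINT)))
```

The point of `normalize_fingerprint` refusing short input is the check that matters at a key-signing: a key ID is a suffix of the fingerprint, so agreeing on the ID proves agreement on at most 32 or 64 of the 160 bits, and an attacker can generate a key with a chosen 32-bit ID in minutes on commodity hardware.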

The combination of all the signatures on all the keys is known as the web of trust. It is possible to use it as a trust metric for someone you have never met, by following chains of signatures from keys you have verified yourself through people whose signing habits you trust, but this is fraught with problems: a signature only says that the signer checked an identity, not how carefully, and a chain of signatures is only as good as its least careful link.
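As an added example (not code from the Debian wiki page or from GnuPG), the block below re-implements the classic web-of-trust validity rule that GnuPG uses by default: a key becomes valid if a fully trusted valid key has signed it, or if three marginally trusted valid keys have, following chains at most five signatures deep. It runs the rule over a constructed signature graph; the key names, who signed whom, and the owner-trust assignments are all made-up assumptions for the illustration.

```python
# Added example: GnuPG-style "classic" web-of-trust validity over a CONSTRUCTED graph.
# Defaults match gpg's completes-needed=1, marginals-needed=3, max-cert-depth=5.

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_validity(signatures, ownertrust, completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key that becomes valid.

    signatures: {key: set of keys that have signed (certified) it}
    ownertrust: {key: ULTIMATE | FULL | MARGINAL}; keys absent count as UNKNOWN, so
                their signatures are worth nothing even when the key itself is valid.
    """
    # Ultimately trusted keys (normally your own) are valid by definition, at depth 0.
    valid = {key: 0 for key, trust in ownertrust.items() if trust == ULTIMATE}
    for depth in range(max_cert_depth):
        newly_valid = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            completes = marginals = 0
            for signer in signers:
                # Only signatures from keys that are already valid (and not self-signatures) count.
                if signer == key or signer not in valid:
                    continue
                trust = ownertrust.get(signer, UNKNOWN)
                if trust in (ULTIMATE, FULL):
                    completes += 1
                elif trust == MARGINAL:
                    marginals += 1
            if completes >= completes_needed or marginals >= marginals_needed:
                newly_valid[key] = depth + 1
        if not newly_valid:
            break
        # Keys found in this round only count as signers from the next round on,
        # which is what gives "depth" its meaning and lets max_cert_depth bound the chain.
        valid.update(newly_valid)
    return valid


# Constructed graph: who has signed whose key (assumption, not real keyring data).
SIGNATURES = {
    "alice": {"me"},
    "bob": {"me"},
    "carol": {"me"},
    "dave": {"alice"},
    "erin": {"bob", "carol", "dave"},
    "frank": {"bob"},
    "grace": {"erin"},
}

# Owner trust is assigned by the keyring's owner to people whose signing habits they have judged.
OWNERTRUST = {"me": ULTIMATE, "alice": FULL, "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL}


def validity_report(signatures=SIGNATURES, ownertrust=OWNERTRUST):
    """Depth at which each key became valid, or 'not valid'."""
    valid = compute_validity(signatures, ownertrust)
    return {key: valid.get(key, "not valid") for key in sorted(set(signatures) | set(ownertrust))}


if __name__ == "__main__":
    for key, status in validity_report().items():
        print(f"{key:6} {status}")
```

In this graph erin becomes valid at depth 3 only because three marginally trusted people signed her key, frank never does (one marginal signature is not enough), and grace never does either, even though a valid key signed hers: validity is not trust, and erin's signature counts for nothing until the keyring's owner assigns her an owner trust, which for someone never met is pure guesswork. That is the problem the text alludes to: the metric is driven entirely by trust values you have to invent for strangers, and three careless marginal signers are enough to make any key look valid.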

The NewMaintainerProcess requires that an applicant have a key that is signed by at least one existing DebianDeveloper.

Key-signing often takes place at a key-signing party (KSP), where many people all meet each other and agree to sign each other's keys. Debian usually has a key-signing party at any large event, such as DebConf. There can be problems with this, as demonstrated at the DebConf6 KSP.