tag:gpgtools.tenderapp.com,2011-11-04:/discussions/problems/1625-signing-a-keyGPGTools: Discussion 2017-09-14T11:54:03Ztag:gpgtools.tenderapp.com,2011-11-04:Comment/178293912012-08-10T19:08:01Z2012-08-10T19:08:01ZSigning a key?<div><p>Hey Bill, I'm working on an FAQ about Web of Trust and key
signing. It's not ready yet so I'm copy pasting what I have so
far:</p>
<p>If you have no clue, what the web of trust is, the best starting
point is the according <a href=
"http://en.wikipedia.org/wiki/Web_of_trust">Wikipedia article</a>.
I'd suggest that as a starting point.</p>
<p>If you're more the <a href=
"http://en.wikipedia.org/wiki/Wikipedia:Too_long;_didn%27t_read">tl;dr</a>
type of person, here's a short explanation by Phil Zimmermann in
the 1992 manual for PGP version 2.0:</p>
<blockquote>
<p>-- <cite><em>"As time goes on, you will accumulate keys from
other people that you may want to designate as trusted introducers.
Everyone else will each choose their own trusted introducers. And
everyone will gradually accumulate and distribute with their key a
collection of certifying signatures from other people, with the
expectation that anyone receiving it will trust at least one or two
of the signatures. This will cause the emergence of a decentralized
fault-tolerant web of confidence for all public
keys."</em></cite></p>
</blockquote>
<p>Important: No, you should not sign every single key you have in
your keychain.</p>
<p>Does that help already? Key signing is done via GPG Keychain
Access and there in the key inspector.</p>
<p>Let me know if that info is sufficient or if you need more
advise.</p>
<p>All the best,<br>
steve</p>
<hr>
<p>Please consider a <a href=
"https://www.gpgtools.org/donate.html">donation</a>. We do all this
in our spare time.</p></div>Stevetag:gpgtools.tenderapp.com,2011-11-04:Comment/178293912012-08-11T03:32:06Z2012-08-11T03:32:07ZSigning a key?<div><p>Ok, so I would only sign a key that I am absolutely sure of the
identity of the key owner.</p></div>Billtag:gpgtools.tenderapp.com,2011-11-04:Comment/178293912012-08-12T16:23:14Z2012-08-12T16:23:14ZSigning a key?<div><p>Hey Bill,<br>
no that's also not the case. Open GPG Keychain Access and double
click the key you'd like to sign. Then go to the second tab
(User-IDs) then in the bottom field click "+". There you can also
choose the level on which you checked the identity. So you can also
set that to "I didn't really check anything" but then the question
is, why you would wanna sign the key.</p>
<p>So as you see, it's like grey colors. Neither white not black
and no simply answer.</p>
<p>But having your friends sign your key and singing theirs is in
general a good idea.</p>
<p>Cheerios,<br>
steve</p></div>Stevetag:gpgtools.tenderapp.com,2011-11-04:Comment/178293912012-08-24T16:49:23Z2012-08-24T16:49:23ZSigning a key?<div><p>No further user feedback. Closing.</p>
<p>@Bill: Should your problem persist, feel free to re-open this
discussion any time.</p>
<p>All the best,<br>
steve</p></div>Steve