Getting your PGP key signed by CAcert

If you want, you can have your PGP/GPG key signed by CAcert. This page tells you what to do.

Pre-Requisites

Why get your PGP key signed by CAcert?

Having a CAcert signature on your PGP keyring signifies that your identity has been verified (assured) by at least two other people (that's the only way to get more than 50 Assurance Points). So it gives credibility to your PGP keys' authenticity. As an example of why this might be necessary let's consider a sample keyring I keep around to illustrate this very thing when I introduce newcomers to PGP:

I have a key named "Brad Pitt". It has signatures on it from "Jennifer Aniston", "George W. Bush", "Madonna", and scores of other easily-recognized names. Now, the fact that I have the secret passphrases and can use these to sign emails and send them to you shouldn't automatically make you think that these keys are from the people you *think* they're from! Right?

So having a high-trust CAcert key signature on your PGP key lends your key credibility. If you know the key-signing policies of CAcert (or Thawte, or anyone else for that matter) and you know that they are sufficiently trustworthy (one of PGP's concepts of trust), then when you see a key with that signature attached you may conclude that the person is who they claim to be, and not an impostor wishing to defraud you in a transaction or smear your name on a newsgroup.

What do I need to submit to CAcert

NEVER export or submit your Private Key!

Please submit your Public Key to the form you find on CAcert under GPG/PGP, Add. It should look like

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP Key Server 0.9.6
mQEMBEKCKzQBCADJ+FrXcdN9/t7ZWtPPuDpURCHSQmiyzaqRqK1SJAUZv1KmNiBx
ojT893x26r+wcZSVEU02U06FHDUV/KWLWmUkxTqBenAh+L1qWEiZNv2SH4WArFjc
3Isv9TYTR28dGEthPlkyFgfWNIwkd2GRdi4ozmQlzORpape+JzuCpCgHbPwkhCaF
[...]
-----END PGP PUBLIC KEY BLOCK-----

You should find your key on the keyservers (e.g. https://pgp.surfnet.nl/ - just search for your name) if you uploaded it to the keyserver network. Otherwise there should be a function "Export Public Key" in your PGP/GPG software.

For gnupg use:

gpg --export --armor KEYID

where KEYID can be your name as well. Just make sure it matches exactly one key (run gpg --list-keys KEYID first to check).

Getting your PGP key signed by CAcert

The most important thing to note when having your GPG key signed by CAcert is that the name on your key must match *EXACTLY* the name in your certificate. If they do not match, then your key will be returned unsigned.

Take the following steps to have your key signed:

  1. Login to the CAcert webpage and submit your public key (the submission area only appears if you have at least 50 assurance points).
  2. Wait for a mail with your signed public key.
  3. Import the key from the email into your keyring. (gpg should report a modified key.)
  4. Import the CAcert key into your keyring.
    • CAcert GPG key available here
    • Their Key ID & fingerprint is 65D0FD58 / A31D 4F81 EF4E BD07 B456 FA04 D2BB 0D01 65D0 FD58
  5. Upload the changed key to the keyservers: gpg --send-keys SOMEKEYID

If you want to verify the signature you can use gpg --list-sigs to be certain that your key is signed by the CAcert key. This is also how third parties can check CAcert-signed keys.

When your key name varies from your certificate name

In the event that your GPG key name varies slightly from what's in your certificate there is a workaround, which while messy, works, and only has to be done 1 time:

  1. Make a backup of your keyring for safekeeping!
  2. Remove all user IDs (uids) whose email address you have not 'verified' through the system.
  3. Add a uid with the correct name. For example, if your certificate has "William Doe" but your GPG key has "Wm. Doe", then add a uid named "William Doe" and delete the "Wm. Doe" uid. (Don't worry - it's only temporary!)
  4. Have your key signed by CAcert.
  5. Once your key is signed, re-import the previously removed uids from the keyring backup you made in step 1.

Why do I only get a sig for my key and not a sig3?

From man gpg, on certification levels:

0 means you make no particular claim as to how carefully you verified the key.

This isn't the lowest trust level - it just means that there is no information about how carefully your ID has been checked.

The main problem is that CAcert hasn't personally checked your fingerprint or key. Anyone with access to your CAcert account could have submitted their key to get a signature from CAcert.
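A pre-submission check for the rules above (the uid name must match the CAcert account name exactly, only addresses CAcert has verified are matched, and the result is a level-0 "sig" from the CAcert key), as an added example that is not part of the original page: it parses the output of gpg --with-colons --list-sigs KEYID. The three-uid "Foo Bar" key, its long key ids and the sample listing are constructed; the CAcert long key id D2BB0D0165D0FD58 is the last 16 hex digits of the fingerprint quoted above.

```python
"""Pre-flight check of an OpenPGP public key for CAcert signing. Parses the
output of `gpg --with-colons --list-sigs KEYID` (constructed sample below)."""
import re

# Last 16 hex digits of the CAcert fingerprint quoted on this page.
CACERT_LONG_KEYID = "D2BB0D0165D0FD58"

# Constructed sample listing of a three-UID key whose .org UID (only) was
# signed by CAcert. The long key ids of the Foo Bar key are made up.
SAMPLE = """\
pub:u:1024:17:00000000DA23A600:2006-11-30:::u:::scESC:
uid:u::::2006-11-30::0000::Foo Bar <foo@bar.com>::::
sig:::17:00000000DA23A600:2006-12-01::::Foo Bar <foo@bar.com>:13x:
uid:u::::2006-11-30::0001::Foo Bar <foo@bar.net>::::
sig:::17:00000000DA23A600:2006-12-01::::Foo Bar <foo@bar.com>:13x:
uid:u::::2006-11-30::0002::Foo Bar <foo@bar.org>::::
sig:::17:00000000DA23A600:2006-12-01::::Foo Bar <foo@bar.com>:13x:
sig:::1:D2BB0D0165D0FD58:2007-01-07::::CA Cert Signing Authority (Root CA) <gpg@cacert.org>:10x:
sub:u:2048:16:000000001C8F17DD:2006-11-30::::::e:
"""

def parse_uids(colons):
    """Map each user ID to a list of (signer long keyid, certification level)."""
    uids, current = {}, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            current = f[9]               # field 10: the user ID string
            uids[current] = []
        elif f[0] == "sig" and current is not None:
            # field 11 is the signature class: "10x" = 0x10 generic
            # certification (plain 'sig'), "13x" = 0x13 positive ('sig 3')
            level = int(f[10][:2], 16) - 0x10
            uids[current].append((f[4].upper(), level))
    return uids

def check_key(colons, account_name, verified_emails):
    """Per UID: name matches the CAcert account exactly, address is one CAcert
    has verified, and the CAcert certification level present (None = unsigned)."""
    report = {}
    for uid, sigs in parse_uids(colons).items():
        m = re.match(r"^(.*?)\s*(?:\(.*\))?\s*<([^>]+)>$", uid)
        name, email = (m.group(1), m.group(2).lower()) if m else (uid, "")
        cacert = [lvl for signer, lvl in sigs if signer == CACERT_LONG_KEYID]
        report[uid] = {"name_matches": name == account_name,
                       "email_verified": email in verified_emails,
                       "cacert_level": cacert[0] if cacert else None}
    return report
```

A sig record only shows that a signature packet is present; run gpg --check-sigs with the CAcert key imported (step 4 above) to confirm it actually verifies.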

RSA keys

A possible problem:

Is there a problem with signing RSA keys? I tried it, and the system does something (the key that it returns is different), but both gpg and pgp do not show any signatures from cacert. I just tried it with my DSA/El Gamal key, and it works fine.

For me it worked fine to get my PGP RSA key signed by CAcert. I use PGP 7.0 and only use RSA keys (2048 bit). Try this, it might help: when exporting the key from PGP, unmark "Include PGP extensions" so that the exported key is a "clean" standard key.

Including a CAcert certificate in your OpenPGP keyring

NOTE: This only works with PGP, not GnuPG (GPG).

To import an X.509 keypair, simply drag and drop your PKCS#12 certificate file (filename.PFX or filename.P12) into PGPkeys, or import it from Keys - Import.

If you don't know how to back up your X.509 certificate together with its private key: in Internet Explorer go to Internet Options - Content / Certificates / Personal, select your certificate and Export it with the private key in PKCS#12 format. In Netscape it's Edit - Preferences - Privacy and Security - Certificates / Manage Certificates / My Certificates, then Backup the selected certificate.

(See http://www.minstrel.org.uk/wot-faq/q1.html for more info)

ConvertingCertificateToPgp

Problem: my key is attached to several emails ... to be verified

(posted on July 18th 2005)

>Message:
>> I tried to upload my pgp key, but got the following error, which I can see why it failed if it's chopping off the ends of my email address:
>>
>> No suitable emails could be matched from your PGP/GPG keys to what we have in the database. ('lan@rdrop.co')
>>
>> Here's the key in question:
>>
>> -----BEGIN PGP PUBLIC KEY BLOCK-----
>> Version: GnuPG v1.2.3 (FreeBSD)
>>
>> mQCNAzEW55MAAAEEANU5C0ZbqoGRph6hjiUPquyZpXAtjNgZICMjbotsOeXuKOlp
>> UgOh06jrcdORhsLyd1m3cTUkifTfwqQUWQjoU/WP4lVpbaEsRMNtc8a/rDjA2FLU
[...]
>> -----END PGP PUBLIC KEY BLOCK-----

I also ran into this problem. A revoked user id was still marked as primary in my key. Instead of deleting anything I tried this:
$ gpg --edit-key 0x89074FAD
[...]
[ultimate] (1). Michael Alexander Kallas<valid@address.org>
[ revoked] (2)  Michael Kallas <revoked@address.net>
command> 1
command> primary
[Mantra must be entered]
command> save
$ gpg --armor --export-options export-minimal --export 0x89074fad
This exported key was accepted without problems.
(Be careful to copy'n'paste only until the last --- because pasting the whole last line with white space won't work, at least not ATM).

Dear Alan,
I've imported your attached key to my keyring, that says this key belongs
to alan at batie dot org ,batie at rdrop dot com, batie at agora dot
rdrop dot com, alan at rdrop dot com
I got same error, when my key contains more than one e-mail address.
Here is the work around:
1.) save your keyring (private & public ) eg. export
2.) edit your keyring
        eg: gpg --edit alan at batie dot org
3.) add new uid lan at rdrop dot co
4.) remove not registered  uids (addresses) (don't worry this is
temporary)
5.) save changes
6.) export your public key eg.: gpg --armor --export alan at batie dot
co
7.) upload the output
8.) import removed uids
I hope this will help you.
Regards,
Tamas alias TamsA

Hi Peter and Guillaume,
There have been several folks who posted about running into this
problem. I am one of them. In my case, it appeared to be because my
real name in my GPG UID is "Jeff Keys", while it is "Jeffrey Keys" to
CAcert.  I just tried it again, following the instructions to first
export my key to a file, then edit it to add a new uid with a real
name that matches, and remove the uid(s) that don't. Then save it,
export an ascii-armored copy and paste it in the textbox at "New"
GPG/PGP Keys.
Again, I got the same result: "No emails found on your key". Then I
added a line feed at the end of the text box by hitting the Enter key,
and tried again. THIS time, it worked. This tells me there is a PHP
bug; I seem to recall seeing one already in Mantis. This should help
in closing it.
After the successful attempt, Peter, I received an e-mail with a link
back to the signed key, and after creating a text file containing it
(with no added line feed!), I successfully imported it back to my
keyring... and then of course reimported the original key with the
other signed uids.
Best Regards,
Jeff Keys
On 5/25/06, Peter Vitt <petervitt   web.de> wrote:
> As I have written in my request, the error is: "No emails found on your
> key". This error is given by the CACert-Homepage when I want to upload
> the certificate to get it signed.
>
> Guillaume ROMAGNY wrote:
> > Hi Pete,
> >
> > I am afraid the signature is provided instantly
> >
> > You have to redo the process and tell us what error message you can read
> >
> > Best regards,
> >
> > Guillaume, who's using a dvorak keyboard
> >
> > CAcert-Website wrote:
> >> From: Peter Vitt
> >> Email: petervitt              web.de
> >> Subject: Problems with Certificates
> >>
> >> Message:
> >> Hello,
> >>
> >> After I was assured by several people I tried to get my certificate
> >> signed by CACert-Rootcertificate. I pasted my cert under GPG/PGP Keys.
> >> Until then everything looked ok. Then I waited several days to get my
> >> certificate signed. Nothing happened. I updated my keyring nearly 12
> >> times a day. So I tried it again. Perhaps I did something wrong. But
> >> again, my certificate didn't
> >> get signed. My next thought was about the keys algorithm. I tried it
> >> with RSA. No go.
> >> Perhaps the keylength? 1024? 2048? 4096? Again no go.
> >> Several days ago a classmate told me that I have to reimport the
> >> certificate that I can access on my CACert-memberarea under "view
> >> PGP/PGP Keys" when I
> >> click on one of the mail addresses there.
> >> But the problem is that I haven't any working certificate left. I tried
> >> so many certificates to get signed that I afterwards cleaned my keyring
> >> and revoked every certificate I made during the testphase.
> >> As I created a new certificate today and tried to upload it to the
> >> CACertpage and get it signed, the page says "No emails found on your
> >> key" after clicking on the submit button. I tried it again with several
> >> certificates, none is working.
> >>
> >> 1) Why can't I upload another certificate?
> >>
> >> 2) Am I just able to get ten certificates signed by CACert? Because I
> >> can see ten certificates on the CACertpage (all revoked).
> >>
> >> 3) How can I revoke these certificates?
> >>
> >> Hope to hear from you soon
> >>

Problem: CAcert signature on PGP key with picture attached to it

A possible problem:

There was a problem with signing a PGP key which had a picture attached to it.
The workaround which solved the problem:
1) Remove the picture from the key
2) Get a signature from CAcert for the key
3) Re-attach the picture to the key
At least this procedure solved the problem once...

Misc

If you have trouble getting your gpg key signed, try exporting it with --export-options export-minimal and submitting each user ID in the key on its own; a correctly stripped key should then get signed.

Problem: CAcert doesn't sign keys with more than one uid

CAcert doesn't sign keys with more than one uid; as a result you get back the same key you provided, without any signature on it.

If your key looks like mine (the mail addresses were mangled), it won't work out of the box.

$ gpg --list-keys foo@bar.com
pub   1024D/DA23A600 2006-11-30
uid                  Foo Bar <foo@bar.com>
uid                  Foo Bar <foo@bar.net>
uid                  Foo Bar <foo@bar.org>
sub   2048g/1C8F17DD 2006-11-30

You will have to split the uids and get them signed one by one, so export your secret key...

$ gpg --export-secret-key foo@bar.com > signing-key-foo@bar.com.seckey
$ chmod 600 signing-key-foo@bar.com.seckey

and for each UID, import it into a temporary homedir, remove the "other" UIDs, export the result and get it signed.

$ mkdir test
$ chmod 700 ./test
$ gpg --homedir ./test --import signing-key-foo@bar.com.seckey
gpg: keyring `./test/secring.gpg' created
gpg: keyring `./test/pubring.gpg' created
gpg: key DA23A600: secret key imported
gpg: ./test/trustdb.gpg: trustdb created
gpg: key DA23A600: public key "Foo Bar <foo@bar.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
$ gpg --homedir ./test --list-keys
./test/pubring.gpg
------------------
pub   1024D/DA23A600 2006-11-30
uid                  Foo Bar <foo@bar.com>
uid                  Foo Bar <foo@bar.net>
uid                  Foo Bar <foo@bar.org>
sub   2048g/1C8F17DD 2006-11-30
$ gpg --homedir ./test --edit-key foo@bar.com
Secret key is available.
pub  1024D/DA23A600  created: 2006-11-30  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/1C8F17DD  created: 2006-11-30  expires: never       usage: E
[ unknown] (1). Foo Bar <foo@bar.com>
[ unknown] (2)  Foo Bar <foo@bar.net>
[ unknown] (3)  Foo Bar <foo@bar.org>
Command> uid 2
pub  1024D/DA23A600  created: 2006-11-30  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/1C8F17DD  created: 2006-11-30  expires: never       usage: E
[ unknown] (1). Foo Bar <foo@bar.com>
[ unknown] (2)* Foo Bar <foo@bar.net>
[ unknown] (3)  Foo Bar <foo@bar.org>
Command> uid 1
pub  1024D/DA23A600  created: 2006-11-30  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/1C8F17DD  created: 2006-11-30  expires: never       usage: E
[ unknown] (1)* Foo Bar <foo@bar.com>
[ unknown] (2)* Foo Bar <foo@bar.net>
[ unknown] (3)  Foo Bar <foo@bar.org>
Command> deluid
Really remove this user ID? (y/N) y
pub  1024D/DA23A600  created: 2006-11-30  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/1C8F17DD  created: 2006-11-30  expires: never       usage: E
[ unknown] (1)  Foo Bar <foo@bar.org>
Command> save
$ gpg --homedir ./test --armor --export foo@bar.org
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.6 (GNU/Linux)
mQGiBEVvaR8RBADBDFM51H1uLNQlMeRhASDAr5s+K60+J67S2wvuhRySydqYDLLc
...
KAIbDAAKCRD+RGcX2iOmAPS+AKCnyTqlxxtri3uVl0o77Cx/YdI5UQCeJjuX35e0
EemNxcAwR3x3fvpEBD4=
=WoWh
-----END PGP PUBLIC KEY BLOCK-----

this key will be (finally) signed by the robot.

So import the signed key and do the same for the other UIDs:

$ vi signed.asc
$ gpg --import signed.asc
gpg: key DA23A600: "Foo Bar <foo@bar.org>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   3  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 3f, 0u
gpg: next trustdb check due at 2033-07-03
$ gpg --list-sigs foo@bar.org
pub   1024D/DA23A600 2006-11-30
uid                  Foo Bar <foo@bar.com>
sig 3        DA23A600 2006-12-01  Foo Bar <foo@bar.com>
uid                  Foo Bar <foo@bar.net>
sig 3        DA23A600 2006-12-01  Foo Bar <foo@bar.com>
uid                  Foo Bar <foo@bar.org>
sig 3        DA23A600 2006-12-01  Foo Bar <foo@bar.com>
sig     P    65D0FD58 2007-01-07  CA Cert Signing Authority (Root CA) <gpg@cacert.org>
sub   2048g/1C8F17DD 2006-11-30
sig          DA23A600 2006-11-30  Foo Bar <foo@bar.com>

and go for the next UID :) ... if you want a nice diagram of your signatures try:

$ sims -t1e1i1 | dot -Tpng > trust.png
$ display trust.png


PgpSigning (last edited 2021-07-30 19:31:54 by AlesKastner)