views: 528, answers: 2
I've been reading various tutorials about GPG, and many of them mention that keys may be signed by other people to verify their authenticity. Unfortunately, I have been unable to find information regarding exactly how this process works. How does one sign a key, and how is the signed key used (different from the previous key)?

Thank you.

EDIT: The Keysigning Party HOWTO has all of the information I wanted.

+3  A: 

Exporting/Importing One by one:

A correspondent's key is validated by personally checking his key's fingerprint and then signing his public key with your private key. By personally checking the fingerprint you can be sure that the key really does belong to him, and since you have signed the key, you can be sure to detect any tampering with it in the future. Unfortunately, this procedure is awkward when either you must validate a large number of keys or communicate with people whom you do not know personally. GnuPG addresses this problem with a mechanism popularly known as the web of trust.

By Web Of Trust:

In the web of trust model, responsibility for validating public keys is delegated to people you trust. For example, suppose

  • Alice has signed Blake's key, and
  • Blake has signed Chloe's key and Dharma's key.

If Alice trusts Blake to properly validate keys that he signs, then Alice can infer that Chloe's and Dharma's keys are valid without having to personally check them. She simply uses her validated copy of Blake's public key to check that Blake's signatures on Chloe's and Dharma's are good. In general, assuming that Alice fully trusts everybody to properly validate keys they sign, then any key signed by a valid key is also considered valid. The root is Alice's key, which is axiomatically assumed to be valid.

Espo
A: 

You sign a key using the command

gpg --sign-key <name>

For more information see this page. Look at the Signing public keys section.

John Meagher