You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Micah Lee edited this page Feb 8, 2021
·
10 revisions
GPG Sync works like this:
The IT staff generates an "authority key". Then they create a keylist file include PGP fingerprints for all members of your organization, digitally sign this list with the authority key, and upload both the keylist and its signature to a website so that they're accessible from public URLs.
All members of your organization install GPG Sync on their computers and configure it with the authority key's fingerprint and the URL of your keylist. (Now, all of your members will automatically and regularly fetch this URL and then refresh all of the non-revoked keys on the list from a keyserver.)
When new keys in your organization are added, the IT staff adds them to the keylist, re-signs it with the authority key, and uploads the keylist and the signature to the same URLs. If users migrate to new keys, the IT leaves their old fingerprints on the list so that all other members can tell that their old keys were revoked.
Now each member of your organization will have up-to-date public keys for each other member, and key changes will be transitioned smoothly without any further work or interaction.