If the user's account status changes, the Faculty Administration will automatically inform the user by email. In particular, notifications are automatically sent out about account creation (or renewal), impending account cancellation, and account blocking or unblocking. To increase the credibility of these messages, the Faculty Administration signs them with its PGP key. On this page we describe how users can install the Faculty Administration's public key into their GnuPG and PGP key databases.
Notice
If you use PGP without a basic understanding of its mechanism, you will not increase the security or trustworthiness of your communications. On the contrary, you will expose your key to a high risk of misuse with all its consequences. It is safer not to use PGP at all than to use it badly. You can increase your knowledge of PGP, for example, by visiting the GnuPG project. You can also find much more information and links on the OpenPGP website.
Faculty Administration Public Key
The Faculty Administration public key is available at https://fadmin.fi.muni.cz/noauth/fadmin_key.pub. The key will be transmitted over a secure connection, which limits the possibility of it being spoofed if you already have a trusted Faculty Administration SSL certificate installed. The public key fingerprint is:
94A1 8BE2 DDB4 06CC 3D00 9DF9 E237 46F8 6D44 85C8
You can also verify the fingerprint over a secure connection at
https://fadmin.fi.muni.cz/noauth/fadmin_key.fpr
You can also use an unsecured connection:
https://fadmin.fi.muni.cz/noauth/fadmin_key.pub
https://fadmin.fi.muni.cz/noauth/fadmin_key.fpr
Installing the key in GnuPG
Download the public key to a local directory as the file fadmin_key.pub and perform the following sequence of commands. Add the Faculty Administration key to your public key database.
$ gpg --import fadmin_key.pub
gpg: klíč 6D4485C8: veřejný klíč "Fakultní administrativa FI MU <fadmin@fi.muni.cz>" importován
gpg: Celkový počet zpracovaných klíčů: 1
gpg: importováno: 1
$ gpg --edit-key fadmin
Příkaz> fpr
pub 1024D/6D4485C8 2003-06-24 Fakultní administrativa FI MU <fadmin@fi.muni.cz>
Primární fingerprint klíče: 94A1 8BE2 DDB4 06CC 3D00 9DF9 E237 46F8 6D44 85C8
Příkaz> quit
Verify that the fingerprint of the key is the same as above. If it is not, the key is either fraudulent or has been corrupted in transit. In this case, delete it immediately:
$ gpg --delete-key fadmin
Smazat tento klíč ze souboru klíčů? (a/N) a
If the fingerprint is correct, the key is now installed and GnuPG will use it to verify signatures from the Faculty Administration. However, after each verification it will probably warn that the key is not trusted. The trustworthiness of PGP keys is based on the so-called Web of Trust. You can either mark the key as trusted or sign it with another trusted key. The steps below make the key trusted for your own use only, without letting anyone else treat the Faculty Administration key as trusted on the basis of your trust. First, you must mark the public key of your secret key as trusted.
$ gpg --edit-key vas_klic
Tajný klíč je dostupný.
Příkaz> trust
Prosím rozhodněte, nakolik důvěřujete tomuto uživateli, že správně
verifikuje klíče jiných uživatelů (prohlédnutím cestovních pasů,
kontrolou fingerprintů z různých zdrojů...)?
1 = Nevím nebo neřeknu
2 = Nedůvěřuji
3 = Důvěřuji částečně
4 = Důvěřuji úplně
5 = Důvěřuji absolutně
m = zpět do hlavního menu
Vaše rozhodnutí? 5
Opravdu chcete nastavit pro tento klíč absolutní důvěru? (a/N) a
Příkaz> quit
Now sign the Faculty Administration key locally (for your own use - not exportable) with your secret key.
$ gpg --edit-key fadmin
Příkaz> lsign
Opravdu podepsat všechny id uživatele? (a/N) a
Podpis bude označen jako neexportovatelný.
Skutečně podepsat? (a/N) a
Musíte znát heslo, abyste odemknul(a) tajný klíč:
Příkaz> quit
Uložit změny? (a/N) a
Based on this signature, the Faculty Administration key will be considered trusted.
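The fingerprint comparison described in this section can also be done before the key enters the keyring, so that a wrong key never has to be deleted. The shell script below is an added example, not part of the faculty's instructions; its function names are hypothetical and it assumes a GnuPG version that provides --show-keys.

```shell
#!/bin/sh
# Added example: compare a key file's fingerprint with the published one
# BEFORE importing it. Function names are hypothetical, not from the page.

# Fingerprint as published on this page.
EXPECTED_FPR="94A1 8BE2 DDB4 06CC 3D00 9DF9 E237 46F8 6D44 85C8"

# Constructed sample of `gpg --with-colons` output (shortened records, made-up subkey).
SAMPLE_LISTING='pub:-:1024:17:E23746F86D4485C8:
fpr:::::::::94A18BE2DDB406CC3D009DF9E23746F86D4485C8:
sub:-:1024:16:0000000000000000:
fpr:::::::::0000000000000000000000000000000000000000:'

# Drop whitespace and upper-case hex digits, so "94 A1 8B ..." (PGP style)
# and "94A1 8BE2 ..." (GnuPG style) compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# stdin: colon listing. stdout: fingerprint of each primary key, i.e. field 10
# of the "fpr" record that follows a "pub" record. Subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }'
}

# $1: expected fingerprint; stdin: colon listing.
# Succeeds only if the listing holds exactly one primary key and it matches.
listing_matches() {
    found=$(primary_fprs)
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
    [ "$(normalize_fpr "$found")" = "$(normalize_fpr "$1")" ]
}

# $1: downloaded key file. Inspects it without touching the keyring and
# imports it only when the fingerprint matches.
verify_and_import() {
    if gpg --with-colons --show-keys "$1" 2>/dev/null | listing_matches "$EXPECTED_FPR"
    then gpg --import "$1"
    else echo "fingerprint mismatch, $1 not imported" >&2; return 1
    fi
}

# Runs only when a key file is named on the command line.
if [ $# -gt 0 ]; then verify_and_import "$1"; fi
```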
Installing the key in PGP
The procedure is very similar to using GnuPG. Because of its wider range of options, we also recommend using GnuPG instead of PGP. We therefore keep the description in this section short and leave out some explanations that can be found in the previous section. Download the public key to a local directory as the file fadmin_key.pub and add it to your public key database.
$ pgp -ka fadmin_key.pub
keyfile contains 1 new keys. Add these keys to keyring ? (Y/n) Y
$ pgp -kvc fadmin
Looking for user ID "fadmin".
Type bits keyID Date User ID
DSS 1024/1024 0x6D4485C8 2003/06/24 Fakultní administrativa FI MU <fadmin@fi.muni.cz>
Key fingerprint = 94 A1 8B E2 DD B4 06 CC 3D 00 9D F9 E2 37 46 F8 6D 44 85 C8
Fakultní administrativa FI MU <fadmin@fi.muni.cz>
1 matching key found.
Verify that the fingerprint written out is identical to the one above. If it is not, delete the key immediately.
$ pgp -kr fadmin
Do you want to remove the whole key (y/N)? y
If the fingerprint is correct, the key is already installed and PGP will use it. However, it will probably not consider it trusted and will warn you every time it is used. There is only one general way we know of to mark a key as trusted in PGP: sign it with your own key.
Note: By signing a key, you are publicly stating your belief that the signed key actually belongs to the Faculty Administration. PGP does not allow you to sign a key only locally, so you may at some point export this signature to a public keyserver. Only proceed with this step if you really know you are signing the correct key.
$ pgp -ks fadmin
READ CAREFULLY: Based on your own direct first-hand knowledge, are
you absolutely certain that you are prepared to solemnly certify that
the above public key actually belongs to the user specified by the
above user ID (y/N)? y
You need a pass phrase to unlock your secret key.
Enter pass phrase:
Passphrase is good
Attach a regular expression to this signature, or
press enter for none:
Now the key is installed and PGP will consider it trusted.