So, a few developers have asked how I prefer to do key signing operation after
having exchanged fingerprint information and verified IDs in person (or
alternatively using a challenge response if the other dev does not have a
keyslip when meeting)

There are automated tools that can help out with the administration
afterwards, however they are mostly based on some assumption that I don't
like, mainly they want a local MTA which implies online computer. Since I do
all keysigning on an airgapped computer, it is often easier to just do it
manually than to set up the loopback of the emails being stored in a maildir
that I can copy to a dumpsite for sending later.

So what I do myself, after having downloaded the key from keyservers using
`gpg --recv-key FINGERPRINT`, is exporting the keyblock (non-armored) for each UID I
want to sign of the recipient's key, like `gpg --export "FINGERPRINT" >
user01.gpg ; cp user01.gpg user02.gpg` , in case I want to sign userID 1 and
2 for that user. This allows me to sign each UID separately which I use later
on as I send an encrypted email to each UID in order to have assurance that
they actually control the email address in question, given that I don't verify
that directly when exchanging fingerprints.

I can sign this using `gpg --no-default-keyring --keyring ../own.gpg --keyring
./john02.gpg --edit-key john`, where own.gpg has a copy of my own public
keyblock in order to calculate keygrip for secret key access. Obviously the
fingerprint and preferably the algorithm type and creation time should also be
verified vs the keyslip at this point (do I need to mention that you should be
certain the key slip was the one exchanged?) 

I can then export in armored format to prepare for sending email as `for x in
*.gpg; do gpg --no-options --no-default-keyring --keyring ./$x --armor
--export > ../out/$x.asc; done;` and copy the asc files from the "out"
directory on the airgapped system.

I then send an encrypted email for each UID to the recipient, with a slight
greeting re event in question. And leave it to them to upload to keyserver to
verify having received the signed keyblock - do NOT upload their key to
keyservers directly as this does not offer the same protection

Now, the consequence of last paragraph is naturally that when receiving
signatures you need to import it into your own keyring and upload it to
keyserver using gpg --send-key FINGERPRINT , yourself.