This is the public view of the Debian keyring tree. Please note that this is *not* the actual working tree, but it is pushed to every time the keyring maintainers push a new batch of key changes.
Latest commit: 878d186f9f "Update changelog", Jonathan McDowell, 2025-12-26 18:20:04 +00:00

Top-level entries of the tree, each with the last commit that touched it:

  cheatsheets            Use pgp instead of gpg when referring to keyrings and pathnames (Closes: #1101418). Thanks to Guillem for the work put into this!  (2025-04-25 13:15:36 -06:00)
  debian                 Update changelog  (2025-12-26 18:20:04 +00:00)
  debian-keyring-pgp     Import changes sent to keyring.debian.org HKP interface  (2025-12-26 18:17:58 +00:00)
  debian-maintainers-pgp Import changes sent to keyring.debian.org HKP interface  (2025-12-26 18:17:58 +00:00)
  debian-nonupload-pgp   Import changes sent to keyring.debian.org HKP interface  (2025-12-26 18:17:58 +00:00)
  debian-role-keys-pgp   Use pgp instead of gpg when referring to keyrings and pathnames (Closes: #1101418). Thanks to Guillem for the work put into this!  (2025-04-25 13:15:36 -06:00)
  emeritus-keyring-pgp   Move 0x2AFBD67FD133AC6E (Martin Meredith) to emeritus (RT #9899)  (2025-11-28 18:40:49 -06:00)
  output/keyrings        Migrated away from Bazaar to Git! Reflect the changes in the scripts, cheatsheets  (2014-03-07 12:21:44 -06:00)
  scripts                Fix pull-upgrade for *.pgp world  (2025-06-24 19:49:32 +01:00)
  t                      Use pgp instead of gpg when referring to keyrings and pathnames (Closes: #1101418). Thanks to Guillem for the work put into this!  (2025-04-25 13:15:36 -06:00)
  .gitignore             Fixed add-key and replace-key to generate a proper git-commit-template snippet  (2014-11-04 12:29:37 -06:00)
  keyids                 Add new DM key 0xFE9007B8ED640421 (Aryan Karamtoth) (RT #9918)  (2025-12-22 08:53:27 +00:00)
  LICENSE                Add copyright headers to our helper scripts  (2008-11-01 10:53:15 +00:00)
  Makefile               Use pgp instead of gpg when referring to keyrings and pathnames (Closes: #1101418). Thanks to Guillem for the work put into this!  (2025-04-25 13:15:36 -06:00)
  README                 Use pgp instead of gpg when referring to keyrings and pathnames (Closes: #1101418). Thanks to Guillem for the work put into this!  (2025-04-25 13:15:36 -06:00)
  runtests               Use pgp instead of gpg when referring to keyrings and pathnames (Closes: #1101418). Thanks to Guillem for the work put into this!  (2025-04-25 13:15:36 -06:00)

README for the debian-keyring package
=====================================


Introduction
------------

The Debian project wants developers to digitally sign the
announcements of their packages, to protect against forgeries.  The
Debian project maintains OpenPGP keyrings with keys of
Debian developers.  This is the README for these keyrings.


Background: OpenPGP
-------------------

OpenPGP is a cryptographic standard that defines certificate formats,
signature formats, and encryption formats.  For Debian, we rely
heavily on the signature formats, and we keep our developers'
credentials in OpenPGP certificate format, aggregated into
"keyrings", which are just concatenated files of OpenPGP certificates.

These keyrings have a suffix of .pgp, reflecting our use of OpenPGP;
for now we also provide backward-compatibility symlinks with a .gpg
suffix for historical reasons.

Some older OpenPGP keys use algorithms or key sizes that are now
considered weak (for example 1024-bit DSA or RSA keys), so we strongly
encourage you to migrate to a strong key: RSA of 2048 bits or more,
with 4096 bits being the current standard.

Getting debian-keyring.pgp
--------------------------

The current version of debian-keyring.pgp is always available via
rsync from keyring.debian.org (module keyrings).

There is also a (possibly slightly out-of-date) version available on
your nearest Debian mirror in debian/doc/debian-keyring.tar.gz and as
the debian-keyring package.

The rsync area on keyring.debian.org is the canonical location for the
keyrings and it is what dinstall, the archive's upload-processing run,
uses.  If your key is available from there, it will be seen by
dinstall.  The tarball and Debian package are provided for user
convenience and are not necessarily in sync with keyring.debian.org.

The tarball contains the keyrings, a signed copy of the keyring md5sums
and this README.  The keyring md5sums are signed by the keyring-maint
team (currently Jonathan McDowell, Gunnar Wolf and Daniel Kahn
Gillmor); verify that signature, and that it was made by one of those
maintainers' keys, before relying on the keyrings it covers.

Using the debian-keyring with gpg
---------------------------------

Add this line to the bottom of your ~/.gnupg/gpg.conf[1] file:

keyring /usr/share/keyrings/debian-keyring.pgp

GPG cannot modify keys in these root-owned files.  In order to edit or
sign keys in the Debian keyring you will first need to import them into
your personal keyring.  If ~/.gnupg/gpg.conf lists the debian-keyring
files, GPG will consider those keys already present and will not import
them into your personal keyring.  You can use "gpg --no-options --import"
to force GPG to ignore gpg.conf and import keys into your personal
keyring only (note that --no-options also disables every other setting
in gpg.conf, such as keyserver and default-key, for that invocation).
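The following shell example is added here and is not part of the README or of the keyring-maint scripts.  It serves both the previous section (checking the keyring-maint signature on the md5sums in the tarball) and this one: it verifies a detached signature against a single standalone keyring file, the way you would check a file against /usr/share/keyrings/debian-keyring.pgp, without using ~/.gnupg/pubring.kbx, gpg.conf or a keyserver, and it pins the expected signer's fingerprint instead of accepting any "Good signature" from whichever key happens to be in the file.  The demo key, the keyring it is exported into and the sample md5sums file are constructed on the fly in a throwaway GNUPGHOME; the Debian paths appear only in comments.

```shell
#!/bin/sh
# Added example, not part of the debian-keyring README or its scripts.
# Verify a detached OpenPGP signature against ONE standalone keyring file
# (e.g. /usr/share/keyrings/debian-keyring.pgp) without consulting
# ~/.gnupg/pubring.kbx, gpg.conf or a keyserver.  The key, keyring and
# md5sums file used below are constructed stand-ins, not Debian's own.
set -eu

# verify_against_keyring KEYRING SIGNATURE FILE [EXPECTED_PRIMARY_FPR]
# Returns 0 only when gpg emits VALIDSIG for a key found in KEYRING and,
# if EXPECTED_PRIMARY_FPR is given, that key's primary fingerprint matches.
# "Good signature" alone means "some key in this file signed it"; pin the
# fingerprint whenever you know who should have signed.
# KEYRING must be an absolute path (or start with ./): gpg resolves other
# relative names against its home directory.
verify_against_keyring() {
    keyring=$1; sig=$2; file=$3; expected=${4:-}
    status=$(gpg --batch --quiet --no-default-keyring --keyring "$keyring" \
                 --trust-model always --status-fd 1 \
                 --verify "$sig" "$file" 2>/dev/null) || return 1
    # VALIDSIG: field 3 is the signing (sub)key, the last field is the
    # primary key fingerprint, so pinning also works for subkey signatures.
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
    [ -n "$fpr" ] || return 1
    [ -z "$expected" ] || [ "$fpr" = "$expected" ]
}

gpg_available() {
    command -v gpg >/dev/null 2>&1 && command -v gpg-agent >/dev/null 2>&1
}

# Constructed demo: a throwaway key standing in for a keyring-maint member,
# exported into a plain concatenated-certificate file like debian-keyring.pgp.
demo_setup() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Developer <demo@example.invalid>' default default never
    DEMO_FPR=$(gpg --batch --with-colons --list-keys demo@example.invalid \
               | awk -F: '$1 == "fpr" { print $10; exit }')
    DEMO_KEYRING=$GNUPGHOME/demo-keyring.pgp
    gpg --batch --export demo@example.invalid > "$DEMO_KEYRING"
    # Stand-in for the signed md5sums file shipped in the tarball.
    DEMO_FILE=$GNUPGHOME/md5sums
    printf 'd41d8cd98f00b204e9800998ecf8427e  debian-keyring.pgp\n' > "$DEMO_FILE"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$DEMO_FILE.sig" "$DEMO_FILE"
    # A modified copy: the same signature must not verify over it.
    { cat "$DEMO_FILE"; printf 'ffffffffffffffffffffffffffffffff  extra.pgp\n'; } \
        > "$DEMO_FILE.tampered"
}

if gpg_available; then
    demo_setup
    if verify_against_keyring "$DEMO_KEYRING" "$DEMO_FILE.sig" "$DEMO_FILE" "$DEMO_FPR"; then
        echo "md5sums: valid signature from pinned key $DEMO_FPR"
    fi
    if ! verify_against_keyring "$DEMO_KEYRING" "$DEMO_FILE.sig" "$DEMO_FILE.tampered"; then
        echo "md5sums.tampered: rejected"
    fi
fi
```

In real use, point KEYRING at the rsync copy or at /usr/share/keyrings/debian-keyring.pgp and pass the fingerprint of the keyring-maint member (or developer) you expect as the fourth argument; a signature from any other key in the file then fails the check even though gpg itself reports it as good.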

It is also possible to use public keyservers on the net directly.  This
requires that you have a working internet connection.
Add a line to your ~/.gnupg/gpg.conf[1] file such as:

keyserver pool.sks-keyservers.net

or

keyserver keyring.debian.org

(The SKS keyserver pool has since been shut down, so the first line no
longer works.  keyring.debian.org is the authoritative source for the
keys in the Debian keyrings and serves those keys only.)

Generate a key pair
-------------------

GPG is used for security, and security can be a bit tricky. You might
find the guide at:

https://keyring.debian.org/creating-key.html

helpful.

Your OpenPGP key should have an encryption-capable subkey as well;
otherwise the Debian System Administrators (DSA) will not be able to
email you your account password.

You should also generate a revocation certificate and store it in a
safe place, in case you forget your passphrase or lose your key(s).
GnuPG 2.1 or later automatically generates a revocation certificate
for each new key and stores it in ~/.gnupg/openpgp-revocs.d/ -- please
back them up safely!
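Two checks a practitioner would run on a key before submitting it, written as an added example (not part of the README): does the key carry a usable encryption-capable subkey, and is the revocation certificate GnuPG wrote at generation time actually present?  The capability check parses the colon-delimited output of gpg --with-colons --list-keys; the listings embedded here are constructed samples built around the README's placeholder key id 0x00000123ABCD0000 with made-up fingerprints and timestamps, so the block runs without gpg installed.

```shell
#!/bin/sh
# Added example, not part of the debian-keyring README.  Checks for a key
# you are about to submit.  The colon listings are constructed samples of
# "gpg --with-colons --list-keys" output, not real keys.
set -eu

# has_usable_encryption_subkey < colon-listing
# Returns 0 if some "sub" record has 'e' among its capabilities (field 12),
# is neither revoked ('r') nor expired ('e') in the validity column
# (field 2), and has no expiry timestamp (field 7) in the past, and the
# primary key ("pub" record) is itself not revoked or expired.  The primary
# key's own capabilities are ignored: the README asks for a subkey.
has_usable_encryption_subkey() {
    awk -F: -v now="$(date +%s)" '
        $1 == "pub" && ($2 == "r" || $2 == "e") { dead = 1 }
        $1 == "sub" && index($12, "e") && $2 != "r" && $2 != "e" \
            && ($7 == "" || $7 + 0 > now) { found = 1 }
        END { exit !(found && !dead) }'
}

# revocation_cert_present FPR [GNUPGHOME]
# GnuPG 2.1+ writes <FPR>.rev into openpgp-revocs.d/ when the key is
# generated; confirm it exists and is non-empty, then back it up.
revocation_cert_present() {
    fpr=$1; home=${2:-${GNUPGHOME:-$HOME/.gnupg}}
    [ -s "$home/openpgp-revocs.d/$fpr.rev" ]
}

# Constructed sample: signing primary key, signing subkey, encryption subkey.
GOOD_KEY='pub:u:4096:1:00000123ABCD0000:1600000000:::u:::scESCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456700000123ABCD0000:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example Developer <dev@example.invalid>::::::::::0:
sub:u:4096:1:0000000000000001:1600000000::::::s::::::23:
fpr:::::::::0123456789ABCDEF012345670000000000000001:
sub:u:4096:1:0000000000000002:1600000000::::::e::::::23:
fpr:::::::::0123456789ABCDEF012345670000000000000002:'

# Constructed sample: the only encryption subkey has been revoked.
REVOKED_ENC_KEY='pub:u:4096:1:00000123ABCD0000:1600000000:::u:::scESCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456700000123ABCD0000:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example Developer <dev@example.invalid>::::::::::0:
sub:u:4096:1:0000000000000001:1600000000::::::s::::::23:
sub:r:4096:1:0000000000000002:1600000000::::::e::::::23:'

# Constructed sample: the only encryption subkey expired in the past.
EXPIRED_ENC_KEY='pub:u:4096:1:00000123ABCD0000:1600000000:::u:::scESCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456700000123ABCD0000:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example Developer <dev@example.invalid>::::::::::0:
sub:u:4096:1:0000000000000001:1600000000::::::s::::::23:
sub:e:4096:1:0000000000000002:1600000000:1700000000:::::e::::::23:'

for sample in GOOD_KEY REVOKED_ENC_KEY EXPIRED_ENC_KEY; do
    eval "listing=\$$sample"
    if printf '%s\n' "$listing" | has_usable_encryption_subkey; then
        echo "$sample: usable encryption subkey present"
    else
        echo "$sample: NO usable encryption subkey; DSA could not mail you a password"
    fi
done
```

Against a real key, feed the function from gpg itself: gpg --with-colons --list-keys YOURFPR | has_usable_encryption_subkey; then call revocation_cert_present YOURFPR to confirm the certificate is still in ~/.gnupg/openpgp-revocs.d/ before you copy it off the machine.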

Exchange key signatures with other people
-----------------------------------------

If at all possible, meet other Debian developers in person, verify
their fingerprints, and certify each other's keys.  Geographical and
economic challenges often make this impossible, but if you can do
it, please do.  Signing a key means verifying that the key and the
user ID belong together.  The signatures allow other people to know
that the key belongs to the person it says it belongs to.  (This is the
"web of trust" that the GPG manual explains.)

Also exchange key signatures with many other OpenPGP users. It all
helps to expand and strengthen the OpenPGP web of trust.

Do *NOT* certify other people's keys unless you have met that person
face to face in real life and have verified that the person is who
they say they are.  One common way to verify identity is to ask for a
strong, hard-to-forge form of government-issued ID that you know how
to check (e.g. a passport or driver's license).


Getting your key into the debian keyring
----------------------------------------

If you are a long-standing Debian developer who has not uploaded
packages for a long time, and your key is no longer in the keyring,
send a mail to keyring@rt.debian.org (making sure to include the words
"Debian RT" somewhere in the subject) explaining the situation and
including your public key.

All new maintainers should apply at https://nm.debian.org/, and your
key(s) will be added to the keyring as part of the admission process.


Updating your key(s)
--------------------

There is a keyserver running on keyring.debian.org; for any updates of
existing keys (new certifications, subkeys, expiry changes or
revocations), please send them there, e.g.:

  $ gpg --keyserver=keyring.debian.org --send-keys 0x00000123ABCD0000

To add a new key or remove an existing one, please send mail to
keyring@rt.debian.org making sure to include the words "Debian RT"
somewhere in the subject line.


What the keyrings are
---------------------

 o debian-keyring.pgp

    This is the canonical Debian Developers (DD) keyring.  Anyone who
    has a key in here is an uploading Debian Developer.

 o debian-maintainers.pgp

    The keyring for Debian Maintainers (DM).  Anyone who has a key in
    here is a Debian Maintainer.

 o debian-nonupload.pgp

    This is the keyring for non-uploading Debian Developers.  Anyone
    who has a key in here is a non-uploading Debian Developer.

 o debian-role-keys.pgp

    This is the keyring used to contain role account keys, such as
    "ftp-master" (it contains the key used to sign the Release files
    in the archive).

===

The following keyring is not part of the binary package but is
available in the source package and on keyring.debian.org.  It is very
strongly recommended that you do not use or rely on keys in it for
verification purposes.

 o emeritus-keyring.pgp

    This is the keyring of emeritus developers; i.e. those who have
    resigned, retired, passed away or are otherwise inactive.


Acknowledgements
----------------

This README was originally written by Lars Wirzenius, liw@iki.fi and
was over time maintained by James Troup <james@nocrew.org>. Currently
it is maintained by the keyring-maint team (Jonathan McDowell
<noodles@earth.li>, Gunnar Wolf <gwolf@debian.org>, and Daniel Kahn
Gillmor <dkg@fifthhorseman.net>).  Contributions by J.H.M. Dassen
(Ray) <jdassen@wi.LeidenUniv.nl>, Igor Grobman <igor@debian.org>,
Darren Stalder <torin@daft.com>, Norbert Veber
<nveber@primusolutions.net> and Martin Michlmayr <tbm@cyrius.com>.

Many thanks to Brendan O'Dea <bod@debian.org> who set up and wrote
support scripts for the keyserver on keyring.debian.org.

================================================================================

[1] In Woody-era versions of gnupg (<< 1.2) the options file was
    called ~/.gnupg/options.