diff options
Diffstat (limited to 'README')
| -rw-r--r-- | README | 198 |
1 files changed, 198 insertions, 0 deletions
@@ -0,0 +1,198 @@ +README for the debian-keyring package +===================================== + + +Introduction +------------ + +The Debian project wants developers to digitally sign the +announcements of their packages, to protect against forgeries. The +Debian project maintains OpenPGP keyrings with keys of +Debian developers. This is the README for these keyrings. + + +Background: OpenPGP and GnuPG +----------------------------- + +OpenPGP is a cryptographic standard that defines certificate formats, +signature formats, and encryption formats. For debian, we rely +heavily on the signature formats, and we keep our developers' +credentials in OpenPGP certificate formats, aggregated into +"keyrings", which are just concatenated files of OpenPGP certificates. + +These keyrings have a suffix of .gpg, reflecting our use of GnuPG (the +GNU Privacy Guard), the most widely-used free software implementation +of OpenPGP. + +Some older OpenPGP implementations used cryptography that is now +considered weak, so we strongly encourage you to migrate to a strong +(2048 bit or greater, current standard is 4096, RSA-based) OpenPGP +key. + +Getting debian-keyring.gpg +-------------------------- + +The current version of debian-keyring.gpg is always available via +rsync from keyring.debian.org (module keyrings). + +There is also a (possibly slightly out-of-date) version available on +your nearest debian mirror in debian/doc/debian-keyring.tar.gz and as +the debian-keyring package. + +The rsync area on keyring.debian.org is the canonical location for +keyrings and it is what the Debian installer program (dinstall) uses. +If your key is available from there, it will be seen by dinstall. The +tarball and Debian package are provided for user convenience and are +not necessarily in sync with keyring.debian.org. + +That file contains the keyrings, signed copy of keyring md5sums and +this README. The keyring md5sums will be signed by the keyring-maint +team (currently, Jonathan McDowell, Gunnar Wolf, and Daniel Kahn +Gillmor). + +Using the debian-keyring with gpg +--------------------------------- + +Add these lines to the bottom of your ~/.gnupg/gpg.conf[1] file: + +keyring /usr/share/keyrings/debian-keyring.gpg + +GPG cannot modify keys in these root-owned files. In order to edit or +sign keys in the Debian keyring you will first need to import them to +your personal keyring. If ~/.gnupg/gpg.conf lists the debian-keyring +files, keys already in the Debian keyring will not be imported to your +personal keyring. You can use "gpg --no-options --import" to force +GPG to ignore gpg.conf and import keys to your personal keyring only. + +It is also possible to use public keyservers on the net directly. This +requires that you have a working internet connection. +Add a line to your ~/.gnupg/gpg.conf[1] file such as: + +keyserver pool.sks-keyservers.net + +or + +keyserver keyring.debian.org + +Generate a key pair +------------------- + +GPG is used for security, and security can be a bit tricky. You might +find the guide at: + +https://keyring.debian.org/creating-key.html + +helpful. + +Your OpenPGP key should have an encryption-capable subkey as well; otherwise +DSA will not be able to email you your account password. + +You should also generate a revocation certificate, and store it in a +safe place in the case that you forget your pass phrase, or lose your +key(s). GnuPG 2.1 or later automatically generates revocation +certificates and stores them in ~/.gnupg/openpgp-revocs.d/ -- please +back them up safely! + +Exchange key signatures with other people +----------------------------------------- + +If at all possible, meet other Debian developers in person, verify +their fingerprints, and certify each other's keys. Geographical and +economical challenges often make this impossible, but if you can do +it, please do. Signing keys means verifying that the key and the +username belong together. The signatures allow other people to know +that the key belongs to the person it says it belongs to. (This is the +"web of trust" stuff the GPG manual explains about.) + +Also exchange key signatures with many other OpenPGP users. It all +helps to expand and strengthen the OpenPGP web of trust. + +Do *NOT* certify other people's key unless you have met that person +face to face in real life and have verified that the person is who +they say they are. One common way people can verify identity is to +ask for a strong, unforgeable form of government-issued ID that they +know how to check (e.g. passport, driver's license). + + +Getting your key into the debian keyring +---------------------------------------- + +If you are an old debian developer who hasn't uploaded your packages +for a long time, and your key is not in the keyring, send a mail to +keyring@rt.debian.org (making sure to include the words "Debian RT" +somewhere in the subject) explaining the situation, and including your +public key. + +All new maintainers should apply at https://nm.debian.org/, and your +key(s) will be added to the keyring as part of the admission process. + + +Updating your key(s) +-------------------- + +There is a keyserver running on keyring.debian.org; for any updates of +existing keys please send them there, e.g: + + $ gpg --keyserver=keyring.debian.org --send-keys 0x00000123ABCD0000 + +To add a new key or remove an existing one, please send mail to +keyring@rt.debian.org making sure to include the words "Debian RT" +somewhere in the subject line. + + +What the keyrings are +--------------------- + + o debian-keyring.gpg + + This is the canonical Debian Developers (DD) keyring. Anyone who + has a key in here is an uploading Debian Developer. + + o debian-maintainers.gpg + + The keyring for Debian Maintainers (DM). Anyone who has a key in + here is a Debian Maintainer. + + o debian-nonupload.gpg + + This is the keyring for Debian Developers (nonuploading). Anyone + who has a key in here is a nonuploading Debian Developer. + + o debian-role-keys.gpg + + This is the keyring used to contain role account keys, such as + "ftp-master" (it contains the key used to sign the Release files + in the archive). + +=== + +These keyrings are not part of the binary package but are available in +the source package or on keyring.debian.org. It is very strongly +recommended that you do not use or rely on keys in these keyrings for +verification purposes. + + o emeritus-keyring.gpg + + This is the keyring of emeritus developers; i.e. those who have + resigned, retired, passed away or are otherwise inactive. + + +Acknowledgements +---------------- + +This README was originally written by Lars Wirzenius, liw@iki.fi and +was over time maintained by James Troup <james@nocrew.org>. Currently +it is maintained by the keyring-maint team (Jonathan McDowell +<noodles@earth.li>, Gunnar Wolf <gwolf@debian.org>, and Daniel Kahn +Gillmor <dkg@fifthhorseman.net>). Contributions by J.H.M. Dassen +(Ray) <jdassen@wi.LeidenUniv.nl>, Igor Grobman <igor@debian.org>, +Darren Stalder <torin@daft.com>, Norbert Veber +<nveber@primusolutions.net> and Martin Michlmayr <tbm@cyrius.com>. + +Many thanks to Brendan O'Dea <bod@debian.org> who set up and wrote +support scripts for the keyserver on keyring.debian.org. + +================================================================================ + +[1] In Woody-era versions of gnupg (<< 1.2) the options file was + called ~/.gnupg/options. |