README for the debian-keyring package ===================================== Introduction ------------ The Debian project wants developers to digitally sign the announcements of their packages, to protect against forgeries. The Debian project maintains OpenPGP keyrings with keys of Debian developers. This is the README for these keyrings. Background: OpenPGP and GnuPG ----------------------------- OpenPGP is a cryptographic standard that defines certificate formats, signature formats, and encryption formats. For debian, we rely heavily on the signature formats, and we keep our developers' credentials in OpenPGP certificate formats, aggregated into "keyrings", which are just concatenated files of OpenPGP certificates. These keyrings have a suffix of .gpg, reflecting our use of GnuPG (the GNU Privacy Guard), the most widely-used free software implementation of OpenPGP. Some older OpenPGP implementations used cryptography that is now considered weak, so we strongly encourage you to migrate to a strong (2048 bit or greater, current standard is 4096, RSA-based) OpenPGP key. Getting debian-keyring.gpg -------------------------- The current version of debian-keyring.gpg is always available via rsync from keyring.debian.org (module keyrings). There is also a (possibly slightly out-of-date) version available on your nearest debian mirror in debian/doc/debian-keyring.tar.gz and as the debian-keyring package. The rsync area on keyring.debian.org is the canonical location for keyrings and it is what the Debian installer program (dinstall) uses. If your key is available from there, it will be seen by dinstall. The tarball and Debian package are provided for user convenience and are not necessarily in sync with keyring.debian.org. That file contains the keyrings, signed copy of keyring md5sums and this README. The keyring md5sums will be signed by the keyring-maint team (currently, Jonathan McDowell, Gunnar Wolf, and Daniel Kahn Gillmor). Using the debian-keyring with gpg --------------------------------- Add these lines to the bottom of your ~/.gnupg/gpg.conf[1] file: keyring /usr/share/keyrings/debian-keyring.gpg GPG cannot modify keys in these root-owned files. In order to edit or sign keys in the Debian keyring you will first need to import them to your personal keyring. If ~/.gnupg/gpg.conf lists the debian-keyring files, keys already in the Debian keyring will not be imported to your personal keyring. You can use "gpg --no-options --import" to force GPG to ignore gpg.conf and import keys to your personal keyring only. It is also possible to use public keyservers on the net directly. This requires that you have a working internet connection. Add a line to your ~/.gnupg/gpg.conf[1] file such as: keyserver pool.sks-keyservers.net or keyserver keyring.debian.org Generate a key pair ------------------- GPG is used for security, and security can be a bit tricky. You might find the guide at: https://keyring.debian.org/creating-key.html helpful. Your OpenPGP key should have an encryption-capable subkey as well; otherwise DSA will not be able to email you your account password. You should also generate a revocation certificate, and store it in a safe place in the case that you forget your pass phrase, or lose your key(s). GnuPG 2.1 or later automatically generates revocation certificates and stores them in ~/.gnupg/openpgp-revocs.d/ -- please back them up safely! Exchange key signatures with other people ----------------------------------------- If at all possible, meet other Debian developers in person, verify their fingerprints, and certify each other's keys. Geographical and economical challenges often make this impossible, but if you can do it, please do. Signing keys means verifying that the key and the username belong together. The signatures allow other people to know that the key belongs to the person it says it belongs to. (This is the "web of trust" stuff the GPG manual explains about.) Also exchange key signatures with many other OpenPGP users. It all helps to expand and strengthen the OpenPGP web of trust. Do *NOT* certify other people's key unless you have met that person face to face in real life and have verified that the person is who they say they are. One common way people can verify identity is to ask for a strong, unforgeable form of government-issued ID that they know how to check (e.g. passport, driver's license). Getting your key into the debian keyring ---------------------------------------- If you are an old debian developer who hasn't uploaded your packages for a long time, and your key is not in the keyring, send a mail to keyring@rt.debian.org (making sure to include the words "Debian RT" somewhere in the subject) explaining the situation, and including your public key. All new maintainers should apply at https://nm.debian.org/, and your key(s) will be added to the keyring as part of the admission process. Updating your key(s) -------------------- There is a keyserver running on keyring.debian.org; for any updates of existing keys please send them there, e.g: $ gpg --keyserver=keyring.debian.org --send-keys 0x00000123ABCD0000 To add a new key or remove an existing one, please send mail to keyring@rt.debian.org making sure to include the words "Debian RT" somewhere in the subject line. What the keyrings are --------------------- o debian-keyring.gpg This is the canonical Debian Developers (DD) keyring. Anyone who has a key in here is an uploading Debian Developer. o debian-maintainers.gpg The keyring for Debian Maintainers (DM). Anyone who has a key in here is a Debian Maintainer. o debian-nonupload.gpg This is the keyring for Debian Developers (nonuploading). Anyone who has a key in here is a nonuploading Debian Developer. o debian-role-keys.gpg This is the keyring used to contain role account keys, such as "ftp-master" (it contains the key used to sign the Release files in the archive). === These keyrings are not part of the binary package but are available in the source package or on keyring.debian.org. It is very strongly recommended that you do not use or rely on keys in these keyrings for verification purposes. o emeritus-keyring.gpg This is the keyring of emeritus developers; i.e. those who have resigned, retired, passed away or are otherwise inactive. Acknowledgements ---------------- This README was originally written by Lars Wirzenius, liw@iki.fi and was over time maintained by James Troup . Currently it is maintained by the keyring-maint team (Jonathan McDowell , Gunnar Wolf , and Daniel Kahn Gillmor ). Contributions by J.H.M. Dassen (Ray) , Igor Grobman , Darren Stalder , Norbert Veber and Martin Michlmayr . Many thanks to Brendan O'Dea who set up and wrote support scripts for the keyserver on keyring.debian.org. ================================================================================ [1] In Woody-era versions of gnupg (<< 1.2) the options file was called ~/.gnupg/options.