README for the debian-keyring package
=====================================


Introduction
------------

The Debian project wants developers to digitally sign the
announcements of their packages, to protect against forgeries.  The
Debian project maintains OpenPGP keyrings with keys of
Debian developers.  This is the README for these keyrings.


Background: OpenPGP and GnuPG
-----------------------------

OpenPGP is a cryptographic standard that defines certificate formats,
signature formats, and encryption formats.  For Debian, we rely
heavily on the signature formats, and we keep our developers'
credentials in OpenPGP certificate formats, aggregated into
"keyrings", which are just concatenated files of OpenPGP certificates.

These keyrings have a suffix of .gpg, reflecting our use of GnuPG (the
GNU Privacy Guard), the most widely-used free software implementation
of OpenPGP.

Some older OpenPGP implementations used cryptography that is now
considered weak, so we strongly encourage you to migrate to a strong
RSA-based OpenPGP key (2048 bits or greater; the current standard is
4096).

Getting debian-keyring.gpg
--------------------------

The current version of debian-keyring.gpg is always available via
rsync from keyring.debian.org (module keyrings).

There is also a (possibly slightly out-of-date) version available on
your nearest debian mirror in debian/doc/debian-keyring.tar.gz and as
the debian-keyring package.

The rsync area on keyring.debian.org is the canonical location for
keyrings and it is what the Debian installer program (dinstall) uses.
If your key is available from there, it will be seen by dinstall.  The
tarball and Debian package are provided for user convenience and are
not necessarily in sync with keyring.debian.org.

The tarball contains the keyrings, a signed copy of the keyring
md5sums, and this README.  The keyring md5sums are signed by the
keyring-maint team (currently Jonathan McDowell, Gunnar Wolf, and
Daniel Kahn Gillmor).

Using the debian-keyring with gpg
---------------------------------

Add these lines to the bottom of your ~/.gnupg/gpg.conf[1] file:

keyring /usr/share/keyrings/debian-keyring.gpg

GPG cannot modify keys in these root-owned files.  In order to edit or
sign keys in the Debian keyring you will first need to import them to
your personal keyring.  If ~/.gnupg/gpg.conf lists the debian-keyring
files, keys already in the Debian keyring will not be imported to your
personal keyring.  You can use "gpg --no-options --import" to force
GPG to ignore gpg.conf and import keys to your personal keyring only.

It is also possible to use public keyservers on the net directly.  This
requires that you have a working internet connection.
Add a line to your ~/.gnupg/gpg.conf[1] file such as:

keyserver pool.sks-keyservers.net

or

keyserver keyring.debian.org

Generate a key pair
-------------------

GPG is used for security, and security can be a bit tricky. You might
find the guide at:

https://keyring.debian.org/creating-key.html

helpful.

Your OpenPGP key should have an encryption-capable subkey as well;
otherwise DSA (the Debian System Administrators) will not be able to
email you your account password.

You should also generate a revocation certificate, and store it in a
safe place in the case that you forget your pass phrase, or lose your
key(s).  GnuPG 2.1 or later automatically generates revocation
certificates and stores them in ~/.gnupg/openpgp-revocs.d/ -- please
back them up safely!

Exchange key signatures with other people
-----------------------------------------

If at all possible, meet other Debian developers in person, verify
their fingerprints, and certify each other's keys.  Geographical and
economic challenges often make this impossible, but if you can do
it, please do.  Signing keys means verifying that the key and the
user ID belong together.  The signatures allow other people to know
that the key belongs to the person it says it belongs to.  (This is
the "web of trust" that the GPG manual explains.)

Also exchange key signatures with many other OpenPGP users. It all
helps to expand and strengthen the OpenPGP web of trust.

Do *NOT* certify other people's keys unless you have met that person
face to face in real life and have verified that the person is who
they say they are.  One common way people can verify identity is to
ask for a strong, unforgeable form of government-issued ID that they
know how to check (e.g. passport, driver's license).


Getting your key into the debian keyring
----------------------------------------

If you are an old debian developer who hasn't uploaded your packages
for a long time, and your key is not in the keyring, send a mail to
keyring@rt.debian.org (making sure to include the words "Debian RT"
somewhere in the subject) explaining the situation, and including your
public key.

All new maintainers should apply at https://nm.debian.org/, and your
key(s) will be added to the keyring as part of the admission process.


Updating your key(s)
--------------------

There is a keyserver running on keyring.debian.org; for any updates of
existing keys please send them there, e.g.:

  $ gpg --keyserver=keyring.debian.org --send-keys 0x00000123ABCD0000

To add a new key or remove an existing one, please send mail to
keyring@rt.debian.org making sure to include the words "Debian RT"
somewhere in the subject line.


What the keyrings are
---------------------

 o debian-keyring.gpg

   This is the canonical Debian Developers (DD) keyring.  Anyone who
   has a key in here is an uploading Debian Developer.

 o debian-maintainers.gpg

   The keyring for Debian Maintainers (DM).  Anyone who has a key in
   here is a Debian Maintainer.

 o debian-nonupload.gpg

   This is the keyring for Debian Developers (nonuploading).  Anyone
   who has a key in here is a nonuploading Debian Developer.

 o debian-role-keys.gpg

   This is the keyring used to contain role account keys, such as
   "ftp-master" (it contains the key used to sign the Release files
   in the archive).

===

These keyrings are not part of the binary package but are available in
the source package or on keyring.debian.org.  It is very strongly
recommended that you do not use or rely on keys in these keyrings for
verification purposes.

 o emeritus-keyring.gpg

   This is the keyring of emeritus developers, i.e. those who have
   resigned, retired, passed away or are otherwise inactive.


Acknowledgements
----------------

This README was originally written by Lars Wirzenius, liw@iki.fi and
was over time maintained by James Troup <james@nocrew.org>. Currently
it is maintained by the keyring-maint team (Jonathan McDowell
<noodles@earth.li>, Gunnar Wolf <gwolf@debian.org>, and Daniel Kahn
Gillmor <dkg@fifthhorseman.net>).  Contributions by J.H.M. Dassen
(Ray) <jdassen@wi.LeidenUniv.nl>, Igor Grobman <igor@debian.org>,
Darren Stalder <torin@daft.com>, Norbert Veber
<nveber@primusolutions.net> and Martin Michlmayr <tbm@cyrius.com>.

Many thanks to Brendan O'Dea <bod@debian.org> who set up and wrote
support scripts for the keyserver on keyring.debian.org.

================================================================================

[1] In Woody-era versions of gnupg (<< 1.2) the options file was
    called ~/.gnupg/options.