00mjk / debian-keyring

This project forked from acidburn0zzz/debian-keyring

debian-keyring

Home Page: https://acidburn0zzz.github.io/debian-keyring/

License: GNU General Public License v2.0

README for the debian-keyring package
=====================================


Introduction
------------

The Debian project wants developers to digitally sign the
announcements of their packages, to protect against forgeries.  The
Debian project maintains OpenPGP keyrings with keys of
Debian developers.  This is the README for these keyrings.


Background: OpenPGP and GnuPG
-----------------------------

OpenPGP is a cryptographic standard that defines certificate formats,
signature formats, and encryption formats.  For Debian, we rely
heavily on the signature formats, and we keep our developers'
credentials in OpenPGP certificate formats, aggregated into
"keyrings", which are just concatenated files of OpenPGP certificates.

These keyrings have a suffix of .gpg, reflecting our use of GnuPG (the
GNU Privacy Guard), the most widely-used free software implementation
of OpenPGP.
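
Because a keyring is nothing more than OpenPGP certificates concatenated as binary packets, it can be walked without GnuPG. The following is an added example, not code from the debian-keyring package: it parses the packet framing of a .gpg keyring and lists the v4 fingerprint of every public key and subkey, using a constructed miniature key packet as input (the real file path from this README can be substituted).

```python
import hashlib

PUBKEY, PUBSUBKEY = 6, 14  # packet tags: public key, public subkey (RFC 4880 4.3)

def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet in the keyring bytes."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("no packet header at offset %d" % i)
        if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
            tag, b1 = ctb & 0x3F, data[i + 1]
            if b1 < 192:
                length, hdr = b1, 2
            elif b1 < 224:
                length, hdr = ((b1 - 192) << 8) + data[i + 2] + 192, 3
            elif b1 == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial-body lengths not handled")
        else:  # old-format header (RFC 4880 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        yield tag, body
        i += hdr + length

def v4_fingerprint(body):
    """SHA-1 over 0x99, 2-byte body length, body (RFC 4880 12.2)."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def list_fingerprints(keyring):
    # Returns [(kind, fingerprint)] for every public key / subkey packet.
    return [("key" if tag == PUBKEY else "subkey", v4_fingerprint(body))
            for tag, body in iter_packets(keyring) if tag in (PUBKEY, PUBSUBKEY)]

# Constructed sample, not a real Debian key: a tiny v4 RSA key packet in old-format
# framing followed by a user-id packet (tag 13) in new-format framing.
def _mpi(x):  # OpenPGP multi-precision integer: 2-byte bit count, then the magnitude
    return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
SAMPLE_KEY_BODY = b"\x04" + b"\x00\x00\x00\x01" + b"\x01" + _mpi(0xC3) + _mpi(65537)
SAMPLE_KEYRING = (bytes([0x80 | (PUBKEY << 2), len(SAMPLE_KEY_BODY)]) + SAMPLE_KEY_BODY
                  + bytes([0xC0 | 13, 4]) + b"test")
```

Running list_fingerprints on the bytes of /usr/share/keyrings/debian-keyring.gpg gives the same fingerprints gpg prints with --with-colons, which is a quick way to confirm a Release-signing key is really in the keyring you installed.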

Some older OpenPGP implementations used cryptography that is now
considered weak, so we strongly encourage you to migrate to a strong
(2048 bit or greater, current standard is 4096, RSA-based) OpenPGP
key.

Getting debian-keyring.gpg
--------------------------

The current version of debian-keyring.gpg is always available via
rsync from keyring.debian.org (module keyrings).

There is also a (possibly slightly out-of-date) version available on
your nearest Debian mirror in debian/doc/debian-keyring.tar.gz and as
the debian-keyring package.

The rsync area on keyring.debian.org is the canonical location for
keyrings and it is what the Debian installer program (dinstall) uses.
If your key is available from there, it will be seen by dinstall.  The
tarball and Debian package are provided for user convenience and are
not necessarily in sync with keyring.debian.org.

The tarball contains the keyrings, a signed copy of the keyring md5sums
and this README.  The keyring md5sums are signed by the keyring-maint
team (currently, Jonathan McDowell, Gunnar Wolf, and Daniel Kahn
Gillmor).

Using the debian-keyring with gpg
---------------------------------

Add these lines to the bottom of your ~/.gnupg/gpg.conf[1] file:

keyring /usr/share/keyrings/debian-keyring.gpg

GPG cannot modify keys in these root-owned files.  In order to edit or
sign keys in the Debian keyring you will first need to import them to
your personal keyring.  If ~/.gnupg/gpg.conf lists the debian-keyring
files, keys already in the Debian keyring will not be imported to your
personal keyring.  You can use "gpg --no-options --import" to force
GPG to ignore gpg.conf and import keys to your personal keyring only.

It is also possible to use public keyservers on the net directly.  This
requires that you have a working internet connection.
Add a line to your ~/.gnupg/gpg.conf[1] file such as:

keyserver pool.sks-keyservers.net

or

keyserver keyring.debian.org

Generate a key pair
-------------------

GPG is used for security, and security can be a bit tricky.
Please install the gnupg-doc package and read the GPG manual (located
in /usr/share/doc/gnupg-doc/GNU_Privacy_Handbook) before generating a
key pair. The actual generation is trivial. You must use at least
2048 bits, but 4096 bit RSA keys are recommended.

The Debian project will only accept new keys if they are OpenPGP keys.

For widest use within the project, your OpenPGP key should have an
encryption-capable subkey as well.

You should also generate a revocation certificate, and store it in a
safe place in the case that you forget your pass phrase, or lose your
key(s).  GnuPG 2.1 or later automatically generates revocation
certificates and stores them in ~/.gnupg/openpgp-revocs.d/ -- please
back them up safely!

Exchange key signatures with other people
-----------------------------------------

If at all possible, meet other Debian developers in person, verify
their fingerprints, and certify each other's keys.  Geographical and
economic challenges often make this impossible, but if you can do
it, please do.  Signing keys means verifying that the key and the
username belong together. The signatures allow other people to know
that the key belongs to the person it says it belongs to. (This is the
"web of trust" that the GPG manual explains.)

Also exchange key signatures with many other OpenPGP users. It all
helps to expand and strengthen the OpenPGP web of trust.

Do *NOT* certify other people's keys unless you have met that person
face to face in real life and have verified that the person is who
they say they are.  One common way people can verify identity is to
ask for a strong, unforgeable form of government-issued ID that they
know how to check (e.g. passport, driver's license).


Getting your key into the debian keyring
----------------------------------------

If you are an old Debian developer who has not uploaded packages
for a long time, and your key is not in the keyring, send a mail to
[email protected] (making sure to include the words "Debian RT"
somewhere in the subject) explaining the situation, and including your
public key.

All new maintainers should apply at https://nm.debian.org/, and your
key(s) will be added to the keyring as part of the admission process.


Updating your key(s)
--------------------

There is a keyserver running on keyring.debian.org; for any updates of
existing keys please send them there, e.g.:

  $ gpg --keyserver=keyring.debian.org --send-keys 0x00000123ABCD0000

To add a new key or remove an existing one, please send mail to
[email protected] making sure to include the words "Debian RT"
somewhere in the subject line.


What the keyrings are
---------------------

 o debian-keyring.gpg

    This is the canonical Debian Developers (DD) keyring.  Anyone who
    has a key in here is an uploading Debian Developer.

 o debian-maintainers.gpg

    The keyring for Debian Maintainers (DM). Anyone who has a key in
    here is a Debian Maintainer.

 o debian-nonupload.gpg

    This is the keyring for Debian Developers (nonuploading). Anyone
    who has a key in here is a nonuploading Debian Developer.

 o debian-role-keys.gpg

    This is the keyring used to contain role account keys, such as
    "ftp-master" (it contains the key used to sign the Release files
    in the archive).

===

These keyrings are not part of the binary package but are available in
the source package or on keyring.debian.org.  It is very strongly
recommended that you do not use or rely on keys in these keyrings for
verification purposes.

 o emeritus-keyring.gpg

    This is the keyring of emeritus developers; i.e. those who have
    resigned, retired, passed away or are otherwise inactive.


Acknowledgements
----------------

This README was originally written by Lars Wirzenius, [email protected] and
was over time maintained by James Troup <[email protected]>. Currently
it is maintained by the keyring-maint team (Jonathan McDowell
<[email protected]>, Gunnar Wolf <[email protected]>, and Daniel Kahn
Gillmor <[email protected]>).  Contributions by J.H.M. Dassen
(Ray) <[email protected]>, Igor Grobman <[email protected]>,
Darren Stalder <[email protected]>, Norbert Veber
<[email protected]> and Martin Michlmayr <[email protected]>.

Many thanks to Brendan O'Dea <[email protected]> who set up and wrote
support scripts for the keyserver on keyring.debian.org.

================================================================================

[1] In Woody-era versions of gnupg (<< 1.2) the options file was
    called ~/.gnupg/options.
