File: README
debian-keyring 2010.12.29

README for the debian-keyring package
=====================================


Introduction
------------

The Debian project wants developers to digitally sign the
announcements of their packages, to protect against forgeries.  The
Debian project maintains GPG (GNU Privacy Guard) keyrings with keys of
Debian developers.  This is the README for these keyrings.


Background: PGP and GPG
-----------------------

When this file was originally written, PGP (Pretty Good Privacy) was
the most widely used public key cryptography program.  Unfortunately,
it relied on a patented algorithm (the symmetric IDEA cipher), which
made a DFSG-free implementation impossible.  GPG (GNU Privacy Guard;
http://www.gnupg.org/) is a DFSG-free cryptography program based on
the same concepts as PGP, but built only on unencumbered
cryptographic algorithms.

Furthermore, cryptographic weaknesses have been found in the
algorithms old PGP keys depend on (in particular the MD5 hash used by
PGP 2.x keys and signatures), so those keys can no longer be trusted.
We therefore strongly encourage you to migrate to a strong RSA-based
GPG key of at least 2048 bits; 4096 bits is the current standard.

Over the years, all of our developers' keys have been migrated away
from PGP.
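
As an added example that is not part of the debian-keyring package or
of this README: the Python script below walks the OpenPGP packets of a
binary keyring such as debian-keyring.gpg and reports every primary key
or subkey that still violates the policy above, i.e. a version 3 (PGP
2.x style) key or a key whose modulus is shorter than 2048 bits.  The
packet layout follows RFC 4880.  The sample keyring at the bottom is
constructed inline from placeholder moduli (they are not real keys and
would not work as RSA keys) so that the script runs offline; the
function names, the dd@example.org user ID and the creation timestamps
are all assumptions made for the example.

```python
"""Audit an OpenPGP keyring (e.g. debian-keyring.gpg) for PGP v3 and sub-2048-bit keys."""
import hashlib
import struct

PUBLIC_KEY, PUBLIC_SUBKEY, USER_ID = 6, 14, 13          # RFC 4880 packet tags
ALGO_NAMES = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "Elgamal", 17: "DSA"}

def iter_packets(data):
    """Yield (tag, body) per packet; handles old- and new-format headers (RFC 4880 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % pos)
        pos += 1
        if ctb & 0x40:                          # new-format header
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:                               # partial lengths never wrap key packets
                raise ValueError("partial-length packet not supported")
        else:                                   # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            size = (1, 2, 4)[ltype]             # ltype 3 (indeterminate) never occurs for keys
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        pos += length
        yield tag, body

def parse_key(body):
    """Parse a public-key or public-subkey packet body into version/algo/size/IDs."""
    version = body[0]
    if version == 4:
        algo, pos = body[5], 6                  # version, 4-byte creation time, algo
    elif version in (2, 3):
        algo, pos = body[7], 8                  # same, plus 2 validity-days bytes
    else:
        raise ValueError("unknown key packet version %d" % version)
    mpis = []
    while pos < len(body):                      # MPI = 2-byte bit count + big-endian bytes
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        end = pos + 2 + (bits + 7) // 8
        mpis.append(int.from_bytes(body[pos + 2:end], "big"))
        pos = end
    if version == 4:                            # fingerprint: SHA-1 over 0x99, length, body
        fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
        keyid = fpr[-16:]
    else:                                       # v3: MD5(n || e); key ID = low 64 bits of n
        raw = b"".join(m.to_bytes((m.bit_length() + 7) // 8, "big") for m in mpis[:2])
        fpr, keyid = hashlib.md5(raw).hexdigest(), "%016x" % (mpis[0] & 0xFFFFFFFFFFFFFFFF)
    return {"version": version, "algo": ALGO_NAMES.get(algo, "algo%d" % algo),
            "bits": mpis[0].bit_length(), "fingerprint": fpr.upper(), "keyid": keyid.upper()}

def audit_keyring(data, min_bits=2048):
    """Return (keyid, fingerprint, reason) for every key that fails the policy above."""
    findings = []
    for tag, body in iter_packets(data):
        if tag not in (PUBLIC_KEY, PUBLIC_SUBKEY):
            continue                            # skip user IDs, signatures, trust packets
        key = parse_key(body)
        problems = []
        if key["version"] < 4:
            problems.append("legacy PGP v%d key" % key["version"])
        if key["bits"] < min_bits:              # bits of n for RSA, of p for DSA/Elgamal
            problems.append("%s key is only %d bits" % (key["algo"], key["bits"]))
        if problems:
            findings.append((key["keyid"], key["fingerprint"], "; ".join(problems)))
    return findings

# --- constructed sample keyring (placeholder moduli, not real keys) -----------
def make_mpi(v):
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")

def make_packet(tag, body):                     # old-format header with a 2-byte length
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body

def make_rsa_key(version, bits, tag=PUBLIC_KEY):
    n = (1 << (bits - 1)) | 1                   # any odd integer of exactly `bits` bits
    head = (b"\x04" + struct.pack(">I", 1293580800) if version == 4
            else b"\x03" + struct.pack(">I", 915148800) + b"\x00\x00")  # v3 adds validity
    return make_packet(tag, head + b"\x01" + make_mpi(n) + make_mpi(65537))  # algo 1 = RSA

SAMPLE_KEYRING = (make_rsa_key(4, 4096)                                 # compliant primary
                  + make_packet(USER_ID, b"Debian Developer <dd@example.org>")
                  + make_rsa_key(4, 1024, PUBLIC_SUBKEY)                # too short
                  + make_rsa_key(3, 1024))                              # legacy and too short

if __name__ == "__main__":
    for keyid, fpr, why in audit_keyring(SAMPLE_KEYRING):
        print(keyid, fpr, why)
```

Run against the real file with
audit_keyring(open("/usr/share/keyrings/debian-keyring.gpg", "rb").read()).
Only public-key and public-subkey packets are inspected; signatures,
user IDs and trust packets are skipped, so the script says nothing
about who certified a key, only whether the key material itself meets
the size and format policy.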

Getting debian-keyring.gpg
--------------------------

The current version of debian-keyring.gpg is always available via
rsync from keyring.debian.org (module keyrings).

There is also a (possibly slightly out-of-date) version available on
your nearest Debian mirror in debian/doc/debian-keyring.tar.gz and as
the debian-keyring package.

The rsync area on keyring.debian.org is the canonical location for
the keyrings, and it is what the archive installation run (dinstall)
consults when checking uploads.  If your key is available from there,
it will be seen by dinstall.  The tarball and the Debian package are
provided for user convenience and are not necessarily in sync with
keyring.debian.org.

The tarball contains the keyrings, a signed copy of the keyring
md5sums and this README.  The md5sums are signed by the keyring-maint
team (currently Jonathan McDowell and Gunnar Wolf); it is that
signature, not the digests by themselves, that lets you check the
keyrings are authentic, so verify it before relying on the sums.

Using the debian-keyring with gpg
---------------------------------

Add this line to the bottom of your ~/.gnupg/gpg.conf[1] file:

keyring /usr/share/keyrings/debian-keyring.gpg

GPG cannot modify keys in this root-owned file.  In order to edit or
sign keys from the Debian keyring you will first need to import them
into your personal keyring.  If ~/.gnupg/gpg.conf lists the
debian-keyring file, keys already present in the Debian keyring will
not be imported into your personal keyring.  You can use
"gpg --no-options --import" to force GPG to ignore gpg.conf and
import keys into your personal keyring only.

It is also possible to use public keyservers on the net directly.
This requires a working internet connection.  Add a line to your
~/.gnupg/gpg.conf[1] file such as:

keyserver subkeys.pgp.net

or

keyserver keyring.debian.org

Note that a key fetched from a public keyserver carries no assurance
by itself: anyone can upload a key with any user ID.  Only a key's
presence in debian-keyring.gpg (see "What the keyrings are" below)
identifies its owner as a Debian Developer.

Generate a key pair
-------------------

GPG is used for security, and security can be a bit tricky.
Please install the gnupg-doc package and read the GPG manual (located
in /usr/share/doc/gnupg-doc/GNU_Privacy_Handbook) before generating a
key pair.  The actual generation is trivial.  Use at least 2048 bits
(4096 bits is the current standard; see "Background: PGP and GPG"
above).

The Debian project will only accept new key pairs if they are GPG
keys.

(It's a key pair because GPG and PGP use public key cryptography:
one of the keys is private, the other is public.  This is all
explained in the GPG manual.)

You should also generate a revocation certificate and store it in a
safe place, in case you forget your passphrase or lose your key(s).

Exchange key signatures with other people
-----------------------------------------

If at all possible, meet other Debian developers in person and sign
each other's keys.  Geographical and economic constraints often make
this impossible, but if you can do it, please do.  Signing a key means
verifying that the key and the user ID on it belong together.  The
signatures allow other people to trust the key.  (This is the "web of
trust" the GPG manual explains.)

Also exchange key signatures with many other PGP/GPG users.  It all
helps to expand and strengthen the PGP/GPG web of trust.

Do *NOT* sign other people's keys unless you have met that person face
to face in real life and seen a good form of ID (e.g. passport,
driver's license), or you can in some other way be sure that the
person is who they say they are.


Getting your key into the debian keyring
----------------------------------------

If you are a long-standing Debian developer who has not uploaded any
packages for a long time and your key is not in the keyring, send a
mail to keyring@rt.debian.org (making sure to include the words
"Debian RT" somewhere in the subject) explaining the situation and
including your public key.

All new maintainers should apply at http://nm.debian.org/, and your
key(s) will be added to the keyring as part of the admission process.


Updating your key(s)
--------------------

There is a keyserver running on keyring.debian.org; please send any
updates of existing keys there, e.g.:

  $ gpg --keyserver=keyring.debian.org --send-keys 0x0123ABCD

(0x0123ABCD stands for your own key ID; prefer the full fingerprint
over a short ID, since short IDs are not unique.)

To add a new key or remove an existing one, please send mail to
keyring@rt.debian.org, making sure to include the words "Debian RT"
somewhere in the subject line.


What the keyrings are
---------------------

 o debian-keyring.gpg

    This is the canonical Debian Developers (DD) keyring.  Anyone who
    has a key in here is a Debian Developer.

 o debian-maintainers.gpg

    This is the keyring for Debian Maintainers (DM).  Anyone who has a
    key in here is a Debian Maintainer.

 o debian-role-keys.gpg

    This is the keyring used to contain role account keys, such as
    "ftp-master" (it contains the key used to sign the Release files
    in the archive).

===

These keyrings are not part of the binary package but are available in
the source package or on keyring.debian.org.  It is very strongly
recommended that you do not use/trust keys in these keyrings for
verification purposes.

 o emeritus-keyring.{gpg,pgp}

    This is the keyring of emeritus developers; i.e. those who have
    resigned, retired, passed away or are otherwise inactive.

 o extra-keys.pgp

    These are extra keys used for verification purposes (usually of
    new Debian maintainers).  They don't go into the main keyring
    because PGP keys are deprecated and no new PGP keys are being
    added to the PGP keyring.

 o removed-keys.{pgp,gpg}

    These are keys that have been removed from the main keyrings for
    various reasons.  Keys in here could have been duplicates,
    compromised keys, etc.  These keyrings are not available in the
    debian-keyring package, only in the tarball or via rsync.


Signing your GPG key with your PGP one
--------------------------------------

If you already have a PGP key, but only now made a GPG key, you must
sign your GPG key with your PGP one. This can be done as follows:

o If you have a version of gpg older than 1.0.3 (without RSA
  support), you will have to upgrade to a newer version which has RSA
  support included.  Additionally, you will also need the IDEA module
  (regardless of the GPG version in use).  If you are legally allowed to
  do so, you can download the ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz
  file and its signature ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz.sig,
  read the instructions at the top of the file, compile it and use it as
  a plugin for GnuPG.

o Find your GPG and PGP key IDs using gpg --list-keys and pgp -kv.
  Read the gpg and pgp documentation for more information.

o Sign your GPG key with your PGP key:
        gpg --load-extension idea \
            --secret-keyring ~/.pgp/secring.pgp \
            --keyring ~/.pgp/pubring.pgp \
            --keyring ~/.gnupg/pubring.gpg \
            --default-key 'Your PGP ID' --sign-key 'Your GPG ID'

Acknowledgements
----------------

This README was originally written by Lars Wirzenius, liw@iki.fi and
was over time maintained by James Troup <james@nocrew.org>. Currently
it is maintained by the keyring-maint team (Jonathan McDowell
<noodles@earth.li> and Gunnar Wolf <gwolf@debian.org>).  Contributions by
J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl>, Igor Grobman
<igor@debian.org>, Darren Stalder <torin@daft.com>, Norbert Veber
<nveber@primusolutions.net> and Martin Michlmayr <tbm@cyrius.com>.

Many thanks to Brendan O'Dea <bod@debian.org> who setup and wrote
support scripts for the keyserver on keyring.debian.org.

================================================================================

[1] In Woody-era versions of gnupg (<< 1.2) the options file was
    called ~/.gnupg/options.