1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229
|
README for the debian-keyring package
=====================================
Introduction
------------
The Debian project wants developers to digitally sign the
announcements of their packages, to protect against forgeries. The
Debian project maintains GPG (GNU Privacy Guard) keyrings with keys of
Debian developers. This is the README for these keyrings.
Background: PGP and GPG
-----------------------
When this file was originally written, PGP (Pretty Good Privacy) was
the most widely used public key cryptography program. Unfortunately,
it uses a patented algorithm (the symmetric IDEA cipher), making a
DFSG-free implementation impossible. GPG (GNU Privacy Guard;
http://www.gnupg.org/) is a DFSG-free cryptography program which is
based on the same concepts as PGP, but which uses unencumbered
cryptographic algorithms.
Furthermore, cryptographical weaknesses being discovered in PGP's
algorithms deemed its keys as no longer trustable, so we strongly
encourage you to migrate to a strong (2048 bit or greater, current
standard is 4096, RSA-based) GPG key.
Over the years, all of our developer's keys have been migrated away
from PGP.
Getting debian-keyring.gpg
--------------------------
The current versions of debian-keyring.gpg is always available via
rsync from keyring.debian.org (module keyrings).
There is also a (possibly slightly out-of-date) version available on
your nearest debian mirror in debian/doc/debian-keyring.tar.gz and as
the debian-keyring package.
The rsync area on keyring.debian.org is the canonical location for
keyrings and it is what the Debian installer program (dinstall) uses.
If your key is available from there, it will be seen by dinstall. The
tarball and Debian package are provided for user convenience and are
not necessarily in sync with keyring.debian.org.
That file contains the keyrings, signed copy of keyring md5sums and
this README. The keyring md5sums will be signed by the keyring-maint
team (currently, Jonathan McDowell and Gunnar Wolf).
Using the debian-keyring with gpg
---------------------------------
Add these lines to the bottom of your ~/.gnupg/gpg.conf[1] file:
keyring /usr/share/keyrings/debian-keyring.gpg
GPG cannot modify keys in these root-owned files. In order to edit or
sign keys in the Debian keyring you will first need to import them to
your personal keyring. If ~/.gnupg/gpg.conf lists the debian-keyring
files, keys already in the Debian keyring will not be imported to your
personal keyring. You can use "gpg --no-options --import" to force
GPG to ignore gpg.conf and import keys to your personal keyring only.
It also possible to use public keyservers on the net directly. This
requires that you have a working internet connection.
Add a line to your ~/.gnupg/gpg.conf[1] file such as:
keyserver subkeys.pgp.net
or
keyserver keyring.debian.org
Generate a key pair
-------------------
GPG is used for security, and security can be a bit tricky.
Please install the gnupg-doc package and read the GPG manual (located
in /usr/share/doc/gnupg-doc/GNU_Privacy_Handbook) before generating a
key pair. The actual generation is trivial. You must use at least
1024 bits.
The Debian project will only accept new key pairs if they are GPG
keys.
(It's a key pair, because GPG and PGP use public key cryptography.
One of the keys is private, one is public. This is all explained in
the GPG manual.)
You should also generate a revocation certificate, and store it in a safe
place in the case that you forget your pass phrase, or lose your key(s).
Exchange key signatures with other people
-----------------------------------------
If at all possible, meet other Debian developers in person and sign
each other's keys. Geographical and economical challenges often make
this impossible, but if you can do it, please do. Signing keys means
verifying that the key and the username belong together. The
signatures can allow other people to trust the key. (This is the "web
of trust" stuff the GPG manual explains about.)
Also exchange key signatures with many other PGP/GPG users. It all
helps to expand and strengthen the PGP/GPG web of trust.
Do *NOT* sign other people's key unless you have met that person face
to face in real life and seen a good form of ID (e.g. passport,
driver's license), or in any other way you can be sure that the person
is who they say they are.
Getting your key into the debian keyring
----------------------------------------
If you are an old debian developer who hasn't uploaded your packages
for a long time, and your key is not in the keyring, send a mail to
keyring@rt.debian.org (making sure to include the words "Debian RT"
somewhere in the subject) explaining the situation, and including your
public key.
All new maintainers should apply at http://nm.debian.org/, and your
key(s) will be added to the keyring as part of the admission process.
Updating your key(s)
--------------------
There is a keyserver running on keyring.debian.org, for any updates of
existing keys please send them there, e.g:
$ gpg --keyserver=keyring.debian.org --send-keys 0x0123ABCD
To add a new key or remove an existing ones, please send mail to
keyring@rt.debian.org making sure to include the words "Debian RT"
somewhere in the subject line.
What the keyrings are
---------------------
o debian-keyring.gpg
This is the canonical Debian Developers (DD) keyring. Anyone who
has a key in here is a Debian Developer.
o debian-maintainers.gpg
The keyring for Debian Maintainers (DM). Anyone who has a key in
here is a Debian Maintainer.
o debian-role-keys.gpg
This is the keyring used to contain role account keys, such as
"ftp-master" (it contains the key used to sign the Release files
in the archive).
===
These keyrings are not part of the binary package but are available in
the source package or on keyring.debian.org. It is very strongly
recommended that you do not use/trust keys in these keyrings for
verification purposes.
o emeritus-keyring.{gpg,pgp}
This is the keyring of emeritus developers; i.e. those who have
resigned, retired, passed away or are otherwise inactive.
o extra-keys.pgp
This is extra keys used for verification purposes (usually of new
Debian maintainers). They don't go into the main keyring because
PGP keys are deprecated and no new PGP keys are being added into
the PGP keyring.
o removed-keys.{pgp,gpg}
These keys are that have been removed from the main keyrings for
various reasons. Keys in here could have been duplicates or
compromised keys, etc. These keyrings are not available in the
debian-keyring package, only in the tar ball or via rsync.
Signing your GPG key with your PGP one
--------------------------------------
If you already have a PGP key, but only now made a GPG key, you must
sign your GPG key with your PGP one. This can be done as follows:
o If you have a version of gpg older than 1.0.3 (without RSA
support), you will have to upgrade to a newer version which has RSA
support included. Additionally, you will also need the IDEA module
(regardless of the GPG version in use). If you are legally allowed to
do so, you can download the ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz
file and its signature ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz.sig,
read the instructions at the top of the file, compile it and use it as
a plugin for GnuPG.
o Find your GPG and PGP key ID's using gpg --list-keys, and pgp -kv
Read the gpg and pgp documentation for more information.
o Sign your GPG key with your PGP key:
gpg --load-extension idea \
--secret-keyring ~/.pgp/secring.pgp \
--keyring ~/.pgp/pubring.pgp \
--keyring ~/.gnupg/pubring.gpg \
--default-key 'Your PGP ID' --sign-key 'Your GPG ID'
Acknowledgements
----------------
This README was originally written by Lars Wirzenius, liw@iki.fi and
was over time maintained by James Troup <james@nocrew.org>. Currently
it is maintained by the keyring-maint team (Jonathan McDowell
<noodles@earth.li> and Gunnar Wolf <gwolf@debian.org>). Contributions by
J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl>, Igor Grobman
<igor@debian.org>, Darren Stalder <torin@daft.com>, Norbert Veber
<nveber@primusolutions.net> and Martin Michlmayr <tbm@cyrius.com>.
Many thanks to Brendan O'Dea <bod@debian.org> who setup and wrote
support scripts for the keyserver on keyring.debian.org.
================================================================================
[1] In Woody-era versions of gnupg (<< 1.2) the options file was
called ~/.gnupg/options.
|