The Debian Keyring is the keyring that contains those OpenPGP keys which belong to Debian Developers, those with unrestricted upload privileges to the Debian archives.
All work in Debian is performed by developers that can be identified. For those using Debian to be able to trust Debian, we feel it is important that our users can identify those that are working on the project and that development is as transparent as is possible.
When joining the Debian project, developers need to identify themselves by providing an OpenPGP key that is signed by at least two existing members of the project. Contributions to the Debian archive are cryptographically signed using the developer's OpenPGP key to protect against forgeries.
As the Debian Project has evolved, two other keyrings have been created to manage the keys for those members of the project that are "non-uploading", that is they do not have privileges to upload to the archives but are in every other way full members of the project, and those of Debian Maintainers, developers that are not yet members of the project but have been granted limited upload privileges.
These keyrings are maintained by the keyring-maint team.
Here there are a selected few options listed for obtaining keys from the Debian Keyrings. See the public key server homepage for more information on other methods of obtaining keys. The canonical means of obtaining keys, for the most up to date version of the keyrings, is to use rsync.
The public key server also provides the full keyring via anonymous rsync in the 'keyrings' module, e.g.:
rsync -az --progress keyring.debian.org::keyrings/keyrings/ .
Via the Debian Archive
The keyrings maintained by the keyring-maint team are packaged in Debian as debian-keyring. This package is often not the most up to date version of the keyring, though it can be a good way to bootstrap trust if you trust the media you installed Debian from as the package will be verified using GnuPG when it is downloaded and installed. The installed keyrings are placed in /usr/share/keyrings.
Visit Debian package tracker for information about when the keyring package was updated. Using an update interval of about 5 or 6 weeks, you have an indicator when the next update is due.
The Web Key Directory protocol is supported for Debian developers who use an @debian.org e-mail address in one of the UIDs on their key.
gpg --locate-keys firstname.lastname@example.org
The public key server at keyring.debian.org provides simple HKP lookup and add requests for Debian developer public keys.
The server may be accessed with gpg by using the --keyserver option in combination with either of the --recv-keys or --send-keys actions:
# Fetch a key from the keyring $ gpg --keyserver keyring.debian.org --recv-key 0xkeyid # Push updates to a key already in the keyring $ gpg --keyserver keyring.debian.org --send-key 0xkeyid
Only keys in the Debian keyrings will be returned by this server and only pre-existing keys will be updated, although a copy of all updates will be forwarded to a keyserver network. The keyrings are also periodically updated from that network.
Note that updates through this server will not be immediately reflected in the keys returned by those mechanisms.
$ finger email@example.com
To limit the finger output to the OpenPGP key of <user>:
finger firstname.lastname@example.org | gpg --list-options show-keyring
Note the /key after the Debian account name. Replace --list-options show-keyring with --import for importing the key.