Differences between revisions 9 and 10
Revision 9 as of 2021-05-04 03:33:36
Size: 4132
Editor: PaulWise
Comment: add WKD, cleanups
Revision 10 as of 2021-05-04 03:33:59
Size: 4130
Editor: PaulWise
Comment: typo

The Debian Keyring is the keyring that contains those OpenPGP keys which belong to Debian Developers, those with unrestricted upload privileges to the Debian archives.

Overview

All work in Debian is performed by developers who can be identified. For users of Debian to be able to trust Debian, we feel it is important that they can identify those working on the project, and that development is as transparent as possible.

When joining the Debian project, developers need to identify themselves by providing an OpenPGP key that is signed by at least two existing members of the project. Contributions to the Debian archive are cryptographically signed using the developer's OpenPGP key to protect against forgeries.

As the Debian Project has evolved, two other keyrings have been created to manage the keys of two further groups: "non-uploading" members of the project, who do not have privileges to upload to the archives but are in every other way full members of the project, and Debian Maintainers, developers who are not yet members of the project but have been granted limited upload privileges.

These keyrings are maintained by the keyring-maint team.

Obtaining Keys

A few selected options for obtaining keys from the Debian keyrings are listed here. See the public key server homepage for more information on other methods of obtaining keys. The canonical means of obtaining the most up-to-date version of the keyrings is rsync.

Via rsync

The public key server also provides the full keyring via anonymous rsync in the 'keyrings' module, e.g.:

rsync -az --progress keyring.debian.org::keyrings/keyrings/ .

Via the Debian Archive

The keyrings maintained by the keyring-maint team are packaged in Debian as debian-keyring. This package is often not the most up-to-date version of the keyring, but it can be a good way to bootstrap trust if you trust the media you installed Debian from, because the package is verified using GnuPG when it is downloaded and installed. The installed keyrings are placed in /usr/share/keyrings.

Visit the Debian package tracker for information about when the keyring package was last updated. The package is updated at an interval of about 5 or 6 weeks, which gives an indication of when the next update is due.

Via WKD

The Web Key Directory protocol is supported for Debian developers who use an @debian.org e-mail address in one of the UIDs on their key.

gpg --locate-keys foo@debian.org
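Because WKD lookup only works for keys that carry a UID with an @debian.org address, it is useful to know which keys in a locally obtained copy of the keyring (via rsync or the debian-keyring package) qualify before relying on gpg --locate-keys. The following shell script is an added example; it is not part of this wiki page and not Debian's own tooling. It parses the machine-readable listing that gpg --with-colons --list-keys produces and prints the primary fingerprint of every key with an @debian.org UID. The sample listing embedded in it is constructed (not real Debian keys), and the keyring path in the final comment is an assumption about where the debian-keyring package or rsync places the file.

```shell
# Added example (not from the Debian wiki): find keys in a local copy of the
# Debian keyring that can be looked up through WKD, i.e. keys carrying a UID
# with an @debian.org address. Input is the colon-separated listing produced
# by `gpg --with-colons --list-keys`.

# Print the primary fingerprint of every key whose UIDs include an
# @debian.org address. Reads colon-format output on stdin.
wkd_capable_keys() {
    awk -F: '
        # A "pub" record starts a new key: emit the previous one if it
        # qualified, then reset the per-key state.
        $1 == "pub" { emit(); fpr = ""; hit = 0 }
        # The first "fpr" record after "pub" is the primary key fingerprint;
        # later "fpr" records belong to subkeys and are ignored.
        $1 == "fpr" && fpr == "" { fpr = $10 }
        # Field 10 of a "uid" record is the user ID string.
        $1 == "uid" && $10 ~ /<[^<>]*@debian\.org>/ { hit = 1 }
        END { emit() }
        function emit() { if (fpr != "" && hit) print fpr }
    '
}

# Count how many keys in the listing on stdin are WKD-capable.
count_wkd_capable() {
    wkd_capable_keys | wc -l | tr -d ' '
}

# Constructed sample listing (not real Debian keys): the first key has an
# @debian.org UID alongside another address, the second key has none.
# Both keys carry an encryption subkey with its own "fpr" record.
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::0000000000000000000000000000000000000000::Jane Example <jane@debian.org>::::::::::0:
uid:u::::1600000000::0000000000000000000000000000000000000001::Jane Example <jane@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:u:4096:1:1111111111111111:1600000000:::u:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1600000000::0000000000000000000000000000000000000002::Bob Example <bob@example.org>::::::::::0:
sub:u:4096:1:2222222222222222:1600000000::::::e::::::23:
fpr:::::::::2222222222222222222222222222222222222222:'

# Stand-alone run over the constructed sample: prints the first fingerprint only.
printf '%s\n' "$SAMPLE_LISTING" | wkd_capable_keys

# Against a real local keyring (path is an assumption about where the
# debian-keyring package or an rsync copy puts the file):
#   gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg \
#       --with-colons --list-keys | wkd_capable_keys
```

The script deliberately reads only the primary fingerprint of each key, so a subkey's fingerprint is never mistaken for the identity you would later compare against a WKD result; keys without an @debian.org UID are omitted rather than reported, since for those the WKD lookup shown above simply cannot succeed.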

Via HKP

The public key server at keyring.debian.org provides simple HKP lookup and add requests for Debian developer public keys.

The server may be accessed with gpg by using the --keyserver option in combination with either of the --recv-keys or --send-keys actions:

# Fetch a key from the keyring
$ gpg --keyserver keyring.debian.org --recv-key 0xkeyid

# Push updates to a key already in the keyring
$ gpg --keyserver keyring.debian.org --send-key 0xkeyid

Only keys in the Debian keyrings will be returned by this server and only pre-existing keys will be updated, although a copy of all updates will be forwarded to a keyserver network. The keyrings are also periodically updated from that network.

Note that updates submitted through this server are not immediately reflected in the keys returned by the other retrieval mechanisms described above.

Via db.debian.org

Debian keys may also be retrieved by using the web form at db.debian.org or by using finger (from the finger package):

$ finger user@db.debian.org

To limit the finger output to the OpenPGP key of <user>:

$ finger user/key@db.debian.org | gpg --list-options show-keyring

Note the /key after the Debian account name. Replace --list-options show-keyring with --import for importing the key.


CategoryOpenPGP