Differences between revisions 1 and 10 (spanning 9 versions)
Revision 1 as of 2004-01-11 21:34:00
Size: 769
Editor: anonymous
Comment:
Revision 10 as of 2021-05-04 03:33:59
Size: 4130
Editor: PaulWise
Comment: typo
Line 1: Line 1:
## Auto-converted by kwiki2moinmoin v2005-10-07 The '''Debian Keyring''' is the keyring that contains those OpenPGP keys which belong to Debian Developers, those with unrestricted upload privileges to the Debian archives.
Line 3: Line 3:
keyring.debian.org <<TableOfContents()>>
Line 5: Line 5:
This public key server provides simple HKP lookup and add requests for Debian developer public keys. = Overview =
Line 7: Line 7:
The server may be accessed with gpg by using the --keyserver option in combination with either of the --recv-keys or --send-keys actions. All work in Debian is performed by developers that can be identified. For those using Debian to be able to trust Debian, we feel it is important that our users can identify those that are working on the project and that development is as transparent as is possible.

When joining the Debian project, developers need to identify themselves by providing an OpenPGP key that is signed by at least two existing members of the project. Contributions to the Debian archive are cryptographically signed using the developer's OpenPGP key to protect against forgeries.

As the Debian Project has evolved, two other keyrings have been created to manage the keys for those members of the project that are "non-uploading", that is they do not have privileges to upload to the archives but are in every other way full members of the project, and those of Debian Maintainers, developers that are not yet members of the project but have been granted limited upload privileges.

These keyrings are maintained by the [[Teams/KeyringMaint|keyring-maint]] team.

= Obtaining Keys =

Here there are a selected few options listed for obtaining keys from the Debian Keyrings. See the [[https://keyring.debian.org/|public key server homepage]] for more information on other methods of obtaining keys. The canonical means of obtaining keys, for the most up to date version of the keyrings, is to use rsync.

== Via rsync ==

The public key server also provides the full keyring via anonymous rsync in the 'keyrings' module, e.g.:

{{{
rsync -az --progress keyring.debian.org::keyrings/keyrings/ .
}}}

== Via the Debian Archive ==

The keyrings maintained by the keyring-maint team are packaged in Debian as [[DebianPkg:debian-keyring]]. This package is often not the most up to date version of the keyring, though it can be a good way to bootstrap trust if you trust the media you installed Debian from as the package will be verified using GnuPG when it is downloaded and installed. The installed keyrings are placed in /usr/share/keyrings.

Visit [[https://tracker.debian.org/pkg/debian-keyring|Debian package tracker]]
for information about when the keyring package was updated.
Using an update interval of about 5 or 6 weeks,
you have an indicator when the next update is due.

== Via WKD ==

The [[https://wiki.gnupg.org/WKD|Web Key Directory]] protocol is supported for Debian developers who use an @debian.org e-mail address in one of the UIDs on their key.

{{{
gpg --locate-keys foo@debian.org
}}}

== Via HKP ==

The public key server at keyring.debian.org provides simple HKP lookup and add requests for Debian developer public keys.

The server may be accessed with gpg by using the --keyserver option in combination with either of the --recv-keys or --send-keys actions:

{{{
# Fetch a key from the keyring
$ gpg --keyserver keyring.debian.org --recv-key 0xkeyid

# Push updates to a key already in the keyring
$ gpg --keyserver keyring.debian.org --send-key 0xkeyid
}}}
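Review bot: the HKP examples at the end of this hunk use the placeholder `0xkeyid`, which invites short key IDs; short IDs are not collision-resistant, so a full-fingerprint placeholder would be safer in both commands. The prose also names the actions `--recv-keys` and `--send-keys` while the commands use `--recv-key` and `--send-key`; pick one spelling so readers can copy either.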
Line 11: Line 60:
Debian keys may also be retrieved by using the form at db.debian.org or:
finger user@db.debian.org
Note that updates through this server will not be immediately reflected in the keys returned by those mechanisms.
Line 14: Line 62:
Note that updates through this server will not be immediately reflected in the keys returned by those mechanisms. == Via db.debian.org ==

Debian keys may also be retrieved by using the web form at [[https://db.debian.org/|db.debian.org]] or by using DebianMan:finger (from the [[DebianPkg:finger]] package):

{{{
$ finger user@db.debian.org
}}}

To limit the finger output to the OpenPGP key of <user>:

{{{
finger user/key@db.debian.org | gpg --list-options show-keyring
}}}

Note the `/key` after the Debian account name.
Replace `--list-options show-keyring` with `--import` for importing the key.

----

[[CategoryOpenPGP]]
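Review bot: the closing advice in this hunk to replace `--list-options show-keyring` with `--import` pipes finger output straight into the user's keyring, and finger is an unauthenticated cleartext protocol. Suggest adding a sentence telling readers to compare the fingerprint of the fetched key with a copy obtained through a verified channel, such as the debian-keyring package described earlier on the page, before importing or trusting it.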

The Debian Keyring is the keyring that contains those OpenPGP keys which belong to Debian Developers, those with unrestricted upload privileges to the Debian archives.

= Overview =

All work in Debian is performed by developers that can be identified. For those using Debian to be able to trust Debian, we feel it is important that our users can identify those that are working on the project and that development is as transparent as is possible.

When joining the Debian project, developers need to identify themselves by providing an OpenPGP key that is signed by at least two existing members of the project. Contributions to the Debian archive are cryptographically signed using the developer's OpenPGP key to protect against forgeries.

As the Debian Project has evolved, two other keyrings have been created to manage the keys for those members of the project that are "non-uploading", that is they do not have privileges to upload to the archives but are in every other way full members of the project, and those of Debian Maintainers, developers that are not yet members of the project but have been granted limited upload privileges.

These keyrings are maintained by the keyring-maint team.

= Obtaining Keys =

A few selected options for obtaining keys from the Debian Keyrings are listed here. See the public key server homepage for more information on other methods of obtaining keys. The canonical means of obtaining keys, for the most up to date version of the keyrings, is to use rsync.

== Via rsync ==

The public key server also provides the full keyring via anonymous rsync in the 'keyrings' module, e.g.:

{{{
rsync -az --progress keyring.debian.org::keyrings/keyrings/ .
}}}

== Via the Debian Archive ==

The keyrings maintained by the keyring-maint team are packaged in Debian as debian-keyring. This package is often not the most up to date version of the keyring, though it can be a good way to bootstrap trust if you trust the media you installed Debian from as the package will be verified using GnuPG when it is downloaded and installed. The installed keyrings are placed in /usr/share/keyrings.

Visit the Debian package tracker for information about when the keyring package was updated. With an update interval of about 5 or 6 weeks, this gives you an indicator of when the next update is due.

== Via WKD ==

The Web Key Directory protocol is supported for Debian developers who use an @debian.org e-mail address in one of the UIDs on their key.

{{{
gpg --locate-keys foo@debian.org
}}}

== Via HKP ==

The public key server at keyring.debian.org provides simple HKP lookup and add requests for Debian developer public keys.

The server may be accessed with gpg by using the --keyserver option in combination with either of the --recv-keys or --send-keys actions:

{{{
# Fetch a key from the keyring
$ gpg --keyserver keyring.debian.org --recv-key 0xkeyid

# Push updates to a key already in the keyring
$ gpg --keyserver keyring.debian.org --send-key 0xkeyid
}}}

Only keys in the Debian keyrings will be returned by this server and only pre-existing keys will be updated, although a copy of all updates will be forwarded to a keyserver network. The keyrings are also periodically updated from that network.

Note that updates through this server will not be immediately reflected in the keys returned by those mechanisms.

== Via db.debian.org ==

Debian keys may also be retrieved by using the web form at db.debian.org or by using finger (from the finger package):

{{{
$ finger user@db.debian.org
}}}

To limit the finger output to the OpenPGP key of <user>:

{{{
finger user/key@db.debian.org | gpg --list-options show-keyring
}}}

Note the `/key` after the Debian account name. Replace `--list-options show-keyring` with `--import` for importing the key.
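
Keys fetched via HKP or finger can be checked against a keyring you already trust, such as the one installed by the debian-keyring package, before they are imported. The following is an added example, not part of the original wiki page; the function names, the sample listings and the keyring file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): accept a fetched key only if its
# primary fingerprint is already present in a keyring you trust.

# Read `gpg --with-colons` output on stdin and print primary-key fingerprints.
# The "fpr" record that follows a "pub" record is the primary key's; those
# that follow "sub" records belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# List the primary fingerprints in a key file without importing anything.
file_fprs() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null | primary_fprs
}

# $1 = candidate fingerprints, $2 = trusted fingerprints (newline-separated).
# Succeeds only if there is at least one candidate and all are trusted.
all_trusted() {
    [ -n "$1" ] || return 1
    for f in $1; do
        printf '%s\n' "$2" | grep -qxF "$f" || return 1
    done
}

# Constructed sample listing standing in for a key fetched via finger or HKP.
SAMPLE_FETCHED='pub:-:4096:1:1111111111111111:1262304000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111111111111111:
uid:-::::1262304000::::Constructed User <user@debian.org>:
sub:-:4096:1:2222222222222222:1262304000::::::e:
fpr:::::::::9999888877776666555544442222222222222222:'

# Constructed stand-in for the fingerprints of the packaged keyring.
SAMPLE_TRUSTED='0000111122223333444455556666777788889999
AAAABBBBCCCCDDDDEEEEFFFF1111111111111111'

# Real use (keyring file name is an assumption; check /usr/share/keyrings):
#   finger user/key@db.debian.org > fetched.asc
#   all_trusted "$(file_fprs fetched.asc)" \
#       "$(file_fprs /usr/share/keyrings/debian-keyring.gpg)" \
#       && gpg --import fetched.asc
```

The comparison is only as trustworthy as the keyring it is made against, so the trusted side should come from a channel you have already verified.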


CategoryOpenPGP