Use OpenPGP instead of gpg when referring to keys
← Revision 10 as of 2021-05-04 03:33:59
|Deletions are marked like this.||Additions are marked like this.|
|Line 36:||Line 36:|
|== Via WKD ==
The [[https://wiki.gnupg.org/WKD|Web Key Directory]] protocol is supported for Debian developers who use an @debian.org e-mail address in one of the UIDs on their key.
gpg --locate-keys firstname.lastname@example.org
|Line 56:||Line 64:|
|Debian keys may also be retrieved by using the web form at [[https://db.debian.org/|db.debian.org]] or by using finger (from the [[DebianPkg:finger]] package):||Debian keys may also be retrieved by using the web form at [[https://db.debian.org/|db.debian.org]] or by using DebianMan:finger (from the [[DebianPkg:finger]] package):|
|Line 63:||Line 71:|
|Line 66:||Line 75:|
|Line 68:||Line 78:|
|Line 69:||Line 80:|
The Debian Keyring is the keyring that contains those OpenPGP keys which belong to Debian Developers, those with unrestricted upload privileges to the Debian archives.
All work in Debian is performed by developers that can be identified. For those using Debian to be able to trust Debian, we feel it is important that our users can identify those that are working on the project and that development is as transparent as is possible.
When joining the Debian project, developers need to identify themselves by providing an OpenPGP key that is signed by at least two existing members of the project. Contributions to the Debian archive are cryptographically signed using the developer's OpenPGP key to protect against forgeries.
As the Debian Project has evolved, two other keyrings have been created to manage the keys for those members of the project that are "non-uploading", that is they do not have privileges to upload to the archives but are in every other way full members of the project, and those of Debian Maintainers, developers that are not yet members of the project but have been granted limited upload privileges.
These keyrings are maintained by the keyring-maint team.
Here there are a selected few options listed for obtaining keys from the Debian Keyrings. See the public key server homepage for more information on other methods of obtaining keys. The canonical means of obtaining keys, for the most up to date version of the keyrings, is to use rsync.
The public key server also provides the full keyring via anonymous rsync in the 'keyrings' module, e.g.:
rsync -az --progress keyring.debian.org::keyrings/keyrings/ .
Via the Debian Archive
The keyrings maintained by the keyring-maint team are packaged in Debian as debian-keyring. This package is often not the most up to date version of the keyring, though it can be a good way to bootstrap trust if you trust the media you installed Debian from as the package will be verified using GnuPG when it is downloaded and installed. The installed keyrings are placed in /usr/share/keyrings.
Visit Debian package tracker for information about when the keyring package was updated. Using an update interval of about 5 or 6 weeks, you have an indicator when the next update is due.
The Web Key Directory protocol is supported for Debian developers who use an @debian.org e-mail address in one of the UIDs on their key.
gpg --locate-keys email@example.com
The public key server at keyring.debian.org provides simple HKP lookup and add requests for Debian developer public keys.
The server may be accessed with gpg by using the --keyserver option in combination with either of the --recv-keys or --send-keys actions:
# Fetch a key from the keyring $ gpg --keyserver keyring.debian.org --recv-key 0xkeyid # Push updates to a key already in the keyring $ gpg --keyserver keyring.debian.org --send-key 0xkeyid
Only keys in the Debian keyrings will be returned by this server and only pre-existing keys will be updated, although a copy of all updates will be forwarded to a keyserver network. The keyrings are also periodically updated from that network.
Note that updates through this server will not be immediately reflected in the keys returned by those mechanisms.
$ finger firstname.lastname@example.org
To limit the finger output to the OpenPGP key of <user>:
finger email@example.com | gpg --list-options show-keyring
Note the /key after the Debian account name. Replace --list-options show-keyring with --import for importing the key.