README for the debian-keyring package
=====================================

Introduction
------------

The Debian project wants developers to digitally sign the announcements of
their packages, to protect against forgeries. The Debian project maintains
GPG (GNU Privacy Guard) and PGP keyrings with keys of Debian developers.
This is the README for these keyrings.

Background: PGP and GPG
-----------------------

PGP (Pretty Good Privacy) is currently the most widely used public key
cryptography program. Unfortunately, it uses patented algorithms (the RSA
algorithm (asymmetric) and the IDEA algorithm (symmetric)), making a
DFSG-free implementation impossible.

GPG (GNU Privacy Guard; http://www.gnupg.org/) is a DFSG-free cryptography
program which is based on the same concepts as PGP, but which uses
unencumbered cryptographic algorithms.

Getting debian-keyring.{gpg,pgp}
--------------------------------

The current versions of debian-keyring.pgp and debian-keyring.gpg are always
available via rsync from keyring.debian.org (module keyrings). There is also
a (possibly slightly out-of-date) version available on your nearest Debian
mirror in debian/doc/debian-keyring.tar.gz and as the debian-keyring package.

The rsync area on keyring.debian.org is the canonical location for the
keyrings and it is what the Debian installer program (dinstall) uses. If your
key is available from there, it will be seen by dinstall. The tarball and
Debian package are provided for user convenience and are not necessarily in
sync with keyring.debian.org.

The tarball contains the keyrings, a signed copy of the keyring md5sums and
this README. The keyring md5sums will be signed by James Troup.
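Before installing keyrings fetched from a mirror or the rsync area, check the signature on the md5sums list and then check each keyring against it. The following is an added example, not code from the debian-keyring package: it assumes the unpacked directory holds an md5sum(1)-style file named `md5sums` with a detached signature `md5sums.asc` (both names are guesses), and that `trusted_keyring` points at a keyring you already trust.

```python
import hashlib
import os
import subprocess

# Assumed layout of the unpacked tarball (names are this example's guess, not
# taken from the README): the keyrings, an md5sum(1)-format "md5sums" list
# ("<32 hex digits>  <filename>") and a detached signature on that list.
MD5SUMS_NAME = "md5sums"
SIGNATURE_NAME = "md5sums.asc"


def parse_md5sums(text):
    """Parse md5sum(1) output into {filename: lowercase hexdigest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            raise ValueError("malformed md5sums line: %r" % line)
        # md5sum prefixes binary-mode file names with '*'; drop it.
        entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_md5sums(directory):
    """Return (ok, bad): listed files whose digest matches, and those that
    do not. A listed file that is missing also counts as bad."""
    with open(os.path.join(directory, MD5SUMS_NAME)) as f:
        expected = parse_md5sums(f.read())
    ok, bad = [], []
    for name, digest in sorted(expected.items()):
        path = os.path.join(directory, name)
        matches = os.path.isfile(path) and md5_of_file(path) == digest
        (ok if matches else bad).append(name)
    return ok, bad


def signature_is_valid(directory, trusted_keyring):
    """Verify the md5sums signature with gpg against a keyring you already
    trust, never the one being installed (it could then vouch for itself)."""
    cmd = ["gpg", "--no-default-keyring", "--keyring", trusted_keyring,
           "--verify", os.path.join(directory, SIGNATURE_NAME),
           os.path.join(directory, MD5SUMS_NAME)]
    return subprocess.run(cmd, capture_output=True).returncode == 0
```

Run `signature_is_valid` first and refuse the keyrings if it returns False; only then does a clean `bad` list from `check_md5sums` mean anything.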
Using the debian-keyring with gpg
---------------------------------

Add these lines to the bottom of your ~/.gnupg/options file:

    keyring /usr/share/keyrings/debian-keyring.gpg
    keyring /usr/share/keyrings/debian-keyring.pgp

NOTE: The RSA patent expired in September 2000, and so GPG (as of version
1.0.3) has built-in support for RSA keys. If you are using an older version
of GPG, you will also need the gpg-rsa package in order to be able to use
debian-keyring.pgp.

Alternately, you can use "gpg --import" or "pgp -ka" to add the keys in a
keyring to your personal keyring. You will have to do this every time the
keyrings are updated though, so the above method is usually preferred.

It is also possible to use public keyservers on the net directly. This
requires that you have a working internet connection. Add a line to your
~/.gnupg/options file such as:

    keyserver wwwkeys.pgp.net

or

    keyserver keyring.debian.org

Generate a key pair
-------------------

GPG and PGP are used for security, and security can be a bit tricky. Please
read the PGP manual (in /usr/doc/pgp on Debian) before generating a key pair.
The actual generation is trivial. You must use at least 1024 bits. The Debian
project will only accept new key pairs if they are GPG keys.

(It's a key pair, because GPG and PGP use public key cryptography. One of the
keys is private, one is public. This is all explained in the PGP manuals.)

You should also generate a revocation certificate, and store it in a safe
place in case you forget your pass phrase or lose your key(s).

Exchange key signatures with other people
-----------------------------------------

If at all possible, meet other Debian developers in person and sign each
other's keys. Geographical and economical challenges often make this
impossible, but if you can do it, please do.

Signing keys means verifying that the key and the user name belong together.
The signatures can allow other people to trust the key.
(This is the "web of trust" stuff the PGP manual explains.)

Also exchange key signatures with many other PGP/GPG users. It all helps to
expand and strengthen the PGP/GPG web of trust.

Do *NOT* sign other people's keys unless you have met that person face to
face in real life and seen a good form of ID (e.g. passport, driver's
license) to ensure that the person is who they say they are.

Getting your key into the Debian keyring
----------------------------------------

If you are an old Debian developer who hasn't uploaded packages for a long
time, and your key is not in the keyring, send a mail to
keyring-maint@debian.org explaining the situation and including your public
PGP key.

All new maintainers should apply to new-maintainer@debian.org, and your
key(s) will be added to the keyring as part of the admission process.

Updating your key(s)
--------------------

There is a keyserver running on keyring.debian.org; please send any updates
of existing keys there, e.g.:

    $ gpg --keyserver=keyring.debian.org --send-keys 0x0123ABCD

To add a new key or remove an existing one, please send mail to
keyring-maint@debian.org.

What the keyrings are
---------------------

 o debian-keyring.{gpg,pgp}

   This is the canonical Debian keyring. Anyone who has a key in here is a
   Debian developer.

 o extra-keys.pgp

   These are extra keys used for verification purposes (usually of new
   Debian maintainers). They don't go into the main keyring because PGP keys
   are deprecated and no new PGP keys are being added to the PGP keyring.

 o removed-keys.{pgp,gpg}

   These are keys that have been removed from the main keyrings for various
   reasons. Keys in here could have been duplicates or keys belonging to
   developers who have left the project etc. These keyrings are not
   available in the debian-keyring package, only in the tarball or via
   rsync. This keyring exists for two reasons only: 1) reference and 2) to
   make it easier to handle developers who rejoin Debian.
   It is very strongly recommended that you do not use or trust keys in this
   keyring for verification purposes.

Signing your GPG key with your PGP one
--------------------------------------

If you already have a PGP key, but only now made a GPG key, you must sign
your GPG key with your PGP one. This can be done as follows:

 o If you have a version of gpg older than 1.0.3 (without RSA support), get
   the gpg-rsa (or gpg-rsaref, if you live in the US) package and install
   it. Newer versions of GPG have RSA support included, as the RSA patent
   expired in September 2000. You will also need the gpg-idea package
   regardless of the GPG version in use.

 o Find your GPG and PGP key IDs using gpg --list-keys and pgp -kv. Read the
   gpg and pgp documentation for more information.

 o Sign your GPG key with your PGP key:

       gpg --load-extension rsa --load-extension idea \
           --secret-keyring ~/.pgp/secring.pgp \
           --keyring ~/.pgp/pubring.pgp \
           --keyring ~/.gnupg/pubring.gpg \
           --default-key 'Your PGP ID' --sign-key 'Your GPG ID'

   If your version of GPG already has RSA included, you may omit the
   --load-extension rsa option.

Acknowledgements
----------------

This README was originally written by Lars Wirzenius, liw@iki.fi. It is now
maintained by James Troup. Contributions by J.H.M. Dassen (Ray), Igor
Grobman, Darren Stalder and Norbert Veber. Many thanks to Brendan O'Dea, who
set up and wrote support scripts for the keyserver on keyring.debian.org.