README for the debian-keyring package
=====================================


Introduction
------------

The Debian project wants developers to digitally sign the
announcements of their packages, to protect against forgeries.  The
Debian project maintains GPG (GNU Privacy Guard) and PGP keyrings with
keys of Debian developers.  This is the README for these keyrings.


Background: PGP and GPG
-----------------------

PGP (Pretty Good Privacy) is currently the most widely used public key
cryptography program. Unfortunately, it uses patented algorithms (the
RSA algorithm (asymmetric) and the IDEA algorithm (symmetric)), making
a DFSG-free implementation impossible. GPG (GNU Privacy Guard;
http://www.gnupg.org/) is a DFSG-free cryptography program which is
based on the same concepts as PGP, but which uses unencumbered
cryptographic algorithms.


Getting debian-keyring.{gpg,pgp}
--------------------------------

The current versions of debian-keyring.pgp and debian-keyring.gpg are
always available via rsync from keyring.debian.org (module keyrings).

There is also a (possibly slightly out-of-date) version available on
your nearest Debian mirror in debian/doc/debian-keyring.tar.gz and as
the debian-keyring package.

The rsync area on keyring.debian.org is the canonical location for
keyrings and it is what the Debian installer program (dinstall) uses.
If your key is available from there, it will be seen by dinstall.  The
tarball and Debian package are provided for user convenience and are
not necessarily in sync with keyring.debian.org.

The tarball contains the keyrings, a signed copy of the keyring md5sums
and this README.  The keyring md5sums will be signed by James Troup.
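The following script is an added example, not part of the debian-keyring package: it verifies a downloaded tarball the way the paragraph above implies, checking the signature on the keyring md5sums against a keyring you already trust before trusting the new keyrings themselves.  It assumes the unpacked tarball contains a file named md5sums and a detached signature md5sums.asc (constructed names; check what your tarball actually ships), and that a previously trusted keyring is at $TRUSTED_KEYRING.

```shell
#!/bin/sh
# Added example (not from the debian-keyring package).  Assumed file names:
# "md5sums" and its detached signature "md5sums.asc" inside the tarball.
TRUSTED_KEYRING="${TRUSTED_KEYRING:-/usr/share/keyrings/debian-keyring.gpg}"

# Verify the detached signature on md5sums using ONLY the trusted keyring
# (--no-default-keyring), so a key that merely appears in the freshly
# downloaded keyring cannot vouch for the download it came with.
verify_md5sums_signature() {
    dir="$1"
    gpg --no-default-keyring --keyring "$TRUSTED_KEYRING" \
        --verify "$dir/md5sums.asc" "$dir/md5sums"
}

# Check every file listed in md5sums.  Returns non-zero if any hash differs
# or a listed file is missing; md5sum(1) prints a per-file status.
check_md5sums() {
    dir="$1"
    ( cd "$dir" && md5sum -c md5sums )
}

# Unpack the tarball into a scratch directory, verify the signature on the
# md5sums, then verify the keyrings against the md5sums.  Returns 0 only if
# both steps succeed; the scratch directory is removed either way.
verify_keyring_tarball() {
    tarball="$1"
    workdir=$(mktemp -d) || return 1
    if ! tar -xzf "$tarball" -C "$workdir"; then
        rm -rf "$workdir"
        return 1
    fi
    # The tarball unpacks into a single top-level directory; locate it.
    dir=$(find "$workdir" -mindepth 1 -maxdepth 1 -type d | head -n 1)
    verify_md5sums_signature "$dir" && check_md5sums "$dir"
    status=$?
    rm -rf "$workdir"
    return $status
}
```

Run it as `verify_keyring_tarball debian-keyring.tar.gz` after sourcing the file; a non-zero exit means either the signature or a checksum did not verify and the keyrings should not be installed.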

Using the debian-keyring with gpg
---------------------------------

Add these lines to the bottom of your ~/.gnupg/options file:

keyring /usr/share/keyrings/debian-keyring.gpg
keyring /usr/share/keyrings/debian-keyring.pgp

NOTE: The RSA patent expired in September, 2000, and so GPG (as of version
      1.0.3) has built-in support for RSA keys.  If you are using an older
      version of GPG, you will also need the gpg-rsa package in order to be
      able to use debian-keyring.pgp.

Alternately, you can use "gpg --import" or "pgp -ka" to add the keys in a
keyring to your personal keyring.  You will have to do this every time the
keyrings are updated though, so the above method is usually preferred.

It is also possible to use public keyservers on the net directly.  This
requires that you have a working internet connection.
Add a line to your ~/.gnupg/options file such as:

keyserver wwwkeys.pgp.net

or

keyserver keyring.debian.org

Generate a key pair
-------------------

GPG and PGP are used for security, and security can be a bit
tricky. Please read the PGP manual (in /usr/doc/pgp on Debian) before
generating a key pair. The actual generation is trivial. You must use
at least 1024 bits.

The Debian project will only accept new key pairs if they are GPG
keys.

(It's a key pair, because GPG and PGP use public key cryptography.
One of the keys is private, one is public. This is all explained in
the PGP manuals.)

You should also generate a revocation certificate, and store it in a safe
place in case you forget your pass phrase or lose your key(s).

Exchange key signatures with other people
-----------------------------------------

If at all possible, meet other Debian developers in person and sign
each other's keys. Geographical and economical challenges often make
this impossible, but if you can do it, please do.  Signing keys means
verifying that the key and the username belong together. The
signatures can allow other people to trust the key. (This is the "web
of trust" stuff the PGP manual explains about.)

Also exchange key signatures with many other PGP/GPG users. It all
helps to expand and strengthen the PGP/GPG web of trust.

Do *NOT* sign other people's key unless you have met that person face
to face in real life and seen a good form of ID (e.g. passport,
driver's license) to ensure that the person is who they say they are.


Getting your key into the debian keyring
----------------------------------------

If you are an old Debian developer who hasn't uploaded any packages
for a long time, and your key is not in the keyring, send mail to
keyring-maint@debian.org explaining the situation and including your
public PGP key.

All new maintainers should apply to new-maintainer@debian.org, and
your key(s) will be added to the keyring as part of the admission
process.


Updating your key(s)
--------------------

There is a keyserver running on keyring.debian.org, for any updates of
existing keys please send them there, e.g:

  $ gpg --keyserver=keyring.debian.org --send-keys 0x0123ABCD

To add a new key or remove an existing one, please send mail to
keyring-maint@debian.org.


What the keyrings are
---------------------

 o debian-keyring.{gpg,pgp}

    This is the canonical Debian keyring.  Anyone who has a key in here
    is a Debian developer.

 o extra-keys.pgp

    These are extra keys used for verification purposes (usually of new
    Debian maintainers).  They don't go into the main keyring because
    PGP keys are deprecated and no new PGP keys are being added to the
    PGP keyring.

 o removed-keys.{pgp,gpg}

    These are keys that have been removed from the main keyrings for
    various reasons.  Keys in here could have been duplicates or keys
    belonging to developers who have left the project etc.  These
    keyrings are not available in the debian-keyring package, only in
    the tarball or via rsync.

    This keyring exists for two reasons only: 1) reference and 2) to
    make it easier to handle developers who rejoin Debian.  It is very
    strongly recommended that you do not use/trust keys in this keyring
    for verification purposes.

Signing your GPG key with your PGP one
--------------------------------------

If you already have a PGP key, but only now made a GPG key, you must
sign your GPG key with your PGP one. This can be done as follows:

o If you have a version of gpg older than 1.0.3 (without RSA
  support), get the gpg-rsa (or gpg-rsaref, if you live in the US) packages
  and install them.  Newer versions of GPG have RSA support included, as the
  RSA patent expired in September 2000.  You will also need the gpg-idea
  package regardless of the GPG version in use.

o Find your GPG and PGP key IDs using gpg --list-keys and pgp -kv.
  Read the gpg and pgp documentation for more information.

o Sign your GPG key with your PGP key:
        gpg --load-extension rsa --load-extension idea \
            --secret-keyring ~/.pgp/secring.pgp \
            --keyring ~/.pgp/pubring.pgp \
            --keyring ~/.gnupg/pubring.gpg \
            --default-key 'Your PGP ID' --sign-key 'Your GPG ID'

  If your version of GPG already has RSA included, you may omit the
  --load-extension rsa option.

Acknowledgements
----------------

This README was originally written by Lars Wirzenius, liw@iki.fi.  Now
maintained by James Troup <james@nocrew.org>.  Contributions by
J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl>, Igor Grobman
<igor@debian.org>, Darren Stalder <torin@daft.com> and Norbert Veber
<nveber@primusolutions.net>.

Many thanks to Brendan O'Dea <bod@debian.org> who setup and wrote
support scripts for the keyserver on keyring.debian.org.

