Debian Administration

Working with Debian GPG Keys

All Debian developers have a Gnu Privacy Guard key which was verified as belonging to them when they joined the project. These keys are used to sign packages before they are uploaded to the main archive, for signing messages on mailing lists, etc.

If you wish to be able to verify signatures of signed messages or archives then you will need to have the key of the person who signed it. These keys could be obtained from the public keyservers, but it's much more efficient to download them en masse.

There are two ways to get the keys of all the Debian developers:

• Install the package debian-keyring.
• Rsync directly from keyring.debian.org

The former solution lags behind a little, so it's usually best to get the keys direct from the Debian keyserver if possible.

To do that you should decide where you would like to place them. I place mine inside a directory in my home area called ".debian-keyring".

Once you've done that you can run the following command:

rsync -qcltz --block-size=8192 --partial --progress --exclude=emeritus-* --exclude=removed-* \
keyring.debian.org::keyrings/keyrings/* ~/.debian-keyring

This will download, or update, the keyring files inside ~/.debian-keyring/ - assuming you have the rsync package installed.

Once you have downloaded the keyfiles themselves you'll need to tell your installed version of gpg to use them.

To do that you need to add the following lines to the end of ~/.gnupg/gpg.conf:

keyring ~/.debian-keyring/debian-keyring.pgp
keyring ~/.debian-keyring/debian-keyring.gpg

This will cause your copy of gpg to load and understand the keyring files you've downloaded - you can test that you have a bigger keyring by running:

gpg --list-keys

Or if you want to see a specific key, such as mine, by running:

gpg --list-key skx@debian.org

Add Comment Printable version

 

<<< Mounting encrypted volumes Preventing /tmp from being cleaned on reboot >>>