Working with Debian GPG Keys

Posted by Steve on Thu 20 Jan 2005 at 14:00

All Debian developers have a GNU Privacy Guard (GnuPG) key which was verified as belonging to them when they joined the project. These keys are used to sign packages before they are uploaded to the main archive, to sign messages on mailing lists, and so on.

If you wish to verify the signatures on signed messages or archives, you will need the public key of the person who signed them. These keys could be fetched one at a time from the public keyservers, but it's much more efficient to download them en masse.

There are two ways to get the keys of all the Debian developers:

The former solution lags behind a little, so it's usually best to get the keys directly from the Debian keyserver if possible.

To do that you should decide where you would like to place them. I place mine inside a directory in my home area called ".debian-keyring".

Once you've done that you can run the following command:

rsync -qcltz --block-size=8192 --partial --progress --exclude=emeritus-* --exclude=removed-* \
keyring.debian.org::keyrings/keyrings/* ~/.debian-keyring

This will download, or update, the keyring files into ~/.debian-keyring/, assuming you have the rsync package installed.

Once you have downloaded the keyring files themselves, you'll need to tell your installed version of gpg to use them.

To do that you need to add the following lines to the end of ~/.gnupg/gpg.conf:

keyring ~/.debian-keyring/debian-keyring.pgp
keyring ~/.debian-keyring/debian-keyring.gpg

This will cause your copy of gpg to load the downloaded keyrings alongside your own; you can check that your keyring is now much larger by running:

gpg --list-keys

Or, to see a specific key, such as mine, run:

gpg --list-key skx@debian.org
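The setup above is easy to run twice (for example from a cron job that also re-runs the rsync), and each run would append another pair of keyring lines to gpg.conf. The following script is an added example, not part of the original article: it registers the two keyring files idempotently, and shows how to verify a signature against only the downloaded Debian keyring with gpg's --no-default-keyring and --keyring options, which is equivalent to the gpg.conf lines but scoped to a single command. The paths default to the ones used in the article; the function names and the temporary-directory demo at the bottom are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article).
# Register the downloaded Debian keyrings in gpg.conf without creating
# duplicate "keyring" lines when run repeatedly.

# $1: path to gpg.conf, $2: directory holding the downloaded keyring files
add_keyrings_to_gpg_conf() {
    conf="$1"
    dir="$2"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    for file in debian-keyring.pgp debian-keyring.gpg; do
        line="keyring $dir/$file"
        # -x matches the whole line, -F treats it as a fixed string,
        # -q suppresses output; only append when the exact line is absent.
        if ! grep -qxF "$line" "$conf"; then
            printf '%s\n' "$line" >> "$conf"
        fi
    done
}

# Number of "keyring" directives currently in a gpg.conf (prints 0 if none).
count_keyring_lines() {
    grep -c '^keyring ' "$1" || true
}

# Verify a signed file against ONLY the Debian keyring, ignoring your own
# keyring. Returns gpg's exit status: 0 means a good signature from a key
# present in that keyring. $1: keyring file, $2: signed file.
verify_against_keyring() {
    gpg --no-default-keyring --keyring "$1" --verify "$2"
}

# Stand-alone demo in a throwaway directory, so the real ~/.gnupg is untouched.
demo_dir=$(mktemp -d)
add_keyrings_to_gpg_conf "$demo_dir/gpg.conf" "$demo_dir/.debian-keyring"
add_keyrings_to_gpg_conf "$demo_dir/gpg.conf" "$demo_dir/.debian-keyring"
printf 'keyring lines after two runs: %s\n' "$(count_keyring_lines "$demo_dir/gpg.conf")"
cat "$demo_dir/gpg.conf"
rm -rf "$demo_dir"
```

To apply it for real, call add_keyrings_to_gpg_conf "$HOME/.gnupg/gpg.conf" "$HOME/.debian-keyring" after the rsync step; running it again is harmless. verify_against_keyring is the check to use when you want to be sure a signature came from a Debian developer's key rather than from any key that happens to be in your own keyring.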

This article is copyright 2005 Steve - please ask for permission to republish or translate.