Debian Public Key Server
This public key server provides simple HKP lookup and add requests for Debian developer and maintainer public keys.
The server may be accessed with gpg by using the --keyserver option in combination with either of the --recv-keys or --send-keys actions.
Please note that this server is meant only for basic key retrieve/update operations, and does not implement search functionality. To search for a specific Debian Developer, use the Developer LDAP Search interface.
Only keys in the Debian keyrings (i.e. those for DDs and DMs) will be returned by this server, and only pre-existing keys will be updated.
You can use the keyring server for the following purposes:
- Fetch a key
- Once you know the key's ID, just ask the server for it:
$ gpg --keyserver keyring.debian.org --recv-keys 0x2404C9546E145360
Debian keys may also be retrieved by using the form at db.debian.org or:
$ finger user@db.debian.org
- Update your key expiry, add/edit/revoke subkeys or user IDs
- Update your expiry locally first; you can follow this tutorial if you need to. Similarly, add or change subkeys or user IDs as necessary locally. Then, just send your updated key:
$ gpg --keyserver keyring.debian.org --send-keys 0x2404C9546E145360
gpg: sending key 0x2404C9546E145360 to hkp server keyring.debian.org
You can check the result with --recv-keys, but note it can take up to 15 minutes for your submission to be processed. Your updated key will then be included into the active keyring in our next keyring push (which happens approx. monthly).
- Sign somebody's key
- Please don't sign another person's key and upload it to a keyring server!
We recommend that you follow a protocol that ensures the other person has actual control of the e-mail addresses listed in their key. The most common tool used in Debian to do this is caff, in the signing-party package.
- Add new signatures to your key
- Receive and add the signatures to your local key, and just push it to our server:
$ gpg --keyserver keyring.debian.org --send-keys 0x2404C9546E145360
gpg: sending key 0x2404C9546E145360 to hkp server keyring.debian.org
New signatures will be included in our next keyring push (which happens approx. monthly).
- Replace your key
- To replace an existing key or remove a key from the Debian keyring, file an RT request by sending email to keyring@rt.debian.org with the words 'Debian RT' somewhere in the subject line (case doesn't matter, and please remember to include something descriptive as well). Unfortunately RT mangles PGP/MIME so you need to put any signatures inline (more information regarding inline-signing). If you are replacing a key, you should read the rules for key replacement in the Debian keyring. New keys should be larger than 1024 bits and capable of hashes stronger than SHA1; see the GnuPG key creation guide.
- Revoke a key
- If you have any reason to believe your key has been compromised, or there is any strong reason for you to stop trusting your key, do upload your revocation certificate right away to the keyserver, and file an RT request as described above. We will act as quickly as possible.
- Retire from Debian
- As described in the Debian Developers' Reference, in order to properly retire from Debian, you should:
- Orphan all your packages.
- Send a gpg-signed email announcing your retirement to <debian-private@lists.debian.org>.
- Notify the Debian key ring maintainers that you are leaving by opening a ticket in Debian RT by sending a mail to <keyring@rt.debian.org> with the words 'Debian RT' somewhere in the subject line (case doesn't matter).
- If you received mail via a @debian.org e-mail alias (e.g. press@debian.org) and would like to be removed, open an RT ticket for the Debian System Administrators. Just send an e-mail to <admin@rt.debian.org> with "Debian RT" somewhere in the subject, stating which aliases you'd like to be removed from.
To update a key that is already present in the keyring (say, for updating the expiry date, adding identities/subkeys, or uploading more signatures), just send it via HKP (i.e. with --send-keys under gpg). Note that we will not automatically import any information from the public keyserver network. Updates need to be sent to keyring.debian.org directly as described above.
Updated keys sent via HKP will be folded into the active Debian keyring at least once a month.
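As an added example (not part of the original page and not Debian tooling), the sketch below audits GnuPG colon-format output, covering both the expiry check after an update described above and the "larger than 1024 bits" guidance for new keys. The helper name audit_keys and the sample listing are constructed for illustration, applying the size rule only to RSA, Elgamal and DSA is an assumption, and hash preferences are not checked.

```shell
#!/bin/sh
# Added example (not Debian tooling): audit primary keys in GnuPG colon output.
# Real use:
#   gpg --with-colons --list-keys 0x2404C9546E145360 | audit_keys "$(date +%s)"

# Constructed sample listing (not real keys), trimmed to the leading fields.
# Colon-format fields used: 1=record type, 3=key length, 4=public-key
# algorithm, 5=key ID, 7=expiry as seconds since the epoch (empty = none).
SAMPLE_LISTING='pub:u:1024:17:AAAAAAAAAAAAAAAA:1100000000:::u:
pub:u:4096:1:BBBBBBBBBBBBBBBB:1500000000:1900000000::u:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1500000000:1900000000:::
pub:u:255:22:DDDDDDDDDDDDDDDD:1600000000:1700000000::u:'

# audit_keys NOW_EPOCH  (hypothetical helper; reads the listing on stdin)
# Prints: KEYID ALGO BITS SIZE-VERDICT EXPIRY-VERDICT, one line per primary key.
audit_keys() {
  awk -F: -v now="$1" '
    $1 != "pub" { next }   # primary keys only; skip sub, uid, fpr records
    {
      bits = $3 + 0; algo = $4; expiry = $7
      # Assumption: the "larger than 1024 bits" rule is applied only to
      # RSA (1), Elgamal (16) and DSA (17); ECC lengths are not comparable.
      if ((algo == 1 || algo == 16 || algo == 17) && bits <= 1024)
        size = "WEAK-SIZE"
      else
        size = "size-ok"
      if (expiry == "")
        life = "no-expiry"
      else if (expiry + 0 <= now + 0)
        life = "EXPIRED"
      else
        life = "expires-in-" int((expiry - now) / 86400) "d"
      print $5, algo, bits, size, life
    }'
}

# Demo on the constructed sample with a fixed "now" so the output is stable.
printf '%s\n' "$SAMPLE_LISTING" | audit_keys 1800000000
```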
Accessing the keyrings
This server also provides the full keyring via anonymous rsync in the 'keyrings' module, e.g.:
rsync -az --progress keyring.debian.org::keyrings/keyrings/ .
Note that updates through this server will not be immediately reflected in the keys returned by those mechanisms. Details of the public interfaces to the keyring and the ways in which they are updated can be found in the keyring workflow documentation.
See www.debian.org for more information about the Debian Project.
keyring.debian.org only deals with keys for Debian project members. Please do not send add requests for your key if you are not an existing DD or DM; the Debian Account Managers will submit the key add request for new members when they successfully complete the New Member process.