keyring.debian.org

Debian Public Key Server

This public key server provides simple HKP lookup and add requests for Debian developer and maintainer public keys.

The server may be accessed with gpg by using the --keyserver option in combination with either of the --recv-keys or --send-keys actions.

Please note that this server is meant only for basic key retreive/update operation, and does not implement search functionality. To search for a specific Debian Developer, use the Developer LDAP Search interface.

Only keys in the Debian keyrings (ie those for DDs and DMs) will be returned by this server and only pre-existing keys will be updated.

You can use the keyring server for the following purposes:

Fetch a key

Once you know the key's ID, just ask the server for it:

$ gpg --keyserver keyring.debian.org --recv-keys 0x2404C9546E145360

Debian keys may also be retrieved by using the form at db.debian.org or:

finger user@db.debian.org

Update your key expiry, add/edit/revoke subkeys or user IDs

Update your expiry locally first; you can follow this tutorial if you need. Similarly, add or change subkeys or user IDs as necessary locally. Then, just send your updated key:

$ gpg --keyserver keyring.debian.org --send-keys 0x2404C9546E145360
gpg: sending key 0x2404C9546E145360 to hkp server keyring.debian.org

You can check the result with --recv-keys, but note it can take up to 15 minutes for your submission to be processed. Your updated key will then be included into the active keyring in our next keyring push (which happens approx. monthly).

Sign somebody's key

Please don't sign other person's key and upload to a keyring server!
We recommend you to follow a protocol that ensures the other person has actual control of the e-mail addresses listed in their key. The most common tools used in Debian to do this is caff, in the signing-party package.

Add new signatures to your key

Receive and add the signatures to your local key, and just push it to our server:

$ gpg --keyserver keyring.debian.org --send-keys 0x2404C9546E145360
gpg: sending key 0x2404C9546E145360 to hkp server keyring.debian.org
	

New signatures will be included in our next keyring push (which happens approx. monthly)

Replace your key

To replace an existing key or remove a key from the Debian keyring, file an RT request by sending email to keyring@rt.debian.org with the words 'Debian RT' somewhere in the subject line (case doesn't matter, and please remember to include something descriptive as well). Unfortunately RT mangles PGP/MIME so you need to put any signatures inline (more information regarding inline-signing). If you are replacing a key, you should read the rules for key replacement in the Debian keyring. New keys should be larger than 1024 bits and capable of hashes stronger than SHA1; see the GnuPG key creation guide.

Revoke a key

If you have any reason to believe your key has been compromised, or there is any strong reason for you stop trusting your key, do upload your revocation certificate right away to the keyserver, and file an RT request as described above. We will act as quickly as possible.

Retire from Debian

As described in the Debian Developers' Reference, in order to properly retire from Debian, you should:

1. Orphan all your packages.
2. Send an gpg-signed email announcing your retirement to <debian-private@lists.debian.org>.
3. Notify the Debian key ring maintainers that you are leaving by opening a ticket in Debian RT by sending a mail to <keyring@rt.debian.org> with the words 'Debian RT' somewhere in the subject line (case doesn't matter).
4. If you received mails via a @debian.org e-mail alias (e.g. press@debian.org) and would like to get removed, open a RT ticket for the Debian System Administrators. Just send an e-mail to <admin@rt.debian.org> with "Debian RT" somewhere in the subject stating from which aliases you'd like to get removed.

To update a key that is already present in the keyring (say, for updating the expiry date, adding identities/subkeys, or uploading more signatures), just send it via HKP (ie with --send-keys under gpg). Note that we will not automatically import any information from the public keyserver network. Updates need to be sent to keyring.debian.org directly as described above.

Updated keys sent via HKP will be folded into the active Debian keyring at least once a month.

Accessing the keyrings

This server also provides the full keyring via anonymous rsync in the 'keyrings' module, e.g.:

rsync -az --progress keyring.debian.org::keyrings/keyrings/ .

Note that updates through this server will not be immediately reflected in the keys returned by those mechanisms. Details of the public interfaces to the keyring and the ways in which they are updated can be found in the keyring workflow documentation.

See the www.debian.org for more information about the Debian Project.

keyring.debian.org only deals with keys for Debian project Member. Please do not send add requests for your key if you are not an existing DD or DM; the Debian Account Managers will submit the key add request for new members when they successfully complete the New Member process.