Kernel developer PGP keyring¶
If you regularly contribute code to the Linux kernel, you are encouraged to submit your key to be included in the PGP keyring repository. For us to be able to accept it, it must have at least one signature from someone whose key is already in that repository, so we can trace each key’s trust lineage to the head maintainer (Linus Torvalds).
Getting the pgpkeys.git repository¶
You can clone the repository from the following location:
There are currently the following directories in this repository:
- keys/: ascii-armoured keys
- graphs/: svg graphs showing trust paths to Linus Torvalds’ key
- scripts/: auxiliary helper scripts
Every file in the keys/ directory contains all UIDs belonging to each key, so you can just grep for the person you need:
$ grep -il torvalds *.asc 79BE3E4300411886.asc
You can then
gpg --import 79BE3E4300411886.asc into your keyring.
Alternatively, you can import all keys at once by running
Automatically refreshing keys¶
First, you should assign full trust to Linus’s key (after importing it into your keyring):
$ gpg --import keys/79BE3E4300411886.asc $ gpg --edit-key 79BE3E4300411886 gpg> trust gpg> 4 gpg> q $ gpg --check-trustdb
Now, copy the
scripts/korg-refresh-keys script to your
edit it according to the instructions.
That script will first verify that the latest commit to the repository is signed by a valid key (a key directly signed by you or Linus), and will only process any changes if the commit signature validates.
korg-refresh-keys will run a “merge-only” import –
meaning that it will ignore any new keys added to the git repository
and will only refresh keys that you already have imported into your
keyring. If you would like to automatically import all new keys as they
are added, remove
--import-options merge-only from the
Make sure to run
chmod a+x ~/bin/korg-refresh-keys after you are
done editing the file.
The last step is to set up a nightly cronjob by adding this to your
@daily ~/bin/korg-refresh-keys -q
Alternatively, if you are running a systemd-enabled system, set up a timer instead:
$ cat ~/.config/systemd/user/korg-refresh-keys.timer [Timer] OnCalendar=daily Persistent=yes [Install] WantedBy=sockets.target $ cat ~/.config/systemd/user/korg-refresh-keys.service [Service] ExecStart=%h/bin/korg-refresh-keys -q Type=oneshot $ systemctl enable --user korg-refresh-keys.timer $ systemctl start --user korg-refresh-keys.timer $ systemctl start --user korg-refresh-keys.service
Submitting keys to the keyring¶
If your key is not already in the kernel.org keyring, do the following:
gpg -a --export email@example.com > export.asc
Send a message to firstname.lastname@example.org with that file as attachment.
You should also upload that file to https://keys.openpgp.org/upload/ to have it listed on the openpgp.org keyserver.