Kernel developer PGP keyring

If you regularly contribute code to the Linux kernel, you are encouraged to submit your key to be included in the PGP keyring repository. For us to be able to accept it, it must have at least one signature from someone whose key is already in that repository, so we can trace each key’s trust lineage to the head maintainer (Linus Torvalds).

Getting the pgpkeys.git repository

You can clone the repository from the following location:

There are currently the following directories in this repository:

  • keys/: ascii-armoured keys
  • graphs/: svg graphs showing trust paths to Linus Torvalds’ key
  • scripts/: auxiliary helper scripts

Importing keys

Every file in the keys/ directory contains all UIDs belonging to each key, so you can just grep for the person you need:

$ grep -il torvalds *.asc
79BE3E4300411886.asc

You can then gpg --import 79BE3E4300411886.asc into your keyring.

Alternatively, you can import all keys at once by running gpg --import keys/*.asc.

Automatically refreshing keys

First, you should assign full trust to Linus’s key (after importing it into your keyring):

$ gpg --import keys/79BE3E4300411886.asc
$ gpg --edit-key ABAF11C65A2970B130ABE3C479BE3E4300411886
gpg> trust
gpg> 4
gpg> q
$ gpg --check-trustdb

Now, copy the scripts/korg-refresh-keys script to your ~/bin and edit it according to the instructions.

That script will first verify that the latest commit to the repository is signed by a valid key (a key directly signed by you or Linus), and will only process any changes if the commit signature validates.

By default, korg-refresh-keys will run a “merge-only” import – meaning that it will ignore any new keys added to the git repository and will only refresh keys that you already have imported into your keyring. If you would like to automatically import all new keys as they are added, remove --import-options merge-only from the IMPORTFLAGS variable.

Make sure to run chmod a+x ~/bin/korg-refresh-keys after you are done editing the file.

The last step is to set up a nightly cronjob by adding this to your crontab -e:

@daily ~/bin/korg-refresh-keys -q

Alternatively, if you are running a systemd-enabled system, set up a timer instead:

$ cat ~/.config/systemd/user/korg-refresh-keys.timer
[Timer]
OnCalendar=daily
Persistent=yes

[Install]
WantedBy=sockets.target

$ cat ~/.config/systemd/user/korg-refresh-keys.service
[Service]
ExecStart=%h/bin/korg-refresh-keys -q
Type=oneshot

$ systemctl enable --user korg-refresh-keys.timer
$ systemctl start  --user korg-refresh-keys.timer
$ systemctl start  --user korg-refresh-keys.service

Submitting keys to the keyring

If your key is not already in the kernel.org keyring, do the following:

gpg -a --export your@email.addr > export.asc

Send a message to keys@linux.kernel.org with that file as attachment.

You should also upload that file to https://keys.openpgp.org/upload/ to have it listed on the openpgp.org keyserver.

Note, that anything you send to keys@linux.kernel.org will be archived on https://lore.kernel.org/keys for record-keeping purposes.

Updating keys in the keyring

If you’ve made any changes to your key, please export it again:

gpg -a --export your@email.addr > export.asc

Then upload export.asc to https://keys.openpgp.org/upload/. We perform weekly updates to pgpkeys.git with the latest key data from keys.openpgp.org.