Linux developer PGP keys
The purpose of this repository is to help distribute Linux kernel developer PGP keys that have valid trust paths to Linus Torvalds.
There are currently the following directories in this repository:
- keys/: ascii-armoured keys
- graphs/: svg graphs showing trust paths to Linus Torvalds' key
- scripts/: auxiliary helper scripts
Importing keys
Every file in the keys/ directory contains all UIDs, so you can just grep for the person you need:
$ grep -il torvalds *.asc 79BE3E4300411886.asc
You can then gpg --import 79BE3E4300411886.asc into your keyring.
Refreshing keys
First, you should assign full trust to Linus's key:
$ gpg --edit-key 79BE3E4300411886 gpg> trust gpg> 4 gpg> q $ gpg --check-trustdb
Now, copy the scripts/korg-refresh-keys script to your ~/bin and edit it according to the instructions.
That script will first verify that the latest commit to the repository is signed by a valid key (a key directly signed by you or Linus), and then will run a merge-only import -- meaning that it will ignore any new keys added to the git repository and will only refresh keys that you already have imported into your keyring.
Make sure to run chmod a+x ~/bin/korg-refresh-keys after you are done.
The last step is to set up a nightly cronjob by adding this to your crontab -e:
@daily ~/bin/korg-refresh-keys -q
Alternatively, if you are running a systemd-enabled system, set up a timer instead:
$ cat ~/.config/systemd/user/korg-refresh-keys.timer [Timer] OnCalendar=daily Persistent=yes [Install] WantedBy=sockets.target $ cat ~/.config/systemd/user/korg-refresh-keys.service [Service] ExecStart=%h/bin/korg-refresh-keys -q Type=oneshot $ systemctl enable --user korg-refresh-keys.timer $ systemctl start --user korg-refresh-keys.timer $ systemctl start --user korg-refresh-keys.service
Submitting keys to the keyring
If you are in MAINTAINERS or regularly submit patches or pull requests to other maintainers, you should consider submitting your own public key for inclusion into this repository. Note, that your key should be signed by at least one other key already present in this repository in order to qualify.
For now, the easiest way to submit your key is to run the following:
gpg -a --export your@email.addr | mail -s your@email.addr keys@linux.kernel.org
If your mail command does not deliver mail properly, you can export to a file and copy-paste that into the email body instead.
Note, that anything you send to keys@linux.kernel.org will be archived on https://lore.kernel.org/keys.