Kernel developer PGP keyring
If you regularly contribute code to the Linux kernel, you are encouraged to submit your key to be included in the PGP keyring repository. For us to be able to accept it, it must have at least one signature from someone whose key is already in that repository, so we can trace each key’s trust lineage to the head maintainer (Linus Torvalds).
Getting the pgpkeys.git repository
You can clone the repository from the following location:
There are currently the following directories in this repository:
keys/: ascii-armoured keys
graphs/: svg graphs showing trust paths to Linus Torvalds’ key
scripts/: auxiliary helper scripts
Importing keys
Every file in the keys/ directory contains all UIDs belonging to each key, so you can just grep for the person you need:
$ grep -il torvalds *.asc
79BE3E4300411886.asc
You can then gpg --import 79BE3E4300411886.asc
into your keyring.
Alternatively, you can import all keys at once by running gpg --import
keys/*.asc
.
Automatically refreshing keys
First, you should assign full trust to Linus’s key (after importing it into your keyring):
$ gpg --import keys/79BE3E4300411886.asc
$ gpg --edit-key ABAF11C65A2970B130ABE3C479BE3E4300411886
gpg> trust
gpg> 4
gpg> q
$ gpg --check-trustdb
Now, copy the scripts/korg-refresh-keys
script to your ~/bin
and
edit it according to the instructions.
That script will first verify that the latest commit to the repository is signed by a valid key (a key directly signed by you or Linus), and will only process any changes if the commit signature validates.
By default, korg-refresh-keys
will run a “merge-only” import –
meaning that it will ignore any new keys added to the git repository
and will only refresh keys that you already have imported into your
keyring. If you would like to automatically import all new keys as they
are added, remove --import-options merge-only
from the
IMPORTFLAGS
variable.
Make sure to run chmod a+x ~/bin/korg-refresh-keys
after you are
done editing the file.
The last step is to set up a nightly cronjob by adding this to your
crontab -e
:
@daily ~/bin/korg-refresh-keys -q
Alternatively, if you are running a systemd-enabled system, set up a timer instead:
$ cat ~/.config/systemd/user/korg-refresh-keys.timer
[Timer]
OnCalendar=daily
Persistent=yes
[Install]
WantedBy=sockets.target
$ cat ~/.config/systemd/user/korg-refresh-keys.service
[Service]
ExecStart=%h/bin/korg-refresh-keys -q
Type=oneshot
$ systemctl enable --user korg-refresh-keys.timer
$ systemctl start --user korg-refresh-keys.timer
$ systemctl start --user korg-refresh-keys.service
Submitting keys to the keyring
If your key is not already in the kernel.org keyring, do the following:
gpg -a --export your@email.addr > export.asc
Send a message to keys@linux.kernel.org with that file as attachment.
You should also upload that file to https://keys.openpgp.org/upload/ to have it listed on the openpgp.org keyserver.
Note, that anything you send to keys@linux.kernel.org will be archived on https://lore.kernel.org/keys for record-keeping purposes.
Updating keys in the keyring
If you’ve made any changes to your key, please export it again:
gpg -a --export your@email.addr > export.asc
Then upload export.asc to https://keys.openpgp.org/upload/. We perform weekly updates to pgpkeys.git with the latest key data from keys.openpgp.org.