Kernel developer PGP keyring
============================

If you regularly contribute code to the Linux kernel, you are encouraged
to submit your key to be included in the PGP keyring repository. For us
to be able to accept it, it must have at least one signature from
someone whose key is already in that repository, so we can trace each
key's trust lineage to the head maintainer (Linus Torvalds). Use the
:doc:`ksmap` to find developers who can sign your key.

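
The signature requirement above is what makes a trust path possible: every
accepted key is certified by a key already in the repository, so a chain of
certifications leads from any key back to Linus' key, which is what the svg
graphs in graphs/ draw. The Python below is an added example, not part of
pgpkeys.git: it runs a breadth-first search over a certification graph to
recover the shortest such chain and applies the acceptance rule. Linus'
fingerprint is the one used on this page; every other fingerprint is a
placeholder invented for the sample, and the function names are the example's
own.

```python
"""Trust-path search over a constructed certification graph.

Added example, not part of pgpkeys.git. Every fingerprint except Linus'
is a placeholder invented for this illustration.
"""
from collections import deque

# Linus Torvalds' key fingerprint, as used on this page.
LINUS = "ABAF11C65A2970B130ABE3C479BE3E4300411886"

# Constructed sample: maps a key fingerprint to the set of fingerprints
# that have certified (signed) it.
SAMPLE_SIGNERS = {
    "FPR_MAINTAINER": {LINUS},
    "FPR_ALICE": {"FPR_MAINTAINER"},
    "FPR_BOB": {"FPR_ALICE", "FPR_MAINTAINER"},
    "FPR_ORPHAN": {"FPR_UNKNOWN"},  # signed only by a key nobody in the ring knows
}


def trust_path(signers_of, start, root=LINUS):
    """Return the shortest chain start -> ... -> root, or None.

    Each key in the chain is certified by the key that follows it, which is
    what the svg graphs in graphs/ draw as a trust path to Linus' key.
    Breadth-first search gives the fewest hops; ties are broken by sorting
    so the result is deterministic.
    """
    if start == root:
        return [root]
    previous = {start: None}
    queue = deque([start])
    while queue:
        key = queue.popleft()
        for signer in sorted(signers_of.get(key, ())):
            if signer in previous:
                continue
            previous[signer] = key
            if signer == root:
                path = [root]
                while previous[path[-1]] is not None:
                    path.append(previous[path[-1]])
                return path[::-1]
            queue.append(signer)
    return None


def accepted_for_keyring(candidate_signers, keyring):
    """The page's acceptance rule: at least one certification must come
    from a key that is already in the repository."""
    return bool(set(candidate_signers) & set(keyring))


def audit(signers_of, root=LINUS):
    """Map every key in the graph to its hop count to root (None if unreachable)."""
    result = {}
    for key in signers_of:
        path = trust_path(signers_of, key, root)
        result[key] = None if path is None else len(path) - 1
    return result


if __name__ == "__main__":
    for key, hops in audit(SAMPLE_SIGNERS).items():
        print(key, "->", "no path" if hops is None else f"{hops} hop(s)")
```

``audit`` over a real keyring would take the certification data exported by
gpg rather than the constructed dictionary; a key that comes back as
unreachable is exactly the case the acceptance rule is meant to keep out of
the repository.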
Getting the pgpkeys.git repository
----------------------------------

You can clone the repository from the following location:

- https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git

There are currently the following directories in this repository:

- keys/: ascii-armoured keys
- graphs/: svg graphs showing trust paths to Linus Torvalds' key
- scripts/: auxiliary helper scripts

Importing keys
--------------

Every file in the keys/ directory contains all UIDs belonging to each
key, so you can just grep for the person you need::

    $ grep -il torvalds *.asc
    79BE3E4300411886.asc

You can then ``gpg --import 79BE3E4300411886.asc`` into your keyring.
Alternatively, you can import all keys at once by running
``gpg --import keys/*.asc``.

Automatically refreshing keys
-----------------------------

First, you should assign full trust to Linus's key (after importing it
into your keyring)::

    $ gpg --import keys/79BE3E4300411886.asc
    $ gpg --edit-key ABAF11C65A2970B130ABE3C479BE3E4300411886
    gpg> trust
    gpg> 4
    gpg> q
    $ gpg --check-trustdb

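
The file name found by the grep above (79BE3E4300411886.asc) is the long key
ID, that is, the last 16 hex digits of the full fingerprint passed to
``gpg --edit-key`` in the trust step. The Python below is an added example,
not code from pgpkeys.git: it parses an armoured public key block directly,
verifies the armour CRC-24, derives the v4 fingerprint and the UIDs from the
packet stream, and checks that a keys/<keyid>.asc name agrees with the key it
holds. The sample key it builds is constructed for the example with fake MPIs
and no self-signature, so it parses but is not a usable key; the function
names are the example's own.

```python
"""Inspect an ASCII-armoured OpenPGP public key without calling gpg.
Added example, not code from pgpkeys.git: verifies the armour CRC-24, parses the
packet stream, derives the v4 fingerprint and UIDs, and checks that a
keys/<keyid>.asc file name matches the key inside. Sample key is constructed."""
import base64
import hashlib
import struct

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (the armour checksum)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Base64-decode the key block and verify its CRC; text before the block is ignored."""
    lines = [line.strip() for line in text.splitlines()]
    b64, crc_b64 = [], None
    for line in lines[lines.index(ARMOR_BEGIN) + 1:]:  # ValueError if there is no block
        if line.startswith("-----END"):
            break
        if not line or ":" in line:  # blank separator or "Comment:"-style armour header
            continue
        if line.startswith("="):
            crc_b64 = line[1:]
        else:
            b64.append(line)
    data = base64.b64decode("".join(b64))
    if crc_b64 is None or int.from_bytes(base64.b64decode(crc_b64), "big") != crc24(data):
        raise ValueError("armour CRC mismatch: block corrupted or tampered with")
    return data

def iter_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {pos}")
        if ctb & 0x40:  # new format: tag in low 6 bits, variable-width length
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos + 2:pos + 6])[0], pos + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: tag in bits 2-5, length width chosen by bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            width = {0: 1, 1: 2, 2: 4}[ltype]  # ltype 3 (indeterminate) unsupported -> KeyError
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + width], "big"), pos + 1 + width
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        pos += length

def describe_key(armored: str) -> dict:
    """Fingerprint, long key ID and UIDs of the primary key in the block."""
    fingerprint, uids = None, []
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6 and fingerprint is None:  # primary Public-Key packet
            if body[0] != 4:
                raise ValueError("only v4 keys are handled here")
            # RFC 4880 section 12.2: SHA-1 over 0x99, two-octet body length, body
            digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
            fingerprint = digest.hexdigest().upper()
        elif tag == 13:  # User ID packet
            uids.append(body.decode("utf-8"))
    if fingerprint is None:
        raise ValueError("no Public-Key packet in block")
    return {"fingerprint": fingerprint, "keyid": fingerprint[-16:], "uids": uids}

def filename_matches(filename: str, armored: str) -> bool:
    """True when keys/<keyid>.asc is named after the key it actually contains."""
    return filename.rsplit(".", 1)[0].upper() == describe_key(armored)["keyid"]

def build_sample_key(uids, created=1_600_000_000) -> str:
    """CONSTRUCTED v4 RSA key: tiny fake MPIs, no self-signature, old-format headers."""
    def mpi(v):
        return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
    def packet(tag, body):
        return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body
    key = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(0xC0FFEEDEADBEEF) + mpi(65537)
    data = packet(6, key) + b"".join(packet(13, u.encode("utf-8")) for u in uids)
    body, crc = base64.b64encode(data).decode(), base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_BEGIN, ""] + [body[i:i + 64] for i in range(0, len(body), 64)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])
```

Against a real file from keys/ the check is ``filename_matches(name,
open(path).read())``. A file whose computed key ID does not match its name, or
whose armour CRC fails, is a reason to stop and ask on keys@linux.kernel.org
rather than import it.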
Now, copy the ``scripts/korg-refresh-keys`` script to your ``~/bin`` and
edit it according to the instructions.

That script will first verify that the latest commit to the repository
is signed by a valid key (a key directly signed by you or Linus), and
will only process any changes if the commit signature validates.

By default, ``korg-refresh-keys`` will run a "merge-only" import --
meaning that it will ignore any *new* keys added to the git repository
and will only refresh keys that you already have imported into your
keyring. If you would like to automatically import all new keys as they
are added, remove ``--import-options merge-only`` from the
``IMPORTFLAGS`` variable.

Make sure to run ``chmod a+x ~/bin/korg-refresh-keys`` after you are
done editing the file.

The last step is to set up a nightly cronjob by adding this to your
``crontab -e``::

    @daily ~/bin/korg-refresh-keys -q

Alternatively, if you are running a systemd-enabled system, set up a
timer instead::

    $ cat ~/.config/systemd/user/korg-refresh-keys.timer
    [Timer]
    OnCalendar=daily
    Persistent=yes

    [Install]
    WantedBy=timers.target

    $ cat ~/.config/systemd/user/korg-refresh-keys.service
    [Service]
    ExecStart=%h/bin/korg-refresh-keys -q
    Type=oneshot

    $ systemctl enable --user korg-refresh-keys.timer
    $ systemctl start --user korg-refresh-keys.timer
    $ systemctl start --user korg-refresh-keys.service

Submitting keys to the keyring
------------------------------

If your key is *not already* in the kernel.org keyring, do the
following::

    gpg -a --export your@email.addr > export.asc

Send a message to keys@linux.kernel.org with that file as an attachment.
You should also upload that file to https://keys.openpgp.org/upload/ to
have it listed on the openpgp.org keyserver.

Note that anything you send to keys@linux.kernel.org will be archived
on https://lore.kernel.org/keys for record-keeping purposes.

Updating keys in the keyring
----------------------------

If you've made any changes to your key, please export it again::

    gpg -a --export your@email.addr > export.asc

Then upload export.asc to https://keys.openpgp.org/upload/. We perform
periodic updates to pgpkeys.git with the latest key data from
keys.openpgp.org.

If the update is urgent, such as when you need to revoke a key or update
the expiration date on a key that's about to expire, follow the
"Submitting keys to the keyring" procedure described above.