README.rst - pub/scm/docs/kernel/pgpkeys - Git at Google

 Linux developer PGP keys
 ------------------------

 The purpose of this repository is to help distribute Linux kernel
 developer PGP keys that have valid trust paths to Linus Torvalds.

 There are currently the following directories in this repository:

  - keys/:    ascii-armoured keys
  - graphs/:  svg graphs showing trust paths to Linus Torvalds' key
  - scripts/: auxiliary helper scripts

 Importing keys
 --------------

 Every file in the keys/ directory contains all UIDs, so you can just
 grep for the person you need::

     $ grep -il torvalds *.asc
     79BE3E4300411886.asc

 You can then `gpg --import 79BE3E4300411886.asc` into your keyring.

 Refreshing keys
 ---------------

 First, you should assign full trust to Linus's key::

     $ gpg --edit-key 79BE3E4300411886
     gpg> trust
     gpg> 4
     gpg> q
     $ gpg --check-trustdb

 Now, copy the `scripts/korg-refresh-keys` script to your `~/bin` and
 edit it according to the instructions.

 That script will first verify that the latest commit to the repository
 is signed by a valid key (a key directly signed by you or Linus), and
 then will run a `merge-only` import -- meaning that it will ignore any
 *new* keys added to the git repository and will only refresh keys that
 you already have imported into your keyring.

 Make sure to run `chmod a+x ~/bin/korg-refresh-keys` after you are done.

 The last step is to set up a nightly cronjob by adding this to your
 `crontab -e`::

     @daily ~/bin/korg-refresh-keys -q

 Alternatively, if you are running a systemd-enabled system, set up a
 timer instead::

     $ cat ~/.config/systemd/user/korg-refresh-keys.timer
     [Timer]
     OnCalendar=daily
     Persistent=yes

     [Install]
     WantedBy=sockets.target

     $ cat ~/.config/systemd/user/korg-refresh-keys.service
     [Service]
     ExecStart=%h/bin/korg-refresh-keys -q
     Type=oneshot

     $ systemctl enable --user korg-refresh-keys.timer
     $ systemctl start  --user korg-refresh-keys.timer
     $ systemctl start  --user korg-refresh-keys.service

 Submitting keys to the keyring
 ------------------------------

 If you are in MAINTAINERS or regularly submit patches or pull requests
 to other maintainers, you should consider submitting your own public key
 for inclusion into this repository. Note, that your key should be signed
 by at least one other key already present in this repository in order to
 qualify.

 For now, the easiest way to submit your key is to run the following::

     gpg -a --export your@email.addr | mail -s your@email.addr keys@linux.kernel.org

 If your `mail` command does not deliver mail properly, you can export to
 a file and copy-paste that into the email body instead.

 Note, that anything you send to keys@linux.kernel.org will be archived
 on https://lore.kernel.org/keys.
	Linux developer PGP keys
	------------------------

	The purpose of this repository is to help distribute Linux kernel
	developer PGP keys that have valid trust paths to Linus Torvalds.

	There are currently the following directories in this repository:

	- keys/: ascii-armoured keys
	- graphs/: svg graphs showing trust paths to Linus Torvalds' key
	- scripts/: auxiliary helper scripts

	Importing keys
	--------------

	Every file in the keys/ directory contains all UIDs, so you can just
	grep for the person you need::

	$ grep -il torvalds *.asc
	79BE3E4300411886.asc

	You can then `gpg --import 79BE3E4300411886.asc` into your keyring.

	Refreshing keys
	---------------

	First, you should assign full trust to Linus's key::

	$ gpg --edit-key 79BE3E4300411886
	gpg> trust
	gpg> 4
	gpg> q
	$ gpg --check-trustdb

	Now, copy the `scripts/korg-refresh-keys` script to your `~/bin` and
	edit it according to the instructions.

	That script will first verify that the latest commit to the repository
	is signed by a valid key (a key directly signed by you or Linus), and
	then will run a `merge-only` import -- meaning that it will ignore any
	new keys added to the git repository and will only refresh keys that
	you already have imported into your keyring.

	Make sure to run `chmod a+x ~/bin/korg-refresh-keys` after you are done.

	The last step is to set up a nightly cronjob by adding this to your
	`crontab -e`::

	@daily ~/bin/korg-refresh-keys -q

	Alternatively, if you are running a systemd-enabled system, set up a
	timer instead::

	$ cat ~/.config/systemd/user/korg-refresh-keys.timer
	[Timer]
	OnCalendar=daily
	Persistent=yes

	[Install]
	WantedBy=sockets.target

	$ cat ~/.config/systemd/user/korg-refresh-keys.service
	[Service]
	ExecStart=%h/bin/korg-refresh-keys -q
	Type=oneshot

	$ systemctl enable --user korg-refresh-keys.timer
	$ systemctl start --user korg-refresh-keys.timer
	$ systemctl start --user korg-refresh-keys.service

	Submitting keys to the keyring
	------------------------------

	If you are in MAINTAINERS or regularly submit patches or pull requests
	to other maintainers, you should consider submitting your own public key
	for inclusion into this repository. Note, that your key should be signed
	by at least one other key already present in this repository in order to
	qualify.

	For now, the easiest way to submit your key is to run the following::

	gpg -a --export your@email.addr \| mail -s your@email.addr keys@linux.kernel.org

	If your `mail` command does not deliver mail properly, you can export to
	a file and copy-paste that into the email body instead.

	Note, that anything you send to keys@linux.kernel.org will be archived
	on https://lore.kernel.org/keys.