content/signature.rst - pub/scm/docs/kernel/website - Git at Google

 Linux kernel releases PGP signatures
 ====================================

 :date: 2016-08-15
 :slug: signature
 :category: Signatures

 All kernel releases are cryptographically signed using OpenPGP-compliant
 signatures. Everyone is strongly encouraged to verify the integrity of
 downloaded kernel releases by verifying the corresponding signatures.

 **Linux kernel releases and all other files distributed via kernel.org
 mirrors are no longer signed by one centrally issued key. You will need
 to rely on the PGP Web of Trust in order to verify the authenticity of
 downloaded archives.**

 Basic concepts
 --------------
 Every kernel release comes with a cryptographic signature from the
 person making the release. This cryptographic signature allows anyone to
 verify whether the files have been modified or otherwise tampered with
 since the developer created and signed them. The signing and
 verification process uses public-key cryptography and it is next to
 impossible to forge a PGP signature without first gaining access to the
 developer's private key. If this does happen, the developers will revoke
 the compromised key and will re-sign all their previously signed
 releases with the new key.

 To learn more about the way PGP works, please consult Wikipedia_.

 .. _Wikipedia: https://en.wikipedia.org/wiki/Pretty_Good_Privacy#How_PGP_encryption_works

 Kernel.org web of trust
 -----------------------
 In order for this section to make sense, you should first familiarize
 yourself with the way PGP Web of Trust works. You can start by reading
 the `Wikipedia article`_ on the subject.

 In a few words, **PGP keys used by members of kernel.org are
 cross-signed by other members of kernel.org** (and, frequently, by many
 other people). If you wanted to verify the validity of any key
 belonging to a member of kernel.org, you could review the list of
 signatures on their public key and then make a decision whether you trust
 that key or not. This article from the GnuPG manual is a good first step
 towards understanding how you can use PGP trust relationships to
 validate keys: `Using trust to validate keys`_.

 In order to become part of the kernel.org web of trust, you should
 locate kernel.org members in your geographical area, then verify and
 cross-sign your keys. To locate members of kernel.org in your area, you
 can use the `Keysign Map`_ created for this purpose, or you may attend a
 `Linux kernel development conference`_ and join a key signing event.

 Once you have verified and signed a few keys, you can use the trust
 relationship established in the process to verify other keys used in the
 kernel.org web of trust.

 .. _`Wikipedia article`: https://en.wikipedia.org/wiki/Web_of_trust
 .. _`Using trust to validate keys`: https://www.gnupg.org/gph/en/manual.html#AEN385
 .. _`Keysign Map`: https://kernel.org/ksmap
 .. _`Linux kernel development conference`: http://events.linuxfoundation.org/

 Using GnuPG to verify kernel signatures
 ---------------------------------------
 All software released via kernel.org has corresponding PGP signatures.
 It should not be possible to upload any files to the kernel.org mirrors
 without providing a trusted PGP signature to go along with them.

 To better illustrate the verification process, let's use Linux 4.6.6
 release as a walk-through example. First, use "``wget``" or "``curl
 -O``" to download the release and the corresponding signature::

     $ wget https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.6.6.tar.xz
     $ wget https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.6.6.tar.sign

 You will notice that the signature is made against the uncompressed
 version of the archive. This is done so there is only one signature
 required for .gz and .xz compressed versions of the release. Start
 by uncompressing the archive, using ``unxz`` in our case::

     $ unxz linux-4.6.6.tar.xz

 Now verify the .tar archive against the signature::

     $ gpg2 --verify linux-4.6.6.tar.sign

 You can combine these steps into a one-liner::

     $ xz -cd linux-4.6.6.tar.xz | gpg2 --verify linux-4.6.6.tar.sign -

 The likely output will be::

     gpg: Signature made Wed 10 Aug 2016 06:55:15 AM EDT using RSA key ID 38DBBDC86092693E
     gpg: Can't check signature: No public key

 You will need to first download the public key from the PGP keyserver in
 order to verify the signature. Look at the first line of the output and
 note the "key ID" listed, which in our example is ``38DBBDC86092693E``. Now
 download this key from the key servers::

     $ gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 38DBBDC86092693E
     gpg: key 38DBBDC86092693E: public key "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" imported
     gpg: Total number processed: 1
     gpg:               imported: 1

 Let's rerun "``gpg2 --verify``"::

     $ gpg2 --verify linux-4.6.6.tar.sign
     gpg: Signature made Wed 10 Aug 2016 06:55:15 AM EDT using RSA key ID 38DBBDC86092693E
     gpg: Good signature from "Greg Kroah-Hartman
          (Linux kernel stable release signing key) <greg@kroah.com>"
     gpg: WARNING: This key is not certified with a trusted signature!
     gpg:          There is no indication that the signature belongs to the owner.
     Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

 Notice the **WARNING: This key is not certified with a trusted
 signature!** You will now need to verify that the key used to sign the
 archive really does belong to the owner (in our example, Greg
 Kroah-Hartman). There are several ways you can do this:

 1. Use the `Kernel.org web of trust`_. This will require that you first
    locate the members of kernel.org in your area and sign their keys.
    **Short of meeting the actual owner of the PGP key in real life, this
    is your best option to verify the validity of a PGP key signature.**
 2. Review the list of signatures on the developer's key by using "``gpg
    --list-sigs``". Email as many people who have signed the key as
    possible, preferably at different organizations (or at least
    different domains). Ask them to confirm that they have signed the key
    in question. You should attach at best marginal trust to the
    responses you receive in this manner (if you receive any).
 3. Use the following site to see trust paths from Linus Torvalds' key to
    the key used to sign the tarball: `pgp.cs.uu.nl`_. Put Linus's key
    into the "from" field and the key you got in the output above into
    the "to" field. Normally, only Linus or people with Linus's direct
    signature will be in charge of releasing kernels. Here's the example
    `from Linus Torvalds to Greg Kroah-Hartman`_.

 Here are key fingerprints for Linus Torvalds and Greg Kroah-Hartman, who
 are most likely to be releasing kernels:

 .. table::

     ================== ======================================================
     Developer          Fingerprint
     ================== ======================================================
     Linus Torvalds     ``ABAF 11C6 5A29 70B1 30AB  E3C4 79BE 3E43 0041 1886``
     Greg Kroah-Hartman ``647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E``
     ================== ======================================================

 Please verify the TLS certificate for this site in your browser before
 trusting the above information.

 .. _`pgp.cs.uu.nl`: https://pgp.cs.uu.nl/mk_path.cgi?STAT=ABAF11C65A2970B130ABE3C479BE3E4300411886
 .. _`from Linus Torvalds to Greg Kroah-Hartman`: https://pgp.cs.uu.nl/mk_path.cgi?FROM=ABAF11C65A2970B130ABE3C479BE3E4300411886&TO=647F28654894E3BD457199BE38DBBDC86092693E&PATHS=trust+paths

 If you get "BAD signature"
 --------------------------
 If at any time you see "BAD signature" output from "``gpg --verify``",
 please first check the following first:

 1. **Make sure that you are verifying the signature against the .tar
    version of the archive, not the compressed (.tar.xz) version.**
 2. Make sure the the downloaded file is correct and not truncated or
    otherwise corrupted.

 If you repeatedly get the same "BAD signature" output, email
 ftpadmin@kernel.org immediately, so we can investigate the problem.

 Kernel.org checksum autosigner and sha256sums.asc
 -------------------------------------------------
 We have a dedicated off-the-network system that connects directly to our
 central attached storage and calculates checksums for all uploaded
 software releases. The generated ``sha256sums.asc`` file is then signed
 with a PGP key generated for this purpose and that doesn't exist outside
 of that system.

 These checksums are **NOT** intended to replace the web of trust. It is
 merely a way for someone to quickly verify whether contents on one of
 the many kernel.org mirrors match the contents on the master mirror.
 While you may use them to quickly verify whether what you have
 downloaded matches what we have on our central storage system, you
 should still use the GPG web of trust to verify whether the release
 tarball actually matches what the kernel developer published.

 Kernel releases prior to September, 2011
 ----------------------------------------
 Prior to September, 2011 all kernel releases were signed automatically by
 the same PGP key::

     pub   1024D/517D0F0E 2000-10-10 [revoked: 2011-12-11]
           Key fingerprint = C75D C40A 11D7 AF88 9981  ED5B C86B A06A 517D 0F0E
     uid                  Linux Kernel Archives Verification Key <ftpadmin@kernel.org>

 Due to the kernel.org systems compromise, this key has been retired and
 revoked. **It will no longer be used to sign future releases and you
 should NOT use this key to verify the integrity of any archives. It is
 almost certain that this key has fallen into malicious hands.**

 All kernel releases that were previously signed with this key were
 cross-checked and signed with another key, created specifically
 for this purpose::

     pub   3072R/C4790F9D 2013-08-08
           Key fingerprint = BFA7 DD3E 0D42 1C9D B6AB  6527 0D3B 3537 C479 0F9D
     uid   Linux Kernel Archives Verification Key
           (One-off resigning of old releases) <ftpadmin@kernel.org>

 This key has been destroyed and will not be used to sign any new releases.

 Revocation certificates
 -----------------------
 The following revocation certificates have been issued for keys used in
 the past to sign kernel.org software releases:

 Key ID 0x517D0F0E
 ~~~~~~~~~~~~~~~~~
 Key fingerprint::

     pub   1024D/517D0F0E 2000-10-10 [revoked: 2011-12-11]
           Key fingerprint = C75D C40A 11D7 AF88 9981  ED5B C86B A06A 517D 0F0E
     uid                  Linux Kernel Archives Verification Key <ftpadmin@kernel.org>

 Revocation certificate::

     -----BEGIN PGP PUBLIC KEY BLOCK-----
     Version: GnuPG v1.4.11 (GNU/Linux)
     Comment: A revocation certificate should follow

     iIkEIBECAEkFAk7lL6xCHQJLZXkgd2FzIHVzZWQgdG8gYXV0b3NpZ25pbmc7IGF1
     dG9zaWduaW5nIHNlcnZlciB3YXMgY29tcHJvbWlzZWQuAAoJEMhroGpRfQ8OS7EA
     nikD5S7mmNM0QRX+H4BDxvdWzXWyAKCTuDGOdLoZs8gnl/G5UKVjX9mVkg==
     =eL49
     -----END PGP PUBLIC KEY BLOCK-----

 Key ID 0x1E1A8782
 ~~~~~~~~~~~~~~~~~
 Key fingerprint::

     pub   1024D/1E1A8782 1999-10-05 [revoked: 2000-10-10]
           Key fingerprint = 9DB4 C3A4 EF2A 3111 9072  82F3 F2A5 75DC 1E1A 8782
     uid                  Linux Kernel Archives Verification Key <ftpadmin@kernel.org>

 Revocation certificate::

     -----BEGIN PGP PUBLIC KEY BLOCK-----
     Version: GnuPG v1.0.0 (GNU/Linux)
     Comment: For info see http://www.gnupg.org
     Comment: A revocation certificate should follow

     iEYEIBECAAYFAjnisTIACgkQ8qV13B4ah4K3DgCfShKQe2kfz68OKu0WwEzgKkAE
     vIQAn3Y8CTCRZ9QEIwsIs93F501VUtPs
     =l5FV
     -----END PGP PUBLIC KEY BLOCK-----

 Key ID 0x514C5279
 ~~~~~~~~~~~~~~~~~
 Key fingerprint::

     pub   1024R/514C5279 1998-12-16 [revoked: 1999-10-05]
           Key fingerprint = 59 B1 5F 6F E3 13 4C 8B  33 E5 14 35 21 F1 D1 03
     uid                  Linux Kernel Archives <ftpadmin@kernel.org>

 Revocation certificate::

     -----BEGIN PGP PUBLIC KEY BLOCK-----
     Version: 2.6.3a

     mQCNAzZ4N0EAAAEEAJpp8Hy0n2FBJqmrfX9dha1Ja/Uc7f63Afbv0SBTE4i+xeyg
     5O/4VWr11LlP1uAjM8Gvfw8neRMLhMUjvRaXPhRR9KoAaW84Bg0cBSyakY6j1JXz
     JcBVKGoGNgBo82cVM9bkE1/Qdy9v6pGDw3qhAqBNLDtYDUS8fgTPgU1RTFJ5AAUR
     iQCVAwUgN/p+yATPgU1RTFJ5AQGk3wP/YDsx7Wys/FSfBMpfQA+7IO5Ug2voBGDa
     hXHKIofT9H7/eYBr3Sctq+/eZAVwll1iS3dkzBIEuvbVlgVam/nvegfRrL2hKy7i
     ELespx5WEqfhnapawg/xpFRsPkYOq96IcoGSIQSwGCq4wqz/CwfG/tQx0eGP9k7j
     N176TIjYdzu0K0xpbnV4IEtlcm5lbCBBcmNoaXZlcyA8ZnRwYWRtaW5Aa2VybmVs
     Lm9yZz6JAJUDBRA2eFIpnE1kY6hrNcUBARi6BACbJhIzBynhTW75RUeOqGv097+c
     ybQZ5fysSf3zeAIxGSFlZcpruHpLylwRXumhiOjqWjKbEeN2r9MqcutIKUVt2lkP
     p2BsqKN7CzmSMWLO13DYr7cSufKqm6AOe0pTqJJKTI/yST7DpHkDsi+FYN7eZ79w
     xETITd0Z/7/dF1uwBIkAlQMFEDZ4S3QCetOcrPWlRQEBcwkEAJbhw4ggjcenRNNo
     357I8dzEHrIWIAhonjAnWddEwyGFUy1cmayNTO/PRXjubCEFuJttWZ50cKPpiwYr
     oxGOglUnX52aw7lZMIrQOTwe25VyrXIsSGDa3a+pyWHiWcRuAIAIP68rfFEYLhYf
     MMqBkh6f9QvipntvSYpuciS5xF9biQEVAwUQNnhHnTuFIe3ySu75AQH4NAf9GSYF
     T+rrPJhKHKnRT0qbnfwhgCGy6nQyjC1fEPLfnZnwoAvW1GO7JaXa516RbFkrrvHN
     vUeatXkRM3m94MSRdTfxabdgHlySbIkzGtCN0LaUI+it304UdheqP9cHbeQReMhf
     SmX0iEEbW+uUsfjv3+C2DiuHVb/xbql+Kacd+jf03OpRYRZg/lM7+WVJPhIg869Z
     WTeGc7THYVshQ8I/Ea9+O/PhqdZamHyG2bdpZVN24v6y/ULHrTTWZ4fUeybHNQzL
     bdJ2gpE58V+nbdcL7qkAU8fiHrTQwTWqp5tT1YBWUmFQKk/ETxQb1YEHnEIaPiKx
     p4FT/BTu0xj5D+72/4kAlQMFEDZ4N0EEz4FNUUxSeQEB6gQD/RqBgIU/BiVNUe/7
     iKOUxATGhetqm82FbOhSRuoeqZjL6NV+CfLzTzF17ngXPopQ4B7Nf0vKzEhkw6S4
     OqJ6PMOg/PG0dEbtTWFQL4BhUipkrCB+VfXnD8BbKz3cmUFgzTHdj/Rut3GTNjlL
     7gWZTFAiBtkNvSaeRl40S4+UG4ys
     =ejCq
     -----END PGP PUBLIC KEY BLOCK-----
	Linux kernel releases PGP signatures
	====================================

	:date: 2016-08-15
	:slug: signature
	:category: Signatures

	All kernel releases are cryptographically signed using OpenPGP-compliant
	signatures. Everyone is strongly encouraged to verify the integrity of
	downloaded kernel releases by verifying the corresponding signatures.

	**Linux kernel releases and all other files distributed via kernel.org
	mirrors are no longer signed by one centrally issued key. You will need
	to rely on the PGP Web of Trust in order to verify the authenticity of
	downloaded archives.**

	Basic concepts
	--------------
	Every kernel release comes with a cryptographic signature from the
	person making the release. This cryptographic signature allows anyone to
	verify whether the files have been modified or otherwise tampered with
	since the developer created and signed them. The signing and
	verification process uses public-key cryptography and it is next to
	impossible to forge a PGP signature without first gaining access to the
	developer's private key. If this does happen, the developers will revoke
	the compromised key and will re-sign all their previously signed
	releases with the new key.

	To learn more about the way PGP works, please consult Wikipedia_.

	.. _Wikipedia: https://en.wikipedia.org/wiki/Pretty_Good_Privacy#How_PGP_encryption_works

	Kernel.org web of trust
	-----------------------
	In order for this section to make sense, you should first familiarize
	yourself with the way PGP Web of Trust works. You can start by reading
	the `Wikipedia article`_ on the subject.

	In a few words, **PGP keys used by members of kernel.org are
	cross-signed by other members of kernel.org** (and, frequently, by many
	other people). If you wanted to verify the validity of any key
	belonging to a member of kernel.org, you could review the list of
	signatures on their public key and then make a decision whether you trust
	that key or not. This article from the GnuPG manual is a good first step
	towards understanding how you can use PGP trust relationships to
	validate keys: `Using trust to validate keys`_.

	In order to become part of the kernel.org web of trust, you should
	locate kernel.org members in your geographical area, then verify and
	cross-sign your keys. To locate members of kernel.org in your area, you
	can use the `Keysign Map`_ created for this purpose, or you may attend a
	`Linux kernel development conference`_ and join a key signing event.

	Once you have verified and signed a few keys, you can use the trust
	relationship established in the process to verify other keys used in the
	kernel.org web of trust.

	.. _`Wikipedia article`: https://en.wikipedia.org/wiki/Web_of_trust
	.. _`Using trust to validate keys`: https://www.gnupg.org/gph/en/manual.html#AEN385
	.. _`Keysign Map`: https://kernel.org/ksmap
	.. _`Linux kernel development conference`: http://events.linuxfoundation.org/

	Using GnuPG to verify kernel signatures
	---------------------------------------
	All software released via kernel.org has corresponding PGP signatures.
	It should not be possible to upload any files to the kernel.org mirrors
	without providing a trusted PGP signature to go along with them.

	To better illustrate the verification process, let's use Linux 4.6.6
	release as a walk-through example. First, use "``wget``" or "``curl
	-O``" to download the release and the corresponding signature::

	$ wget https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.6.6.tar.xz
	$ wget https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.6.6.tar.sign

	You will notice that the signature is made against the uncompressed
	version of the archive. This is done so there is only one signature
	required for .gz and .xz compressed versions of the release. Start
	by uncompressing the archive, using ``unxz`` in our case::

	$ unxz linux-4.6.6.tar.xz

	Now verify the .tar archive against the signature::

	$ gpg2 --verify linux-4.6.6.tar.sign

	You can combine these steps into a one-liner::

	$ xz -cd linux-4.6.6.tar.xz \| gpg2 --verify linux-4.6.6.tar.sign -

	The likely output will be::

	gpg: Signature made Wed 10 Aug 2016 06:55:15 AM EDT using RSA key ID 38DBBDC86092693E
	gpg: Can't check signature: No public key

	You will need to first download the public key from the PGP keyserver in
	order to verify the signature. Look at the first line of the output and
	note the "key ID" listed, which in our example is ``38DBBDC86092693E``. Now
	download this key from the key servers::

	$ gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 38DBBDC86092693E
	gpg: key 38DBBDC86092693E: public key "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" imported
	gpg: Total number processed: 1
	gpg: imported: 1

	Let's rerun "``gpg2 --verify``"::

	$ gpg2 --verify linux-4.6.6.tar.sign
	gpg: Signature made Wed 10 Aug 2016 06:55:15 AM EDT using RSA key ID 38DBBDC86092693E
	gpg: Good signature from "Greg Kroah-Hartman
	(Linux kernel stable release signing key) <greg@kroah.com>"
	gpg: WARNING: This key is not certified with a trusted signature!
	gpg: There is no indication that the signature belongs to the owner.
	Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E

	Notice the **WARNING: This key is not certified with a trusted
	signature!** You will now need to verify that the key used to sign the
	archive really does belong to the owner (in our example, Greg
	Kroah-Hartman). There are several ways you can do this:

	1. Use the `Kernel.org web of trust`_. This will require that you first
	locate the members of kernel.org in your area and sign their keys.
	**Short of meeting the actual owner of the PGP key in real life, this
	is your best option to verify the validity of a PGP key signature.**
	2. Review the list of signatures on the developer's key by using "``gpg
	--list-sigs``". Email as many people who have signed the key as
	possible, preferably at different organizations (or at least
	different domains). Ask them to confirm that they have signed the key
	in question. You should attach at best marginal trust to the
	responses you receive in this manner (if you receive any).
	3. Use the following site to see trust paths from Linus Torvalds' key to
	the key used to sign the tarball: `pgp.cs.uu.nl`_. Put Linus's key
	into the "from" field and the key you got in the output above into
	the "to" field. Normally, only Linus or people with Linus's direct
	signature will be in charge of releasing kernels. Here's the example
	`from Linus Torvalds to Greg Kroah-Hartman`_.

	Here are key fingerprints for Linus Torvalds and Greg Kroah-Hartman, who
	are most likely to be releasing kernels:

	.. table::

	================== ======================================================
	Developer Fingerprint
	================== ======================================================
	Linus Torvalds ``ABAF 11C6 5A29 70B1 30AB E3C4 79BE 3E43 0041 1886``
	Greg Kroah-Hartman ``647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E``
	================== ======================================================

	Please verify the TLS certificate for this site in your browser before
	trusting the above information.

	.. _`pgp.cs.uu.nl`: https://pgp.cs.uu.nl/mk_path.cgi?STAT=ABAF11C65A2970B130ABE3C479BE3E4300411886
	.. _`from Linus Torvalds to Greg Kroah-Hartman`: https://pgp.cs.uu.nl/mk_path.cgi?FROM=ABAF11C65A2970B130ABE3C479BE3E4300411886&TO=647F28654894E3BD457199BE38DBBDC86092693E&PATHS=trust+paths

	If you get "BAD signature"
	--------------------------
	If at any time you see "BAD signature" output from "``gpg --verify``",
	please first check the following first:

	1. **Make sure that you are verifying the signature against the .tar
	version of the archive, not the compressed (.tar.xz) version.**
	2. Make sure the the downloaded file is correct and not truncated or
	otherwise corrupted.

	If you repeatedly get the same "BAD signature" output, email
	ftpadmin@kernel.org immediately, so we can investigate the problem.

	Kernel.org checksum autosigner and sha256sums.asc
	-------------------------------------------------
	We have a dedicated off-the-network system that connects directly to our
	central attached storage and calculates checksums for all uploaded
	software releases. The generated ``sha256sums.asc`` file is then signed
	with a PGP key generated for this purpose and that doesn't exist outside
	of that system.

	These checksums are NOT intended to replace the web of trust. It is
	merely a way for someone to quickly verify whether contents on one of
	the many kernel.org mirrors match the contents on the master mirror.
	While you may use them to quickly verify whether what you have
	downloaded matches what we have on our central storage system, you
	should still use the GPG web of trust to verify whether the release
	tarball actually matches what the kernel developer published.

	Kernel releases prior to September, 2011
	----------------------------------------
	Prior to September, 2011 all kernel releases were signed automatically by
	the same PGP key::

	pub 1024D/517D0F0E 2000-10-10 [revoked: 2011-12-11]
	Key fingerprint = C75D C40A 11D7 AF88 9981 ED5B C86B A06A 517D 0F0E
	uid Linux Kernel Archives Verification Key <ftpadmin@kernel.org>

	Due to the kernel.org systems compromise, this key has been retired and
	revoked. **It will no longer be used to sign future releases and you
	should NOT use this key to verify the integrity of any archives. It is
	almost certain that this key has fallen into malicious hands.**

	All kernel releases that were previously signed with this key were
	cross-checked and signed with another key, created specifically
	for this purpose::

	pub 3072R/C4790F9D 2013-08-08
	Key fingerprint = BFA7 DD3E 0D42 1C9D B6AB 6527 0D3B 3537 C479 0F9D
	uid Linux Kernel Archives Verification Key
	(One-off resigning of old releases) <ftpadmin@kernel.org>

	This key has been destroyed and will not be used to sign any new releases.

	Revocation certificates
	-----------------------
	The following revocation certificates have been issued for keys used in
	the past to sign kernel.org software releases:

	Key ID 0x517D0F0E
	~~~~~~~~~~~~~~~~~
	Key fingerprint::

	pub 1024D/517D0F0E 2000-10-10 [revoked: 2011-12-11]
	Key fingerprint = C75D C40A 11D7 AF88 9981 ED5B C86B A06A 517D 0F0E
	uid Linux Kernel Archives Verification Key <ftpadmin@kernel.org>

	Revocation certificate::

	-----BEGIN PGP PUBLIC KEY BLOCK-----
	Version: GnuPG v1.4.11 (GNU/Linux)
	Comment: A revocation certificate should follow

	iIkEIBECAEkFAk7lL6xCHQJLZXkgd2FzIHVzZWQgdG8gYXV0b3NpZ25pbmc7IGF1
	dG9zaWduaW5nIHNlcnZlciB3YXMgY29tcHJvbWlzZWQuAAoJEMhroGpRfQ8OS7EA
	nikD5S7mmNM0QRX+H4BDxvdWzXWyAKCTuDGOdLoZs8gnl/G5UKVjX9mVkg==
	=eL49
	-----END PGP PUBLIC KEY BLOCK-----

	Key ID 0x1E1A8782
	~~~~~~~~~~~~~~~~~
	Key fingerprint::

	pub 1024D/1E1A8782 1999-10-05 [revoked: 2000-10-10]
	Key fingerprint = 9DB4 C3A4 EF2A 3111 9072 82F3 F2A5 75DC 1E1A 8782
	uid Linux Kernel Archives Verification Key <ftpadmin@kernel.org>

	Revocation certificate::

	-----BEGIN PGP PUBLIC KEY BLOCK-----
	Version: GnuPG v1.0.0 (GNU/Linux)
	Comment: For info see http://www.gnupg.org
	Comment: A revocation certificate should follow

	iEYEIBECAAYFAjnisTIACgkQ8qV13B4ah4K3DgCfShKQe2kfz68OKu0WwEzgKkAE
	vIQAn3Y8CTCRZ9QEIwsIs93F501VUtPs
	=l5FV
	-----END PGP PUBLIC KEY BLOCK-----

	Key ID 0x514C5279
	~~~~~~~~~~~~~~~~~
	Key fingerprint::

	pub 1024R/514C5279 1998-12-16 [revoked: 1999-10-05]
	Key fingerprint = 59 B1 5F 6F E3 13 4C 8B 33 E5 14 35 21 F1 D1 03
	uid Linux Kernel Archives <ftpadmin@kernel.org>

	Revocation certificate::

	-----BEGIN PGP PUBLIC KEY BLOCK-----
	Version: 2.6.3a

	mQCNAzZ4N0EAAAEEAJpp8Hy0n2FBJqmrfX9dha1Ja/Uc7f63Afbv0SBTE4i+xeyg
	5O/4VWr11LlP1uAjM8Gvfw8neRMLhMUjvRaXPhRR9KoAaW84Bg0cBSyakY6j1JXz
	JcBVKGoGNgBo82cVM9bkE1/Qdy9v6pGDw3qhAqBNLDtYDUS8fgTPgU1RTFJ5AAUR
	iQCVAwUgN/p+yATPgU1RTFJ5AQGk3wP/YDsx7Wys/FSfBMpfQA+7IO5Ug2voBGDa
	hXHKIofT9H7/eYBr3Sctq+/eZAVwll1iS3dkzBIEuvbVlgVam/nvegfRrL2hKy7i
	ELespx5WEqfhnapawg/xpFRsPkYOq96IcoGSIQSwGCq4wqz/CwfG/tQx0eGP9k7j
	N176TIjYdzu0K0xpbnV4IEtlcm5lbCBBcmNoaXZlcyA8ZnRwYWRtaW5Aa2VybmVs
	Lm9yZz6JAJUDBRA2eFIpnE1kY6hrNcUBARi6BACbJhIzBynhTW75RUeOqGv097+c
	ybQZ5fysSf3zeAIxGSFlZcpruHpLylwRXumhiOjqWjKbEeN2r9MqcutIKUVt2lkP
	p2BsqKN7CzmSMWLO13DYr7cSufKqm6AOe0pTqJJKTI/yST7DpHkDsi+FYN7eZ79w
	xETITd0Z/7/dF1uwBIkAlQMFEDZ4S3QCetOcrPWlRQEBcwkEAJbhw4ggjcenRNNo
	357I8dzEHrIWIAhonjAnWddEwyGFUy1cmayNTO/PRXjubCEFuJttWZ50cKPpiwYr
	oxGOglUnX52aw7lZMIrQOTwe25VyrXIsSGDa3a+pyWHiWcRuAIAIP68rfFEYLhYf
	MMqBkh6f9QvipntvSYpuciS5xF9biQEVAwUQNnhHnTuFIe3ySu75AQH4NAf9GSYF
	T+rrPJhKHKnRT0qbnfwhgCGy6nQyjC1fEPLfnZnwoAvW1GO7JaXa516RbFkrrvHN
	vUeatXkRM3m94MSRdTfxabdgHlySbIkzGtCN0LaUI+it304UdheqP9cHbeQReMhf
	SmX0iEEbW+uUsfjv3+C2DiuHVb/xbql+Kacd+jf03OpRYRZg/lM7+WVJPhIg869Z
	WTeGc7THYVshQ8I/Ea9+O/PhqdZamHyG2bdpZVN24v6y/ULHrTTWZ4fUeybHNQzL
	bdJ2gpE58V+nbdcL7qkAU8fiHrTQwTWqp5tT1YBWUmFQKk/ETxQb1YEHnEIaPiKx
	p4FT/BTu0xj5D+72/4kAlQMFEDZ4N0EEz4FNUUxSeQEB6gQD/RqBgIU/BiVNUe/7
	iKOUxATGhetqm82FbOhSRuoeqZjL6NV+CfLzTzF17ngXPopQ4B7Nf0vKzEhkw6S4
	OqJ6PMOg/PG0dEbtTWFQL4BhUipkrCB+VfXnD8BbKz3cmUFgzTHdj/Rut3GTNjlL
	7gWZTFAiBtkNvSaeRl40S4+UG4ys
	=ejCq
	-----END PGP PUBLIC KEY BLOCK-----