The debops-keyring contains OpenPGP/GnuPG keys used by the DebOps Developers and
DebOps Contributors.
These keys can be used to authenticate and verify the git commits and tags
in main repositories of the DebOps Project.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, [RFC2119].
The DebOps Project is designed to be used in production environment, therefore
some kind of a verifiable trust path is REQUIRED to ensure that the code used to
execute commands can be trusted. Because DebOps Project is developed in an
environment not exclusively controlled by its Developers (GitHub), additional
verification of authenticity provided by commits and tags signed by trusted OpenPGP
keys is beneficial to the DebOps Project and its users, regardless of whether
signing each git commit is sensible or not.
See also:
The repository was initialized and signed by Maciej Delmanowski on his own private computer and uploaded to the GitHub repository using the SSH protocol. It can be found at the following URL:
https://github.com/debops/debops-keyring
The repository layout is modeled after the debian-keyring.
debops-keyring-gpg/- This directory contains OpenPGP keys currently used by people working on DebOps.
keyids- This file contains a canonical mapping between OpenPGP keys and the user names of their owners used within the DebOps Project.
roles/leader- This file defines who the current DebOps Project Leader is.
roles/admins- This file lists the DebOps Project Admins.
roles/developers- This file lists all DebOps Developers.
roles/contributors- This file lists all DebOps Contributors.
roles/bots- This file lists all DebOps Bots.
Before the verification can be performed correctly, you need to import the OpenPGP keys to your GnuPG keyring. To do that, you should clone this repository to a directory on your computer, for example with a command:
git clone https://github.com/debops/debops-keyring ~/src/github.com/debops/debops-keyringAfter that, you should import the provided keys to your OpenPGP keyring:
gpg --import ~/src/github.com/debops/debops-keyring/debops-keyring-gpg/0x*To verify OpenPGP signatures on commits in a git repository, you can use the
command:
git log --show-signatureTo verify OpenPGP signature on a tag in a git repository, you can use the
command:
git tag --verify <tag-id>When you feel associated with the DebOps Project and have made at least one contribution to the Project you are free to add your OpenPGP public key to this repository.
Printing Long Key IDs:
gpg --keyid-format long --list-keysTo do so you should add your OpenPGP public key(s) to debops-keyring-gpg/
using:
gpg -a --export <long_key_ID> > <long_key_ID>Additionally, it is REQUIRED that you upload your public key(s) to sks-keyservers.net or another OpenPGP keyserver pools which sync with sks-keyservers.net. This is also the place where changes (subkeys actively used for signing or encryption, and key expiration) to your key(s) MUST be uploaded to. Key signatures SHOULD be uploaded there as well.
And then specify the key ID to person mapping in the keyids file.
Note that you SHOULD be reasonably confident that "no one has ever had a copy of your private key"[1]. Otherwise you could easily be impersonated. Refer to OpenPGP Best Practices for more details.
Then add yourself to the corresponding file, either roles/contributors or
roles/developers (if the requirements from the Becoming a DebOps Developer
section are met).
The commit that you make to add or change these files MUST be signed by your most trusted OpenPGP signing (sub)key (Root of Trust – in case you have multiple which (cross) sign each other) to prove that you have control over this identity.
To prove that you have full control over your account on the source code management platform used to work on the DebOps Project (currently GitHub) it is RECOMMENDED for the DebOps Contributors and REQUIRED for the DebOps Developers to provide a proof via the means of https://keybase.io/.
Additionally, it is RECOMMENDED to take part in the Web Of Trust to make it harder for an adversary to fake signatures by pretending to be one of the DebOps Contributors or Developers. In particular as the DebOps Project is related to the Debian Project it is RECOMMENDED to get your key signed by at least one Debian Developer. A signature from another DebOps Developer is sufficient as well.
RECOMMENDED, source https://bettercrypto.org/:
For asymmetric public-key cryptography we consider any key length below 3248 bits to be deprecated at the time of this writing (for long term protection).
2048 bits (assuming RSA) is the absolut minimum key size which MUST be met (enforced by CI tests).
| [1] | https://www.wired.com/2014/10/snowdens-first-emails-to-poitras/ |
The policy for this procedure is not yet fixed. A starting point could be Rules for key replacement in the Debian keyring.
To become a DebOps Developer, you SHOULD have contribution to the DebOps Project for a while (say 6 months) and know a thing or two how the Project works.
To make this official, all you need to do is follow the Adding your OpenPGP public
key section and then add yourself to the roles/developers file.