{"id":28583678,"url":"https://github.com/debops/debops-keyring","last_synced_at":"2026-01-31T16:34:17.111Z","repository":{"id":78657796,"uuid":"62994571","full_name":"debops/debops-keyring","owner":"debops","description":"Repository with OpenPGP keys of the DebOps People","archived":false,"fork":false,"pushed_at":"2017-06-20T19:14:50.000Z","size":163,"stargazers_count":2,"open_issues_count":2,"forks_count":3,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-06-11T05:11:22.543Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/debops.png","metadata":{"files":{"readme":"README.rst","changelog":"CHANGES.rst","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2016-07-10T11:01:42.000Z","updated_at":"2017-02-10T13:19:37.000Z","dependencies_parsed_at":null,"dependency_job_id":"83ac1d6a-bcf0-46e2-bcfd-5872b55362a4","html_url":"https://github.com/debops/debops-keyring","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/debops/debops-keyring","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/debops%2Fdebops-keyring","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/debops%2Fdebops-keyring/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/debops%2Fdebops-keyring/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/debops%2Fdebops-keyring/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners
/debops","download_url":"https://codeload.github.com/debops/debops-keyring/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/debops%2Fdebops-keyring/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28947666,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-31T14:26:55.697Z","status":"ssl_error","status_checked_at":"2026-01-31T14:26:52.545Z","response_time":128,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-11T05:10:13.144Z","updated_at":"2026-01-31T16:34:17.100Z","avatar_url":"https://github.com/debops.png","language":"Makefile","funding_links":[],"categories":[],"sub_categories":[],"readme":"debops-keyring\n==============\n\nThe debops-keyring_ contains OpenPGP/GnuPG keys used by the DebOps Developers and\nDebOps Contributors.\nThese keys can be used to authenticate and verify the ``git`` commits and tags\nin main repositories of the DebOps Project.\n\n.. 
contents::\n   :local:\n   :depth: 1\n\nTerminology\n-----------\n\nThe key words \"MUST\", \"MUST NOT\", \"REQUIRED\", \"SHALL\", \"SHALL NOT\",\n\"SHOULD\", \"SHOULD NOT\", \"RECOMMENDED\", \"MAY\", and \"OPTIONAL\" in this\ndocument are to be interpreted as described in BCP 14, [`RFC2119`_].\n\nWhy OpenPGP keys are used to sign code in the DebOps Project\n------------------------------------------------------------\n\nThe DebOps Project is designed to be used in a production environment, therefore\nsome kind of a verifiable trust path is REQUIRED to ensure that the code used to\nexecute commands can be trusted. Because the DebOps Project is developed in an\nenvironment not exclusively controlled by its Developers (GitHub), additional\nverification of authenticity provided by commits and tags signed by trusted OpenPGP\nkeys is beneficial to the DebOps Project and its users, regardless of whether\nsigning each ``git`` commit is sensible or not.\n\nSee also:\n\n- `DebOps Code Signing Policy`_\n\nCanonical source of the debops-keyring repository\n-------------------------------------------------\n\nThe repository was initialized and signed by Maciej Delmanowski on his own\nprivate computer and uploaded to the GitHub repository using the SSH protocol.\nIt can be found at the following URL:\n\n    https://github.com/debops/debops-keyring\n\nRepository contents\n-------------------\n\nThe repository layout is modeled after the `debian-keyring \u003chttps://anonscm.debian.org/git/keyring/keyring.git/tree/\u003e`_.\n\n``debops-keyring-gpg/``\n  This directory contains OpenPGP keys currently used by people working\n  on DebOps.\n\n``keyids``\n  This file contains a canonical mapping between OpenPGP keys and the user names of\n  their owners used within the DebOps Project.\n\n``roles/leader``\n  This file defines who the current DebOps Project Leader is.\n\n``roles/admins``\n  This file lists the DebOps Project Admins.\n\n``roles/developers``\n  This file lists all DebOps 
Developers.\n\n``roles/contributors``\n  This file lists all DebOps Contributors.\n\n``roles/bots``\n  This file lists all DebOps Bots.\n\nCommit and tag verification\n---------------------------\n\nBefore the verification can be performed correctly, you need to import the OpenPGP\nkeys to your GnuPG keyring. To do that, you should clone this repository to\na directory on your computer, for example with the command:\n\n.. code-block:: console\n\n   git clone https://github.com/debops/debops-keyring ~/src/github.com/debops/debops-keyring\n\nAfter that, you should import the provided keys to your OpenPGP keyring:\n\n.. code-block:: console\n\n   gpg --import ~/src/github.com/debops/debops-keyring/debops-keyring-gpg/0x*\n\nTo verify OpenPGP signatures on commits in a ``git`` repository, you can use the\ncommand:\n\n.. code-block:: console\n\n   git log --show-signature\n\nTo verify the OpenPGP signature on a tag in a ``git`` repository, you can use the\ncommand:\n\n.. code-block:: console\n\n   git tag --verify \u003ctag-id\u003e\n\nAdding your OpenPGP public key\n------------------------------\n\nWhen you feel associated with the DebOps Project and have made at least one\ncontribution to the Project you are free to add your OpenPGP public key to this\nrepository.\n\nPrinting Long Key IDs:\n\n.. code-block:: console\n\n   gpg --keyid-format long --list-keys\n\nTo do so you should add your OpenPGP public key(s) to ``debops-keyring-gpg/``\nusing:\n\n.. code-block:: console\n\n   gpg -a --export \u003clong_key_ID\u003e \u003e \u003clong_key_ID\u003e\n\nAdditionally, it is REQUIRED that you upload your public key(s) to\n`sks-keyservers.net`_ or another OpenPGP keyserver pool which syncs with\n`sks-keyservers.net`_. This is also the place where changes (subkeys actively\nused for signing or encryption, and key expiration) to your key(s) MUST be\nuploaded to.  
Key signatures SHOULD be uploaded there as well.\n\nAnd then specify the key ID to person mapping in the ``keyids`` file.\n\nNote that you SHOULD be reasonably confident that \"no\none has ever had a copy of your private key\"[#opsec-snowden-quote]_.\nOtherwise you could easily be impersonated.\nRefer to `OpenPGP Best Practices`_ for more details.\n\n\nThen add yourself to the corresponding file, either ``roles/contributors`` or\n``roles/developers`` (if the requirements from the `Becoming a DebOps Developer`_\nsection are met).\n\nThe commit that you make to add or change these files MUST be signed by your\nmost trusted OpenPGP signing (sub)key (Root of Trust – in case you have\nmultiple which (cross) sign each other) to prove that you have control over this\nidentity.\n\nTo prove that you have full control over your account on the source code\nmanagement platform used to work on the DebOps Project (currently GitHub) it is\nRECOMMENDED for the DebOps Contributors and REQUIRED for the DebOps Developers\nto provide a proof via the means of https://keybase.io/.\n\nAdditionally, it is RECOMMENDED to take part in the Web Of Trust to make it\nharder for an adversary to fake signatures by pretending to be one of the\nDebOps Contributors or Developers. In particular as the DebOps Project is\nrelated to the Debian Project it is RECOMMENDED to get your key signed by at\nleast one Debian Developer.  A signature from another DebOps Developer is\nsufficient as well.\n\nRECOMMENDED, source https://bettercrypto.org/:\n\n  For asymmetric public-key cryptography we consider any key length below 3248 bits to be\n  deprecated at the time of this writing (for long term protection).\n\n2048 bits (assuming RSA) is the absolute minimum key size which MUST be met (enforced by CI tests).\n\n.. 
[#opsec-snowden-quote] https://www.wired.com/2014/10/snowdens-first-emails-to-poitras/\n\nChanging your OpenPGP public key\n--------------------------------\n\nThe policy for this procedure is not yet fixed. A starting point could be\n`Rules for key replacement in the Debian keyring`_.\n\nBecoming a DebOps Developer\n---------------------------\n\nTo become a DebOps Developer, you SHOULD have contributed to the DebOps\nProject for a while (say 6 months) and know a thing or two about how the Project\nworks.\n\nTo make this official, all you need to do is follow the `Adding your OpenPGP public\nkey`_ section and then add yourself to the ``roles/developers`` file.\n\n.. The file needs to be self contained e. g. no includes. Thus the needed\n   entries from https://github.com/debops/docs/blob/master/docs/includes/global.rst\n   are inlined here:\n.. _debops-keyring: https://github.com/debops/debops-keyring\n.. _DebOps Code Signing Policy: http://docs.debops.org/en/latest/debops-policy/docs/code-signing-policy.html\n.. _Rules for key replacement in the Debian keyring: https://keyring.debian.org/replacing_keys.html\n.. _sks-keyservers.net: https://sks-keyservers.net/status/\n.. _OpenPGP Best Practices: https://help.riseup.net/en/security/message-security/openpgp/best-practices\n.. _RFC2119: https://tools.ietf.org/html/rfc2119\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdebops%2Fdebops-keyring","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdebops%2Fdebops-keyring","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdebops%2Fdebops-keyring/lists"}