keyring.debian.org

Debian Public Key Server

This public key server provides simple HKP lookup and add requests for Debian developer and maintainer public keys.

The server may be accessed with gpg by using the --keyserver option in combination with either of the --recv-keys or --send-keys actions.

Please note that this server is meant only for basic key retreive/update operation, and does not implement search functionality. To search for a specific Debian Developer, use the Developer LDAP Search interface.

Only keys in the Debian keyrings (ie those for DDs and DMs) will be returned by this server and only pre-existing keys will be updated, although a copy of all updates will be forwarded to the keyserver network.

You can use the keyring server for the following purposes:

Fetch a key

Once you know the key's ID, just ask the server for it:

$ gpg --keyserver keyring.debian.org --recv-keys 0x673A03E4C1DB921F

Debian keys may also be retrieved by using the form at db.debian.org or:

finger user@db.debian.org

Update your key expiry

Update your expiry locally first; you can follow this tutorial if you need. Then, just send your updated key:

$ gpg --keyserver keyring.debian.org --send-keys 0x673A03E4C1DB921F
gpg: sending key 0x673A03E4C1DB921F to hkp server keyring.debian.org

We will include your changed key in our next keyring push (which happens approx. monthly).

Sign somebody's key

Please don't sign other person's key and upload to a keyring server!
We recommend you to follow a protocol that ensures the other person has actual control of the e-mail addresses listed in their key. The most common tools used in Debian to do this is caff, in the signing-party package.

Add new signatures to your key

Receive and add the signatures to your local key, and just push it to our server:

$ gpg --keyserver keyring.debian.org --send-keys 0x673A03E4C1DB921F
gpg: sending key 0x673A03E4C1DB921F to hkp server keyring.debian.org
	

New signatures will be included in our next keyring push (which happens approx. monthly)

Replace your key

To replace an existing key or remove a key from the Debian keyring file an RT request by sending email to keyring@rt.debian.org with the words 'Debian RT' somewhere in the subject line (case doesn't matter, and please remember to include something descriptive as well). Unfortunately RT mangles PGP/MIME so you need to put any signatures inline (more information regarding inline-signing). If you are replacing a key with an entirely new key (rather than just updating the expiry or subkeys) you should read the rules for key replacement in the Debian keyring. New keys should be larger than 1024 bits and capable of hashes stronger than SHA1; see the GnuPG key creation guide.

Revoke a key

If you have any reason to believe your key has been compromised, or there is any strong reason for you stop trusting your key, do upload your revocation certificate right away to the keyserver, and file an RT request as described above. We will act as quickly as possible.

Retire from Debian

As described in the Debian Developers' Reference, in order to properly retire from Debian, you should:

1. Orphan all your packages.
2. Send an gpg-signed email announcing your retirement to .
3. Notify the Debian key ring maintainers that you are leaving by opening a ticket in Debian RT by sending a mail to with the words 'Debian RT' somewhere in the subject line (case doesn't matter).
4. If you received mails via a @debian.org e-mail alias (e.g. press@debian.org) and would like to get removed, open a RT ticket for the Debian System Administrators. Just send an e-mail to with "Debian RT" somewhere in the subject stating from which aliases you'd like to get removed.

To update a key that is already present in the keyring (say, for updating the expiry date, adding identities/subkeys, or uploading more signatures), just send it via HKP (ie with --send-keys under gpg). Note that we will not automatically import any information from the keyserver network.

Updated keys sent via HKP will be folded into the active Debian keyring at least once a month.

This server also provides the full keyring via anonymous rsync in the 'keyrings' module, e.g.:

rsync -az --progress keyring.debian.org::keyrings/keyrings/ .

Note that updates through this server will not be immediately reflected in the keys returned by those mechanisms.

The Debian keyring is maintained in a Git repository, which can be viewed or cloned at:

https://anonscm.debian.org/git/keyring/keyring.git/

See the www.debian.org for more information about the Debian Project.

keyring.debian.org only deals with keys for Debian project Member. Please do not send add requests for your key if you are not an existing DD or DM; the Debian Account Managers will submit the key add request for new members when they successfully complete the New Member process.