Project

General

Profile

Actions

ReleaseKey » History » Revision 11

« Previous | Revision 11/29 (diff) | Next »
Wolfgang Wiedmeyer, 03/06/2017 01:39 PM
add note about listing the key signatures and establishing a chain of trust using existing signatures


Replicant release key

The current Replicant release key expires: 2024-01-17 and has fingerprint:

E776 092B 052A DC91 FDD1 FD80 16D1 FEEE 4A80 EB23

Retrieving the Replicant release key

From a key server

You can retrieve our signing key from a public key server and import it to your GPG keyring using:

gpg --recv-key 16D1FEEE4A80EB23

or
gpg --recv-key 16D1FEEE4A80EB23

From our releases

A copy of our signing key is shipped with every Replicant release, distributed with Replicant images.
Once downloaded, the key can be imported to your GPG keyring using:

gpg  --armor --import path/to/4A80EB23.asc

Establishing a chain of trust

In order to establish a chain of trust, you are encouraged to retrieve our release key physically when meeting a trusted Replicant developer and sign it with your own key.

You can see the signatures the release key is already signed with running:

gpg --list-sigs 16D1FEEE4A80EB23

If a key you already trust is among these signatures, a chain of trust is established between your key and the release key. However, this chain of trust is not as strong as the direct one you establish when you personally verify and sign the release key.

Updated by Wolfgang Wiedmeyer about 7 years ago · 11 revisions locked

Also available in: PDF HTML TXT