ReleaseKey » History » Version 13

Wolfgang Wiedmeyer, 03/06/2017 03:13 PM
recommend retrieving the key from a key server and link to the riseup.net "OpenPGP Best Practices" guide for instructions

h1. Replicant release key

The current Replicant release key expires on 2024-01-17 and has the fingerprint:

<pre>
E776 092B 052A DC91 FDD1 FD80 16D1 FEEE 4A80 EB23
</pre>

h2. Retrieving the Replicant release key

h3. From a key server (recommended)

You can retrieve our signing key from a public key server and import it to your GPG keyring using:

<pre>
gpg --recv-key 16D1FEEE4A80EB23
</pre>

Errors may occur if GPG is not properly configured. Following a guide like "this":https://riseup.net/en/security/message-security/openpgp/best-practices should ensure that the key is retrieved securely.

h3. From our releases

A copy of our signing key is shipped with every Replicant release, distributed with [[ReplicantImages|Replicant images]].
Once downloaded, the key can be imported to your GPG keyring using:

<pre>
gpg --armor --import path/to/4A80EB23.asc
</pre>
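
After importing the key by either method, and before signing it, its full fingerprint can be compared with the one published at the top of this page. The script below is an added example, not part of the original wiki page: the function names and the @--check@ switch are hypothetical, and the sample listings are constructed (only the key ID and fingerprint come from this page).

```shell
#!/bin/sh
# Fingerprint published on this page, spaces removed.
EXPECTED_FPR="E776092B052ADC91FDD1FD8016D1FEEE4A80EB23"

# Print the primary-key fingerprint from `gpg --with-colons` output on stdin:
# the first "fpr" record after the first "pub" record (field 10).
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Succeed only if the primary-key fingerprint on stdin equals EXPECTED_FPR.
# A subkey fingerprint or a matching key ID alone is not accepted.
fpr_matches() {
    got=$(primary_fpr | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$EXPECTED_FPR" ]
}

# Constructed listing: only the key ID and fingerprint come from this page.
sample_good() {
    cat <<'EOF'
pub:-:4096:1:16D1FEEE4A80EB23:1453000000:1705449600::-:::scESC:
fpr:::::::::E776092B052ADC91FDD1FD8016D1FEEE4A80EB23:
sub:-:4096:1:0000000000000000:1453000000:1705449600:::::e:
fpr:::::::::0000000000000000000000000000000000000000:
EOF
}

# Constructed listing: same 64-bit key ID, different full fingerprint.
sample_mismatch() {
    cat <<'EOF'
pub:-:4096:1:16D1FEEE4A80EB23:1453000000:1705449600::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA16D1FEEE4A80EB23:
EOF
}

# Real use (needs gpg and the imported key): run the script with --check.
if [ "${1:-}" = "--check" ]; then
    if gpg --with-colons --fingerprint "$EXPECTED_FPR" | fpr_matches; then
        echo "fingerprint matches"
    else
        echo "fingerprint MISMATCH" >&2
        exit 1
    fi
fi
```

The second sample shows why the comparison uses the full fingerprint: the key ID is only its last 16 hexadecimal digits, so two different keys can carry the same ID.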

h2. Establishing a chain of trust

In order to establish a chain of trust, you are encouraged to retrieve our release key physically when meeting a trusted [[People|Replicant developer]] and sign it with your own key.

You can list the signatures already made on the release key by running:

<pre>
gpg --list-sigs 16D1FEEE4A80EB23
</pre>

If a key you already trust is among these signatures, a chain of trust is established between your key and the release key. However, this chain of trust is not as strong as the direct one you establish when you personally verify and sign the release key.