ReleaseKey » History » Revision 27

« Previous | Revision 27/29 (diff) | Next »
Denis 'GNUtoo' Carikli, 11/06/2021 03:15 AM
Add Parabola method for the chain of trust

Release keys

Which key for which Replicant version?

From Replicant 6.0 0004 RC1 up to the Current Release

Key ID: FB31DBA3AB8DB76A4157329F7651568F80374459

These images are signed with Denis 'GNUtoo' Carikli's key and has the following fingerprint:

FB31 DBA3 AB8D B76A 4157  329F 7651 568F 8037 4459

Retrieving the FB31DBA3AB8DB76A4157329F7651568F80374459 key

The FB31DBA3AB8DB76A4157329F7651568F80374459 can be downloaded form

It can then be imported with the following command (it needs to be run in the directory where FB31DBA3AB8DB76A4157329F7651568F80374459.key has been downloaded):

gpg --import FB31DBA3AB8DB76A4157329F7651568F80374459.key

Alternatively this key is also available in several key servers and it's also part of several Replicant releases, so the other methods mentioned below in Retrieving the Replicant release key can also work.

Establishing a chain of trust for the FB31DBA3AB8DB76A4157329F7651568F80374459 key

Besides the methods documented below in Establishing a chain of trust, you can also get the key ID from Parabola's hackers repository at .

Up to Replicant 6.0 0003

Key ID: 5816A24C10757FC4

These images are signed with Wolfgang Wiedmeyer's key and has the following fingerprint:

0F30 D1A0 2F73 F70A 6FEE  048E 5816 A24C 1075 7FC4

Replicant 4.2 and below

Key ID: 16D1FEEE4A80EB23

These images are signed with the Replicant release key which expires 2024-01-17 and has the following fingerprint:

E776 092B 052A DC91 FDD1 FD80 16D1 FEEE 4A80 EB23

Retrieving the Replicant release key

In the following, KEY_ID needs to be replaced with the right key ID from above.

From a key server (recommended)

You can retrieve our signing key from a public key server and import it to your GPG keyring using:

gpg --recv-key KEY_ID

It sometimes is the case that certain keyservers have updated GPG keys while other keyservers have expired GPG keys or don't have them at all. In this situation, an alternate keyserver can be specified by adding a keyserver flag to the command:

gpg --keyserver KEYSERVER_ID --recv-key KEY_ID

For example, to get Denis 'GNUtoo' Carikli's up to date public GPG key, you can use a command such as this:

gpg --keyserver --recv-key FB31DBA3AB8DB76A4157329F7651568F80374459

Errors may occur if GPG is not properly configured. Following a guide like this should ensure that the key is retrieved securely.

From our releases

A copy of our signing key is shipped with every Replicant release, distributed with Replicant images.
Once downloaded, the key can be imported to your GPG keyring using:

gpg  --armor --import path/to/KEY.asc

Establishing a chain of trust

In order to establish a chain of trust, you are encouraged to retrieve our release key physically when meeting a trusted Replicant developer and sign it with your own key.

You can see the signatures the release key is already signed with running:

gpg --list-sigs KEY_ID

If a key you already trust is among these signatures, a chain of trust is established between your key and the release key. However, this chain of trust is not as strong as the direct one you establish when you personally verify and sign the release key.

Updated by Denis 'GNUtoo' Carikli almost 2 years ago · 27 revisions locked

Also available in: PDF HTML TXT