Project

General

Profile

ReleaseKey » History » Version 29

Denis 'GNUtoo' Carikli, 04/20/2023 12:05 AM
update gpg key server. Thanks to Fill lupin for the telling me about it.

1 16 dl lud
h1. Release keys
2 1 Paul Kocialkowski
3 24 Denis 'GNUtoo' Carikli
{{toc}}
4
5 14 Wolfgang Wiedmeyer
h2. Which key for which Replicant version?
6
7 23 Kurtis Hanna
h3. From Replicant 6.0 0004 RC1 up to the Current Release
8 19 Denis 'GNUtoo' Carikli
9
Key ID: FB31DBA3AB8DB76A4157329F7651568F80374459
10
11
These images are signed with [[People#Denis-GNUtoo-Carikli|Denis 'GNUtoo' Carikli]]'s key and has the following fingerprint:
12
<pre>
13
FB31 DBA3 AB8D B76A 4157  329F 7651 568F 8037 4459
14
</pre>
15
16 25 Denis 'GNUtoo' Carikli
h4. Retrieving the FB31DBA3AB8DB76A4157329F7651568F80374459 key
17
18 28 Denis 'GNUtoo' Carikli
The FB31DBA3AB8DB76A4157329F7651568F80374459 can be downloaded form "https://ftp2.osuosl.org/pub/replicant/people/GNUtoo/FB31DBA3AB8DB76A4157329F7651568F80374459.key":https://ftp2.osuosl.org/pub/replicant/people/GNUtoo/FB31DBA3AB8DB76A4157329F7651568F80374459.key
19 25 Denis 'GNUtoo' Carikli
20
It can then be imported with the following command (it needs to be run in the directory where FB31DBA3AB8DB76A4157329F7651568F80374459.key has been downloaded):
21
<pre>
22
gpg --import FB31DBA3AB8DB76A4157329F7651568F80374459.key
23
</pre>
24
25 26 Denis 'GNUtoo' Carikli
Alternatively this key is also available in several key servers and it's also part of several Replicant releases, so the other methods mentioned below in   [[ReleaseKey#Retrieving-the-Replicant-release-key|Retrieving the Replicant release key]] can also work.
26 25 Denis 'GNUtoo' Carikli
27 27 Denis 'GNUtoo' Carikli
h4. Establishing a chain of trust for the FB31DBA3AB8DB76A4157329F7651568F80374459 key
28
29
Besides the methods documented below in [[ReleaseKey#Establishing-a-chain-of-trust|Establishing a chain of trust]], you can also get the key ID from Parabola's hackers repository at "https://git.parabola.nu/hackers.git/tree/users/1042.yml":https://git.parabola.nu/hackers.git/tree/users/1042.yml .
30
31 18 Denis 'GNUtoo' Carikli
h3. Up to Replicant 6.0 0003
32 14 Wolfgang Wiedmeyer
33
Key ID: 5816A24C10757FC4
34
35 17 Denis 'GNUtoo' Carikli
These images are signed with [[People#Wolfgang-Wiedmeyer|Wolfgang Wiedmeyer]]'s key and has the following fingerprint:
36 1 Paul Kocialkowski
<pre>
37 14 Wolfgang Wiedmeyer
0F30 D1A0 2F73 F70A 6FEE  048E 5816 A24C 1075 7FC4
38
</pre>
39
40
h3. Replicant 4.2 and below
41
42
Key ID: 16D1FEEE4A80EB23
43
44
These images are signed with the Replicant release key which expires 2024-01-17 and has the following fingerprint:
45
<pre>
46 1 Paul Kocialkowski
E776 092B 052A DC91 FDD1 FD80 16D1 FEEE 4A80 EB23
47
</pre>
48
49 13 Wolfgang Wiedmeyer
h2. Retrieving the Replicant release key
50 1 Paul Kocialkowski
51 14 Wolfgang Wiedmeyer
In the following, @KEY_ID@ needs to be replaced with the right key ID from above.
52
53 5 Paul Kocialkowski
h3. From a key server (recommended)
54 12 Wolfgang Wiedmeyer
55 9 Loic Dachary
You can retrieve our signing key from a public key server and import it to your GPG keyring using:
56 1 Paul Kocialkowski
57 10 Wolfgang Wiedmeyer
<pre>
58 14 Wolfgang Wiedmeyer
gpg --recv-key KEY_ID
59 13 Wolfgang Wiedmeyer
</pre>
60 1 Paul Kocialkowski
61 21 Kurtis Hanna
It sometimes is the case that certain keyservers have updated GPG keys while other keyservers have expired GPG keys or don't have them at all. In this situation, an alternate keyserver can be specified by adding a keyserver flag to the command:
62 20 Kurtis Hanna
63
<pre>
64
gpg --keyserver KEYSERVER_ID --recv-key KEY_ID
65
</pre>
66
67 22 Kurtis Hanna
For example, to get [[People#Denis-GNUtoo-Carikli|Denis 'GNUtoo' Carikli]]'s up to date public GPG key, you can use a command such as this:
68
69
<pre>
70 29 Denis 'GNUtoo' Carikli
gpg --keyserver hkps://keyserver.ubuntu.com --recv-key FB31DBA3AB8DB76A4157329F7651568F80374459
71 22 Kurtis Hanna
</pre>
72
73 1 Paul Kocialkowski
Errors may occur if GPG is not properly configured. Following a guide like "this":https://riseup.net/en/security/message-security/openpgp/best-practices should ensure that the key is retrieved securely.
74
75 8 Paul Kocialkowski
h3. From our releases
76 1 Paul Kocialkowski
77
A copy of our signing key is shipped with every Replicant release, distributed with [[ReplicantImages|Replicant images]].
78
Once downloaded, the key can be imported to your GPG keyring using:
79 6 Paul Kocialkowski
<pre>
80 14 Wolfgang Wiedmeyer
gpg  --armor --import path/to/KEY.asc
81 1 Paul Kocialkowski
</pre>
82
83
h2. Establishing a chain of trust
84
85 11 Wolfgang Wiedmeyer
In order to establish a chain of trust, you are encouraged to retrieve our release key physically when meeting a trusted [[People|Replicant developer]] and sign it with your own key.
86 1 Paul Kocialkowski
87 11 Wolfgang Wiedmeyer
You can see the signatures the release key is already signed with running:
88
89 14 Wolfgang Wiedmeyer
<pre>
90 11 Wolfgang Wiedmeyer
gpg --list-sigs KEY_ID
91
</pre>
92 1 Paul Kocialkowski
93 20 Kurtis Hanna
If a key you already trust is among these signatures, a chain of trust is established between your key and the release key. However, this chain of trust is not as strong as the direct one you establish when you personally verify and sign the release key.