PGP Keys Used In The Project

The PGP/GnuPG key used for signing Git tags and reporting security bugs in an encrypted way is the key 0x2517B724C5F6CA9953296E612FF9CD59612616B5 (or its most recent subkey).

Retrieving the Key on a Debian Installation

This key is included in Debian’s official keyring, i.e. in available in the file /usr/share/keyrings/debian-keyring.gpg of the Debian package debian-keyring (Version 2015.01.26 or higher, i.e. the versions available on Debian 8 “Jessie” and newer). On any Debian installation (Release 9 “Jessie” or newer), you can retrieve that key as follows:

  • apt install debian-keyring (as root)
  • gpg --keyring /usr/share/keyrings/debian-keyring.gpg --export -a 0x2517B724C5F6CA9953296E612FF9CD59612616B5

You also might want to verify the signatures:

  • gpg --keyring /usr/share/keyrings/debian-keyring.gpg --list-sigs 0x2517B724C5F6CA9953296E612FF9CD59612616B5

But having fetched it via apt, it’s indirectly signed by the very same PGP keys which also verify all retrieved packages before installation.

Retrieving the Key from Debian Servers via HTTPS

If you trust the SSL certificates used on Debian’s web servers, you can also download this key directly from debian-keyring‘s official Git repository over HTTPS (hosted on an official Debian-maintained .debian.org server) or download this key from the latest debian-keyring package over HTTPS from sources.debian.net. (Please note that while the .debian.net is operated by the Debian Project, the individual hosts are usually not operated by the Debian Project but by a Debian Member or Contributor.)