Versions Compared

Old Version 3

changes.mady.by.user Ben Pennell

Saved on

compared with

New Version Current

changes.mady.by.user Jared Whiklo

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

2. Publish Your Public Key

To enable people and Sonatype to find your public key, you should must publish it to a well-known keyserver.  This is a simple command with gpg:

Code Block
gpg --send-key [yourKeyID]

...

Due to the deprecation of the majority of SKS keyservers in 2019 we now have the options of:

  • keys.openpgp.org (Hagrid)
  • keyserver.ubuntu.com (hockeypuck)
  • pgp.mit.edu (SKS)


Info

In the efforts to reduce the publication of private information the Hagrid server will not reveal or allow searching with the email address a key is tied to without explicit approval. Because keyservers no longer store and distribute third-party signatures (those adding via signing someone's key) the "Web of trust" is harder to track. Therefore it is not necessary to reveal your email address when publishing your key unless you really want to.


Tip

For the below commands, yourKeyID is the last 8 digits of your public key fingerprint.

...

This will upload your public key to a well-known keyserver, which will then trigger other connected keyservers to get a copy.  Afterward, you can verify the general availability of your public key by searching for your name in one of the keyservers in the SKS network.

3. Publish Your Key Fingerprint

Add your fingerprint to the Fedora Committers page.

4. Sign Others Committers' Keys

For each fingerprint on the Fedora Committers page:

Download the key via:

Code Block
gpg --recv-keys [fingerprint]

Sign it via:

Code Block
gpg -u [yourKeyID] --sign-key [fingerprint]

Fingerprints may be used instead of key IDs. To find your fingerprint use the command

Code Block
gpg -K



Div
styleborder: 1px solid black; padding: 0.4em;

keys.openpgp.org (Hagrid)

Code Block
titleNot revealing your email address
gpg --keyserver keys.openpgp.org --send-key [yourKeyID | Fingerprint]


Code Block
titlePublishing your email address with your key
gpg --export your_address@example.net | curl -T - https://keys.openpgp.org



Code Block
titlekeyserver.ubuntu.com (HockeyPuck)
gpg --keyserver keyserver.ubuntu.com

Upload the signature via:

...

 --send-key [

...

yourKeyID | Fingerprint]

...

5. Ask Other Committers to Sign Your Key

Email the other committers, notifying them that you've signed their key and uploaded the signature, and they should run:


code
 Code Block
titlepgp.mit.edu (SKS)
gpg --refresh-keys

...then ask them to sign your key as indicated above.
After they have had a chance to sign your key and upload the signature, you should also do a --refresh-keys so your local web of trust is up to date.
6. Optional: Sign Your Own Key
keyserver pgp.mit.edu --send-key [yourKeyID | Fingerprint]

This will upload your public key to a well-known keyserver, which will then trigger other connected keyservers to get a copy. 
3. Publish Your Key Fingerprint
Add your fingerprint to the Fedora Committers pageIf you have another key you use for normal communication, you can improve the web of trust by signing your other key with with your code signing key, and vice-versa.