The information on this page, while public, will primarily be of interest to future Debian developers.
Debian makes extensive use of OpenPGP because Debian members are located all over the world
(see the developer locations) and rarely
meet each other in person. This means trust cannot be built up by
personal contact and other means are necessary. All Debian developers
are identified by their OpenPGP
key. These keys make it possible to authenticate messages and
other data by signing them. For more information on OpenPGP keys,
see the README file in the debian-keyring package.
Each Applicant must provide an OpenPGP version 4 public key with encryption capabilities. The preferred way to do this is to export it to one of the public key servers, such as subkeys.pgp.net. Public keys can be exported using:
gpg --send-key --keyserver <server address> <yourkeyid>
If your key has no encryption capability, you can simply add an encryption subkey.
Note: There are known problems with GPG <= 1.0.1 and ElGamal keys.
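One way to check a key against the requirement above before submitting it, as an added example that is not part of the original page: the function reads the output of gpg --with-colons --fingerprint <yourkeyid> and reports whether the primary key is version 4 (a 40-hex-digit fingerprint) and whether the key as a whole is usable for encryption. The function name and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Debian's own tooling). Usage with a real key:
#   gpg --with-colons --fingerprint <yourkeyid> | check_key

check_key() {
    awk -F: '
        # Primary key record: field 12 lists capabilities. Uppercase letters
        # are the usable capabilities of the whole key (primary plus subkeys).
        $1 == "pub" { caps = $12; seen_pub = 1; next }
        # The first fpr record after pub is the primary fingerprint (field 10).
        $1 == "fpr" && seen_pub && fpr == "" { fpr = $10 }
        END {
            if (!seen_pub)         { print "no-key";        exit 2 }
            # v4 fingerprints are SHA-1 (40 hex digits); v3 are MD5 (32).
            if (length(fpr) != 40) { print "not-v4";        exit 1 }
            if (caps !~ /E/)       { print "no-encryption"; exit 1 }
            print "ok"
        }'
}

# Constructed sample listings (key IDs and fingerprints are made up).
# v4 key with an encryption subkey:
SAMPLE_OK='pub:u:4096:1:0123456789ABCDEF:1700000000:::u:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
sub:u:4096:1:FEDCBA9876543210:1700000000::::::e:'

# v4 key that can only sign and certify:
SAMPLE_NOENC='pub:u:4096:1:0123456789ABCDEF:1700000000:::u:::scSC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:'

# Old v3 key (32-hex-digit MD5 fingerprint):
SAMPLE_V3='pub:u:1024:1:0123456789ABCDEF:900000000:::u:::escESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF01234567:'

printf '%s\n' "$SAMPLE_OK" | check_key   # prints "ok"
```

A "no-encryption" result is the case where adding an encryption subkey, as described above, resolves the problem.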
Since anyone can upload a public key to the servers, it must be verified that the key belongs to the Applicant.
To accomplish this, the public key itself must be signed by another Debian member. Therefore the Applicant must meet this Debian member in person and must identify himself (by providing a passport, a driver's license or some other ID).
There are several ways to find a Debian member for a key exchange. You should try them in the order listed below:
debian-devel mailing list, so check there first.
You can look for developers in specific areas through the key signing coordination page:
Once you find someone to sign your key, you should follow the steps in the Keysigning Mini-HOWTO.
It is recommended that you also sign the Debian Developer's key. This is not necessary for your ID check but it strengthens the web of trust.
If all of the steps above fail, please contact the Front Desk and ask for help. They may offer you an alternate way of identification.