UnsignedGpgKey

Differences between revisions 6 and 7
Revision 6 as of 2005-12-30 23:59:57 (size 2819, editor S010600131016cf6f, comment: add cats)
Revision 7 as of 2006-01-09 10:15:07 (size 2867, editor S0106000d88b9f3db, comment: typos killed; rm from Cleanup)

Handling Unsigned GPG Keys

Background

Ubuntu Maintainers (including MOTU (Masters of the [:AddingRepositoriesHowto:Universe])) are required to have a GPG key in order to sign and upload their packages. Before being allowed to upload, your GPG key must be verified by acquiring a signature from at least one other GPG user whom you have met in real life and who has confirmed your identity. This person must be part of a large group of people called the strongly connected set, through which all other Ubuntu developers are also connected. This protects Ubuntu and its users from bad guys who might pose as an Ubuntu developer in order to upload a trojaned or otherwise nasty package.

The Problem

Some people interested in helping with Ubuntu have keys that have not been signed or keys that are not signed by another key in the strongly connected set. If it is hard to trace a series of signatures (i.e., connections) from you back to someone that the Ubuntu community already trusts, your upload access will be delayed.

Solution #1

The absolutely ideal solution is to have your key signed in person by someone else in the global strongly connected set.

[http://biglumber.com/] has a searchable database of GPG users by location. If you can find someone in your area, confirm with a current Ubuntu member that their signature is acceptable for access to Ubuntu resources, and then you can politely ask that person to exchange keys.

Another list:

When you meet to do a keysigning you will need to bring the output of 'gpg --fingerprint youremail@domain.com' printed on paper, as well as a government-issued photo ID (passport or driver's license). The other party compares the full fingerprint on your paper slip against the key they fetch themselves; a short key ID is not sufficient for this comparison.

To get an idea of what goes on at a keysigning, read these guidelines (which describe a full-blown party, probably more complex than what you will do): http://mako.yukidoke.org/keys/keysign.txt
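The check the signer performs at a keysigning, as an added example that is not part of this wiki page or of any Ubuntu tooling: compare the fingerprint read from the paper slip against the fingerprint of the key you fetched yourself, as printed by 'gpg --with-colons --fingerprint'. The colon-separated output embedded below is constructed for illustration (the fingerprints are made up, not a real key), and the function and variable names are this example's own.

```python
"""Compare a paper-slip fingerprint against `gpg --with-colons --fingerprint` output.

Added example; not from the original page or from GnuPG. Assumes you have
captured the colon output yourself for the key you intend to sign.
"""
import re
import sys

# Constructed sample of `gpg --with-colons --fingerprint` output. The key IDs
# and fingerprints are made up; for a v4 key the pub/sub key ID is simply the
# last 16 hex digits of the fingerprint in the following fpr record.
SAMPLE_COLON_OUTPUT = """\
tru::1:1136800000:0:3:1:5
pub:-:1024:17:89ABCDEF01234567:2005-12-30:::-:Example Maintainer <maintainer@example.org>::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:2048:16:0123456789ABCDEF:2005-12-30::::::e:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""

HEX40 = re.compile(r"^[0-9A-F]{40}$")  # v4 OpenPGP fingerprint: 160-bit SHA-1


def parse_fingerprints(colon_output: str) -> list[tuple[str, str]]:
    """Return (owner, fingerprint) pairs, owner being 'pub' or 'sub'.

    In colon output an fpr record follows the pub/sub record it belongs to,
    and carries the fingerprint in field 10 (index 9 after splitting on ':').
    """
    result = []
    owner = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            owner = fields[0]
        elif fields[0] == "fpr" and owner is not None:
            fpr = fields[9].upper()
            if not HEX40.match(fpr):
                raise ValueError(f"unexpected fingerprint format: {fields[9]!r}")
            result.append((owner, fpr))
    return result


def normalize_paper_fingerprint(text: str) -> str:
    """Turn the slip's text ('Key fingerprint = 0123 4567 ...') into 40 hex digits.

    Anything before an '=' is dropped first, because the words 'Key fingerprint'
    themselves contain hex letters and would otherwise corrupt the digits.
    """
    text = text.split("=")[-1]
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).upper()
    if len(digits) != 40:
        raise ValueError(f"paper fingerprint has {len(digits)} hex digits, need 40")
    return digits


def key_ids(fingerprint: str) -> tuple[str, str]:
    """Long (64-bit) and short (32-bit) key IDs of a v4 key: the trailing 16 and 8
    hex digits. A 32-bit short ID can be brute-forced to collide with a target,
    which is why only the full fingerprint is compared at a keysigning."""
    return fingerprint[-16:], fingerprint[-8:]


def fingerprint_matches(paper: str, colon_output: str) -> bool:
    """True only when the primary key's full fingerprint equals the paper one.

    Subkey fingerprints are deliberately ignored: the signature you make goes on
    the primary key and its user IDs, so that is what the slip must prove.
    """
    wanted = normalize_paper_fingerprint(paper)
    return any(owner == "pub" and fpr == wanted
               for owner, fpr in parse_fingerprints(colon_output))


if __name__ == "__main__":
    # Usage: python check_fpr.py "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
    slip = sys.argv[1] if len(sys.argv) > 1 else \
        "Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
    long_id, short_id = key_ids(normalize_paper_fingerprint(slip))
    verdict = "match, safe to sign" if fingerprint_matches(slip, SAMPLE_COLON_OUTPUT) \
        else "MISMATCH, do not sign"
    print(f"{verdict} (long id {long_id}, short id {short_id})")
```

In practice you would feed the script the real output of 'gpg --with-colons --fingerprint <keyid>' for the key you downloaded, and only run 'gpg --sign-key' once the full fingerprint and the photo ID both check out.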

Solution #2

In situations where you absolutely cannot get a key signed by someone else in the strongly connected set, you will need to demonstrate this to members of the Ubuntu Community Council and Technical Board. If you can convince them that it is impossible to get a signed key, you can have your identity verified differently.

To do this, you should print a copy of the Ubuntu Code of Conduct, followed by the output of 'gpg --fingerprint youremail@domain.com'.

Take this printout to your friendly local notary, and ask them to validate your signature on this document. This will require at least one form of government-issued ID (passport or driver's license). You will then need to snail mail this document; the address will be made available to approved maintainers who are confirmed to require this method by members of the Community Council or Technical Board.


CategoryDocumentation

UnsignedGpgKey (last edited 2008-08-06 16:32:37 by localhost)