New Members Corner ] [ Applicants' checklist ] [ Step 1 ] [ Step 2 ] [ Step 3 ] [ Step 4 ] [ Step 5 ] [ Step 6 ] [ Step 7 ]

The information on this page, while public, will primarily be of interest to future Debian developers.

Step 2: Identification

Why OpenPGP?

Debian makes extensive use of OpenPGP because Debian members are located all over the world (see the developer locations) and rarely meet each other in person. This means trust cannot be built up by personal contact and other means are necessary. All Debian developers are identified by their OpenPGP key. These keys make it possible to authenticate messages and other data by signing it. For more information on OpenPGP keys see the README file in the debian-keyring package.

Providing a key

Each Applicant must provide an OpenPGP version 4 public key with encryption capabilities. The preferred way to do this is to export it to one of the public key servers, such as keys.openpgp.org. Public keys can be exported using:

gpg --send-key --keyserver <server address> <yourkeyid>

If your key has no encryption capability, you can simply add an encryption subkey.

See keyring.debian.org for more information on key formats and properties.

Verification

Since anyone can upload a public key to the servers it needs to be verified that the key belongs to the Applicant.

To accomplish this the public key itself must be signed by two other Debian members. Therefore the Applicant must meet this Debian member in person and must identify himself (by providing a passport, a driver's license or some other ID).

How to get your OpenPGP key signed

There are several ways to find a Debian member for a key exchange. You should try them in the order listed below:

  1. Announcements of key signing parties are usually posted on the debian-devel mailing list, so check there first.
  2. You can look for developers in specific areas through the key signing coordination page:

    • First you should check the list of key signing offers for a Debian member near you.
    • If you cannot find a Debian member among the key signing offers, you can register your key signing request.
  3. If no one has reacted to your request for several weeks, send an e-mail to debian-private@lists.debian.org telling them exactly where you live (plus naming some big cities close to you), then they can check in the developer database for developers who are near you.

Once you find someone to sign your key, you should follow the steps in the Keysigning Mini-HOWTO.

It is recommended that you also sign the Debian Developer's key. This is not necessary for your ID check but it strengthens the web of trust.

When you can't get your key signed

If all of the steps above fail, please contact the Front Desk and ask for help. They may offer you an alternate way of identification.


New Members Corner ] [ Applicants' checklist ] [ Step 1 ] [ Step 2 ] [ Step 3 ] [ Step 4 ] [ Step 5 ] [ Step 6 ] [ Step 7 ]