Handling Unsigned GPG Keys


Ubuntu Maintainers (including MOTU (Masters of the Universe)) are required to have a GPG key in order to sign and upload their packages. Before being allowed to upload, your GPG key must be verified by acquiring a signature from at least one other GPG user who have met in real life and have confirmed your identity. This person must be part of large group of people called the strongly connected set through which other Ubuntu developers are also all connected. This protects Ubuntu and its users from bad guys who might pose as an Ubuntu developer to upload a trojaned or otherwise nasty package.

The Problem

Some people interested in helping with Ubuntu have keys that have not been signed or keys that are not signed by another key in the strongly connected set. If it is hard to trace a series of signatures (i.e., connections) from you back to someone that the Ubuntu community already trusts, your upload access will be delayed.

Solution #1

The absolutely ideal solution is to have your key signed in person by someone else in the global strongly connected set.

http://biglumber.com/ has a searchable database of GPG users by location. If you can find someone in your area, confirm with a current Ubuntu member that their signature is acceptable for access to Ubuntu resources, and then you can politely ask that person to exchange keys.

Another list:

When you meet to do a keysigning you will need to bring the output of 'gpg --fingerprint youremail@domain.com' printed on paper, as well as a government issue photo ID (passport or drivers license).

To get an idea of what goes on at a keysigning, read these guidelines (which describe a full-blown party which is probably more complex than what you will do): http://mako.yukidoke.org/keys/keysign.txt

Solution #2

In situations where you absolutely cannot get a key signed by someone else in the strongly connected set, you will need to demonstrate this to members of the Ubuntu Community Council and Technical Board. If you can convince them that it is impossible to get a signed key, you can have your identity verified differently.

To do this, you should print a copy of the Ubuntu Code of Conduct, followed by the output of 'gpg --fingerprint youremail@domain.com'.

Take this printout to your friendly local notary, and ask them to validate your signature on this document. This will require at least one form of government issued ID (passport or drivers license). You will then need to snail mail this document - the address will be made available to approved maintainers who are confirmed to require this method by members of the Community Council or Technical Board.

UnsignedGpgKey (last edited 2015-01-08 04:10:09 by octoquad)