= Handling Unsigned GPG Keys =

== Background ==

Ubuntu Maintainers (including MOTU (Masters of the [[AddingRepositoriesHowto|Universe]])) are required to have a GPG key in
order to sign and upload their packages. Before being allowed to
upload, your GPG key must be verified by acquiring a signature from at
least one other GPG user who has met you in real life and has confirmed
your identity. This person must be part of a large group of people
called the strongly connected set, through which all other Ubuntu
developers are also connected.  This protects Ubuntu and its users
from bad guys who might pose as an Ubuntu developer to upload a
trojaned or otherwise nasty package.

== The Problem ==

Some people interested in helping with Ubuntu have keys that have not
been signed or keys that are not signed by another key in the strongly
connected set. If it is hard to trace a series of signatures (i.e., connections)
from you back to someone that the Ubuntu community already trusts,
your upload access will be delayed.
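
To see which other keys have actually certified yours, the following added example (not part of the original page) filters `gpg --with-colons --check-sigs` output down to third-party signatures that verified as good. The function names are hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical
# and all key IDs, names and dates in the sample are constructed.

# Read `gpg --with-colons --check-sigs` output for ONE key on stdin and print
# "keyid<TAB>user id" for each other key whose certification verified as good.
verified_signers() {
    awk -F: '
        $1 == "pub" { own = $5 }                 # field 5: long ID of the listed key
        # Field 2 starts with "!" only when --check-sigs verified the signature;
        # "?" means the signer key is not in the local keyring, "-" means bad.
        $1 == "sig" && $5 != own && substr($2, 1, 1) == "!" {
            if (!($5 in name)) order[++n] = $5
            name[$5] = $10                       # field 10: signer user ID
        }
        # Conservative: a verified revocation by a signer drops that signer.
        $1 == "rev" && $5 != own && substr($2, 1, 1) == "!" { revoked[$5] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in revoked)) print order[i] "\t" name[order[i]]
        }
    '
}

# Constructed listing: self-signatures, one good signer, one signer whose key
# is missing locally ("?"), and one signer who later revoked the certification.
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:1111111111111111:1300000000:::u:::scESC:
uid:u::::1300000000::HASH::Example Dev <youremail@domain.com>:
sig:!::1:1111111111111111:1300000000::::Example Dev <youremail@domain.com>:13x:
sig:!::1:2222222222222222:1310000000::::Signer One <one@example.org>:10x:
sig:?::1:3333333333333333:1310000000::::[User ID not found]:10x:
sig:!::1:4444444444444444:1320000000::::Signer Two <two@example.org>:13x:
rev:!::1:4444444444444444:1330000000::::Signer Two <two@example.org>:30x:
sub:u:4096:1:5555555555555555:1300000000::::::e:
sig:!::1:1111111111111111:1300000000::::Example Dev <youremail@domain.com>:18x:
EOF
}

# Real use: gpg --with-colons --check-sigs youremail@domain.com | verified_signers
sample_listing | verified_signers
```

An empty result means the key carries only self-signatures, or signatures from keys you have not imported. A non-empty result still does not show that any signer is in the strongly connected set; that has to be confirmed separately.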

== Solution #1 ==

The absolutely ideal solution is to have your key signed in person by someone
else in the global strongly connected set.

[[http://biglumber.com/]] has a searchable database of GPG users by
location.  If you can find someone in your area, confirm with a
current Ubuntu member that their signature is acceptable for access to
Ubuntu resources, and then you can politely ask that person to exchange
keys.

Another list:
 * http://nm.debian.org/gpg_offer.php

When you meet to do a keysigning you will need to bring the output of
'gpg --fingerprint youremail@domain.com' printed on paper, as well as
a government-issued photo ID (passport or driver's license).

To get an idea of what goes on at a keysigning, read these guidelines (which
describe a full-blown party, which is probably more complex than what
you will do): http://mako.yukidoke.org/keys/keysign.txt

== Solution #2 ==

In situations where you absolutely cannot get a key signed by someone
else in the strongly connected set, you will need to demonstrate this
to members of the Ubuntu Community Council and Technical Board. If you
can convince them that it is impossible to get a signed key, you can
have your identity verified differently.

To do this, you should print a copy of the Ubuntu Code of Conduct,
followed by the output of 'gpg --fingerprint youremail@domain.com'.

Take this printout to your friendly local notary, and ask them to
validate your signature on this document.  This will require at least
one form of government-issued ID (passport or driver's license).  You
will then need to snail mail this document - the address will be
made available to approved maintainers who are confirmed, by members
of the Community Council or Technical Board, to require this method.
----