Re: Separate GPG subkey for package signing

To: Christian Kastner <ckk@debian.org>
Cc: debian-mentors@lists.debian.org
Subject: Re: Separate GPG subkey for package signing
From: Dániel Fancsali <fancsali@gmail.com>
Date: Mon, 27 Jun 2022 10:40:17 +0000
Message-id: <[🔎] CAD6oR3E9MyRP3WjLYD2FPgdWqmwHoQr=1VSYxTU1j+T8sLoovg@mail.gmail.com>
In-reply-to: <[🔎] 0bb01b69-76bb-a789-a45a-21a699d24dad@debian.org>
References: <[🔎] CAD6oR3HUL=GyFA8bBZG-Kt1Usxrs9vVdCjpCMf-DgwMS1MKRQg@mail.gmail.com> <[🔎] 0bb01b69-76bb-a789-a45a-21a699d24dad@debian.org>

Good morning,

Thanks for you replies, gents.

Makes sense.

One last thing, I am not sure of: do I upload my master key's public part or the signing key's one to my mentors account?

Regards,

Daniel

On Fri, 24 Jun 2022 at 20:42, Christian Kastner <ckk@debian.org> wrote:

On 2022-06-24 18:40, Dániel Fancsali wrote:
> I thought, I'll create a separate subkey for signing the package (and
> keep my master key off-line, and the others keys separate from this
> debian-signing-subkey). Would that be considered good practice? Or is
> there something I can't see here?

This is done quite commonly, actually. [1] and [2] have more info.

Best,
Christian

[1] https://wiki.debian.org/GnuPG/AirgappedMasterKey

[2] https://wiki.debian.org/Subkeys

Reply to:

Follow-Ups:
- Re: Separate GPG subkey for package signing
  - From: Santiago Ruano Rincón <santiagorr@riseup.net>
- Re: Separate GPG subkey for package signing
  - From: Bo YU <tsu.yubo@gmail.com>

References:
- Separate GPG subkey for package signing
  - From: Dániel Fancsali <fancsali@gmail.com>
- Re: Separate GPG subkey for package signing
  - From: Christian Kastner <ckk@debian.org>

Prev by Date: Bug#1013908: RFS: dvbcut/0.7.4-1 [RC] -- Qt application for cutting parts out of DVB streams
Next by Date: Re: Separate GPG subkey for package signing
Previous by thread: Re: Separate GPG subkey for package signing
Next by thread: Re: Separate GPG subkey for package signing
Index(es):
- Date
- Thread