
Re: Separate GPG subkey for package signing



Hi,

On 27/06/22 at 10:40, Dániel Fancsali wrote:
> Good morning,
> 
> Thanks for your replies, gents.
> 
> Makes sense.
> 
> One last thing I am not sure of: do I upload my master key's public part
> or the signing key's one to my mentors account?

From https://mentors.debian.net/intro-maintainers/:

"How to upload packages to mentors.debian.net

You need to use dput to upload packages. We accept your uploads through
HTTPS or FTP. All packages must be signed (using debsign) with the GnuPG
key you configured in your control panel."

Cheers,

 -- S

> 
> Regards,
> Daniel
> 
> On Fri, 24 Jun 2022 at 20:42, Christian Kastner <ckk@debian.org> wrote:
> 
> > On 2022-06-24 18:40, Dániel Fancsali wrote:
> > > I thought I'll create a separate subkey for signing the package (and
> > > keep my master key off-line, and the other keys separate from this
> > > debian-signing-subkey). Would that be considered good practice? Or is
> > > there something I can't see here?
> >
> > This is done quite commonly, actually. [1] and [2] have more info.
> >
> > Best,
> > Christian
> >
> > [1] https://wiki.debian.org/GnuPG/AirgappedMasterKey
> >
> > [2] https://wiki.debian.org/Subkeys
> >
> >
