Project:Infrastructure/OpenPGP keys

Gentoo is using OpenPGP to improve the security of services provided to our users. This document lists the policies regarding maintaining and distributing those keys to users.

Verifying service keys
All keys currently used by Gentoo Infrastructure are listed on the Gentoo website, on the Release media signatures subpage. The currently recommended verification method is to compare the fingerprint of the key you obtained against the one published on the website.

Key types
The keys in use fall into two types, which determines the storage policies that apply to them:
 * Signing keys are the keys used to sign data (files, commits). The actual signatures are made using a dedicated subkey, and only this subkey needs to be accessible to the automated services. Therefore, the signing subkey is subject to non-secure storage policy (as outlined below), while the relevant primary key is subject to secure storage policy.
 * Certification keys are the keys used to sign other keys. To improve security, these keys are split into two layers: only L2 keys are used in automated services, while L1 keys are used only manually to sign L2 keys. Accordingly, L2 keys are subject to non-secure storage policy, while L1 keys are subject to secure storage policy.
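The fingerprint comparison recommended under "Verifying service keys", together with the primary-key/signing-subkey split described above, can be automated against the machine-readable output of gpg. The following is an added example, not Gentoo's own tooling: it parses `gpg --with-colons --fingerprint` output (the `pub`/`sub`/`fpr`/`uid` record layout is GnuPG's documented colon format), normalizes a fingerprint copied from a web page, refuses anything shorter than a full fingerprint, and reports which subkey carries the signing capability. The sample colon output, key IDs, fingerprints and user ID embedded below are constructed and belong to no real key.

```python
"""Verify an OpenPGP key against a published fingerprint using gpg colon output.

Added example; not Gentoo's own tooling. Assumes the caller has already run
`gpg --with-colons --fingerprint <KEYID>` (or `--import-options show-only`)
and captured its stdout. Everything in SAMPLE_OUTPUT is constructed.
"""
import hmac
import re
from dataclasses import dataclass, field

# Full fingerprints only: 40 hex digits (v4 keys) or 64 hex digits (v5 keys).
# A 16-digit long key ID or 8-digit short key ID must never be accepted here.
FULL_FPR_RE = re.compile(r"^(?:[0-9A-F]{40}|[0-9A-F]{64})$")

# Constructed sample of `gpg --with-colons --fingerprint` output (not a real key).
SAMPLE_OUTPUT = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example Release Key (constructed) <release@example.invalid>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1600000000::::::s::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""


@dataclass
class KeyInfo:
    kind: str                      # "primary" (pub record) or "subkey" (sub record)
    capabilities: str              # field 12 of pub/sub, e.g. "scESC" or "s"
    fingerprint: str = ""          # field 10 of the following fpr record
    uids: list = field(default_factory=list)


def normalize_fingerprint(text: str) -> str:
    """Turn a fingerprint as copied from a web page ("0123 4567 ...", "0x...")
    into the bare uppercase hex form that gpg emits in fpr records."""
    bare = "".join(text.split()).upper()
    if bare.startswith("0X"):
        bare = bare[2:]
    return bare


def parse_colons(output: str) -> list:
    """Parse pub/sub/fpr/uid records into KeyInfo objects, in gpg's order."""
    keys = []
    primary = None
    for line in output.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec in ("pub", "sub"):
            caps = fields[11] if len(fields) > 11 else ""
            info = KeyInfo("primary" if rec == "pub" else "subkey", caps)
            keys.append(info)
            if rec == "pub":
                primary = info
        elif rec == "fpr" and keys and not keys[-1].fingerprint:
            # The fpr record always follows the pub/sub it belongs to.
            keys[-1].fingerprint = fields[9]
        elif rec == "uid" and primary is not None and len(fields) > 9:
            primary.uids.append(fields[9])
    return keys


def verify_primary_fingerprint(output: str, expected: str):
    """Return the primary KeyInfo whose fingerprint equals `expected`, or None.

    Raises ValueError when `expected` is not a full fingerprint, so a caller
    that pasted a short key ID cannot get a false "verified" result.
    """
    want = normalize_fingerprint(expected)
    if not FULL_FPR_RE.match(want):
        raise ValueError("expected value is not a full OpenPGP fingerprint")
    for key in parse_colons(output):
        # compare_digest avoids leaking how many leading digits matched.
        if key.kind == "primary" and hmac.compare_digest(key.fingerprint, want):
            return key
    return None


def signing_subkeys(output: str) -> list:
    """Fingerprints of subkeys with the 's' (sign) capability; these are the
    keys that automated signing services actually hold, per the policy above."""
    return [k.fingerprint for k in parse_colons(output)
            if k.kind == "subkey" and "s" in k.capabilities]


if __name__ == "__main__":
    published = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"  # constructed
    key = verify_primary_fingerprint(SAMPLE_OUTPUT, published)
    print("primary matches published fingerprint:", key is not None)
    print("signing subkeys:", signing_subkeys(SAMPLE_OUTPUT))
```

In practice the `output` argument comes from `subprocess.run(["gpg", "--with-colons", "--fingerprint", KEYID], capture_output=True, text=True).stdout`; the `expected` value is whatever is published on the website, copied with its spacing intact, since the normalizer handles that.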