Project:Infrastructure/Authority Keys

OpenPGP Authority Keys provide a secure and convenient method of validating the OpenPGP keys used by Gentoo developers. The service automatically signs the @gentoo.org identities (UIDs) on developer keys, providing full compatibility with the Web of Trust model. Note that the signature only confirms that the key was listed by the owner of the respective @gentoo.org e-mail address; in particular, real names are not verified.

Recommended usage
First, fetch the relevant Authority Keys:

Verify the authenticity of the L1 key. Preferably do this via the OpenPGP Web of Trust. If your WoT does not cover the key, compare its fingerprint against the one published on the www.gentoo.org signatures page.

Once you have verified the L1 key, issue a local trust signature with depth=2, domain=gentoo.org:

From now on, all @gentoo.org UIDs signed with L2 keys will be considered fully valid.

If you haven't refreshed keys recently, refresh them now to get new signatures:
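The recommended procedure above, as an added example that is not part of the wiki page: it fetches the L1 key, refuses to sign unless the fingerprint in the keyring matches the one you copied from the www.gentoo.org signatures page, then issues the local trust signature and refreshes keys. The keyserver address, the placeholder fingerprint and the order of the ltsign prompts fed through --command-fd are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not the wiki's own commands). Assumptions: keyserver
# hkps://keys.gentoo.org; L1_EXPECTED_FPR replaced with the real fingerprint.
KEYSERVER="${KEYSERVER:-hkps://keys.gentoo.org}"
L1_EXPECTED_FPR="${L1_EXPECTED_FPR:-REPLACE_WITH_L1_FINGERPRINT_FROM_WWW_GENTOO_ORG}"

# Constructed sample of `gpg --with-colons --fingerprint` output (not a real key).
SAMPLE_COLONS='pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
sub:u:4096:1:FEDCBA9876543210:1500000000::::::s::::::23:
fpr:::::::::1111111111111111111111111111111111111111:'

# Normalize a fingerprint for comparison: drop whitespace and a 0x prefix, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Read the primary-key fingerprint from --with-colons output on stdin.
# Subkeys get fpr records too; the first fpr after "pub" belongs to the primary key.
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next } want && $1 == "fpr" { print $10; exit }'
}

# Exit status 0 when both strings denote the same fingerprint, 1 otherwise.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Primary fingerprint of a key as stored in the local keyring.
keyring_fpr() {
    gpg --with-colons --fingerprint --list-keys "$1" 2>/dev/null | primary_fpr_from_colons
}

# Local trust signature: trust level 2 (full), depth 2, domain gentoo.org.
# Answers are fed via --command-fd in the assumed prompt order of GnuPG's ltsign
# dialogue (trust level, depth, domain, "Really sign?"); for a key with several
# UIDs or a different GnuPG version, run `gpg --edit-key` interactively instead.
ltsign_l1() {
    printf 'ltsign\n2\n2\ngentoo.org\ny\nsave\n' |
        gpg --command-fd 0 --status-fd 2 --edit-key "$1"
}

# Whole procedure: fetch, verify, trust-sign, refresh. Signs nothing on mismatch.
trust_authority_key() {
    gpg --keyserver "$KEYSERVER" --recv-keys "$L1_EXPECTED_FPR" || return 1
    actual=$(keyring_fpr "$L1_EXPECTED_FPR")
    if ! fpr_matches "$actual" "$L1_EXPECTED_FPR"; then
        echo "fingerprint mismatch: keyring has '$actual'" >&2
        return 1
    fi
    ltsign_l1 "$actual" && gpg --refresh-keys
}
```

Sourcing the file only defines the functions; `trust_authority_key` is the entry point and talks to the keyserver, while the fingerprint helpers can be exercised offline against `SAMPLE_COLONS`.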

Other usage options
You can choose between using:
 * a trust signature on L1 key, and
 * regular signatures on L2 keys.

A trust signature (as suggested above) issued on the L1 key works recursively. That is, if you issue a trust signature with depth=2, domain=gentoo.org on the L1 key, your client will honour the depth=1, domain=gentoo.org trust signatures that the L1 key has issued on the L2 keys, and accordingly it will also honour the regular signatures those L2 keys have made on gentoo.org UIDs. In practice, this means that after verifying the L1 key once, the whole system keeps working even if we rotate the L2 keys.

A regular signature combined with an appropriate owner-trust value (or a trust signature with depth=1) covers only the direct signatures made by that particular key. This means that for the system to work you need to sign the L2 keys directly. If we need to rotate the L2 keys, the developer keys will no longer validate, and you will have to verify the new L2 keys and sign them.

Furthermore, you can choose between using exportable and local (non-exportable) signatures.

Exportable signatures are uploaded along with the key to the keyservers (provided that you use --send-keys). They take part in building the WoT: anyone who trusts you to verify keys may use your signature to verify the authenticity of the Authority Keys. Uploading exportable signatures therefore helps others verify the Authority Keys without having to fall back on directly trusting TLS certificates.

Local signatures are only stored on your computer. Therefore, they affect the validity in your OpenPGP client but nowhere else. Use this if you don't feel like certifying the authenticity of our keys to others.

The following table summarizes commands used to establish different kinds of signatures: