{% extends "base.html" %} {% load static from staticfiles %} {% load pgp %} {% block title %}{{ BRANDING_DISTRONAME }} - Master Signing Keys{% endblock %} {% block content %}

Master Signing Keys

This page lists the {{ BRANDING_DISTORNAME }} Master Keys. This is a distributed set of keys that are seen as "official" signing keys of the distribution. Each key is held by a different developer, and a revocation certificate for the key is held by a different developer. Thus, no one developer has absolute hold on any sort of absolute, root trust.

The {{ keys|length }} key{{ keys|pluralize }} listed below should be regarded as the current set of master keys. They are available on public keyservers and should be signed by the owner of the key.

{% for key in keys %} {% with key.owner.userprofile as owner_profile %} {% endwith %} {% with key.revoker.userprofile as revoker_profile %} {% endwith %} {% endfor %}
Master Key Full Fingerprint Owner Owner's Signing Key Revoker Revoker's Signing Key Developer/TU Keys Signed
{% pgp_key_link key.pgp_key %} {{ key.pgp_key|pgp_fingerprint }}{{ key.owner.get_full_name }} {% pgp_key_link owner_profile.pgp_key %}{{ key.revoker.get_full_name }} {% pgp_key_link revoker_profile.pgp_key %}{{ key.signature_count }}

Master Key Signatures

The following table shows all active developers and trusted users along with the status of their personal signing key. A 'Yes' indicates that the personal key of the developer is signed by the given master key. A 'No' indicates it has not been signed; however, this does not necessarily mean the key should not be trusted.

All official {{ BRANDING_DISTRONAME }} developers and trusted users should have their key signed by at least three master keys if they are responsible for packaging software in the repositories. This is in accordance with the PGP web of trust concept. If a user is willing to marginally trust all of the master keys, three signatures from different master keys will consider a given developer's key as valid. For more information on trust, please consult the GNU Privacy Handbook and Using trust to validate keys.

{% for key in keys %} {% endfor %} {% for user in active_users %} {% spaceless %}{% for key in keys %} {% signature_exists signatures key.pgp_key user.userprofile.pgp_key as signed %} {% endfor %}{% endspaceless %} {% endfor %}
Developer PGP Key{{ key.owner.get_full_name }}
{% pgp_key_link key.pgp_key %}
{{ user.get_full_name }} {% pgp_key_link user.userprofile.pgp_key %}{{ signed|yesno|capfirst }}

Visualization of PGP Master and Developer Keys

Developer Cross-Signatures

This table lists signatures directly between developer keys.

{% for sig in cross_signatures %} {% endfor %}
Signer Signee Created Expires
{% user_pgp_key_link sig.signer %} {% user_pgp_key_link sig.signee %} {{ sig.created }} {{ sig.expires|default:"" }}
{% load cdn %}{% jquery %}{% jquery_tablesorter %} {% endblock %}