Keys

From JookWiki

This page lists my long-term security keys used for signing things.

Quick note: This page is protected from random edits to avoid key forgery. If you have an edit suggestion, put it on the discussion page.

Signing keys

This is my main SSH key used for signing Git commits and patches, created some time late in 2021. It uses multi-factor authentication requiring:

  • An SSH secret key
  • A hardware security key
  • A password
  • A physical button press

Here's the line to put in your allowed_signers file:

jookia sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAID7OzA3dl0YNrkRPXGldZTzz3rtFcyBvXz661ZmMgIS3AAAABHNzaDo= jookia@titan

The key fingerprint is SHA256:/gEvgms/9HpbgpcH+K7O4GYXmqkP7siJx9zHeEWRZTg
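To cross-check the allowed_signers line against the fingerprint above without trusting either one alone, the key blob can be decoded and hashed locally. This is an added example, not code from this page's author; the function names are hypothetical, and it handles only the sk-ssh-ed25519@openssh.com key type with no options field.

```python
import base64
import hashlib
import struct

# Line and fingerprint copied from this page.
LINE = ("jookia sk-ssh-ed25519@openssh.com "
        "AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAID7OzA3dl0YNrkRPXGldZTzz"
        "3rtFcyBvXz661ZmMgIS3AAAABHNzaDo= jookia@titan")
PUBLISHED = "SHA256:/gEvgms/9HpbgpcH+K7O4GYXmqkP7siJx9zHeEWRZTg"


def read_string(blob, offset):
    """Read one SSH wire string: 4-byte big-endian length, then the data."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end


def parse_signer(line):
    """Parse 'principals keytype base64 [comment]' (options not handled)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected principals, key type and key")
    blob = base64.b64decode(fields[2], validate=True)
    # sk-ssh-ed25519 blob layout: key type, 32-byte public key, application.
    inner_type, off = read_string(blob, 0)
    public_key, off = read_string(blob, off)
    application, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after key blob")
    if inner_type.decode() != fields[1] or len(public_key) != 32:
        raise ValueError("blob does not match the declared key type")
    # OpenSSH fingerprint: SHA-256 of the raw blob, base64 without padding.
    digest = hashlib.sha256(blob).digest()
    return {
        "principals": fields[0].split(","),
        "key_type": fields[1],
        "application": application.decode(),
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
    }


if __name__ == "__main__":
    info = parse_signer(LINE)
    print(info, "matches published:", info["fingerprint"] == PUBLISHED)
```

Only add the line to allowed_signers if the computed fingerprint equals the published one.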

Old keys

An SSH key used briefly, from 2024-03-26 to 2024-05-20, for sending patches to mailing lists:

sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKRrgN7oaNvM1cZueeA1Sx8peIKuf5wR4JVOViFjfP82AAAABHNzaDo= jookia@titan

Various GPG keys, not used much because safely storing and rotating them and their subkeys was a nightmare. I have revoked them as a cautionary measure:

pub   rsa3072/BFE88BA2235C8BDF 2019-06-01 [SC] [revoked: 2024-05-20]
     1439014EF601F45269400315BFE88BA2235C8BDF

pub   rsa2048/D9A4132170E117D0 2016-01-05 [SC] [revoked: 2020-04-25]
     0BAFA07D1710E8781EAD1327D9A4132170E117D0

pub   rsa4096/42B85A46F3BC5DDB 2015-10-01 [SC] [revoked: 2020-04-25]
     CC7FD6B37208C3469499C6AE42B85A46F3BC5DDB

pub   rsa4096/AE03A518960428B1 2013-06-19 [SC] [revoked: 2020-04-25]
     53F83E6BCDDB35A78EDA74F3AE03A518960428B1

Novena keys

Both of these keys are inactive and unused, with the first being deliberately not revoked so my Novena repo doesn't expire.

pub   rsa3072/DDC2AFA22D5777A9 2020-04-25 [SC]
     72365C0E95BD25A7EE20C812DDC2AFA22D5777A9

pub   rsa3072/5F3798F0969CC8CD 2019-09-29 [SC] [revoked: 2020-04-25]
     135D336E568D6BB380601A795F3798F0969CC8CD

Others' keys

Just as a reference, here's a list of keys I use to verify other people's software. I've included notes on how I verified these keys.

Linux

pub   rsa2048/79BE3E4300411886 2011-09-20 [SC]
      ABAF11C65A2970B130ABE3C479BE3E4300411886
uid                 [marginal] Linus Torvalds <torvalds@kernel.org>

my verification: 
  pgp wkd kernel.org
  https://kernel.org/category/signatures.html
  git verify-tag v6.8 # linux repo, ref 90d1f30371ae3337beb01666b226320728d35c70

pub   rsa4096/38DBBDC86092693E 2011-09-23 [SC]
      647F28654894E3BD457199BE38DBBDC86092693E
uid                 [marginal] Greg Kroah-Hartman <gregkh@linuxfoundation.org>
uid                 [marginal] Greg Kroah-Hartman <gregkh@kernel.org>
uid                 [marginal] Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>

my verification:
  pgp wkd kernel.org
  https://kernel.org/category/signatures.html
  git verify-tag v6.6.1 # linux-stable repo, ref f2bdeab9b05b9aa6739fafee7f764197b9048d82

pub   rsa4096/DEA66FF797772CDC 2012-02-09 [SC]
      E27E5D8A3403A2EF66873BBCDEA66FF797772CDC
uid                 [marginal] Sasha Levin <sashal@kernel.org>
uid                 [marginal] Sasha Levin <alexander.levin@microsoft.com>
uid                 [marginal] Sasha Levin <alexander.levin@verizon.com>
uid                 [marginal] Sasha Levin <sasha.levin@oracle.com>

my verification:
  pgp wkd kernel.org
  https://kernel.org/category/signatures.html
  git verify-tag v4.1.40 # linux-stable repo, ref f11e4c1ee20a76942709bc604f64ae3566a67218

pub   rsa4096/E7BFC8EC95861109 2009-07-12 [SC]
      AC2B29BD34A6AFDDB3F68F35E7BFC8EC95861109
uid                 [marginal] Ben Hutchings <bwh@kernel.org>
uid                 [marginal] Ben Hutchings (DOB: 1977-01-11)
uid                 [marginal] Ben Hutchings <benh@debian.org>
uid                 [marginal] Ben Hutchings <ben@decadent.org.uk>

my verification:
  pgp wkd kernel.org
  https://kernel.org/category/signatures.html
  https://contributors.debian.org/contributor/benh/
  git verify-tag v3.16.85 # linux-stable repo, ref db6650f7eabceced99d63122c7f372c9783fd097

pub   rsa4096/C3F436CA30F5D8EB 2011-10-21 [SC]
      3F2568AAC26998F9E813A1C5C3F436CA30F5D8EB
uid                 [marginal] Mark Brown <broonie@kernel.org>

my verification:
  pgp wkd kernel.org
  https://contributors.debian.org/contributor/broonie/
  https://lore.kernel.org/linux-kernel/9055efa5-8da6-47b2-b2db-d1f8e02d2267@sirena.org.uk/ (received by email)
  git show a00cf1988a1359452cb4fe64d75e7a1da12dba4a --show-signature # linux repo

systemd

pub   rsa4096/A81CEA22BC8C7E2E 2015-01-29 [SC]
      A9EA9081724FFAE0484C35A1A81CEA22BC8C7E2E
uid                 [marginal] Luca Boccassi <luca.boccassi@gmail.com>
uid                 [marginal] Luca Boccassi <luca.boccassi@microsoft.com>
uid                 [marginal] Luca Boccassi <bluca@debian.org>

my verification:
  git verify-tag v251 # systemd repo, ref e93cff8c9c8ceaee8d19cf2599b84a7683ce4ecd
  https://nm.debian.org/person/bluca/
  https://github.com/bluca.gpg
  https://gitlab.archlinux.org/archlinux/packaging/packages/systemd/-/blob/dc6c099e0785753c1c88b4adcbcbfc209a8d12e3/keys/pgp/A9EA9081724FFAE0484C35A1A81CEA22BC8C7E2E.asc

pub   rsa4096/C54CA336CFEB557E 2012-09-05 [SC]
      5C251B5FC54EB2F80F407AAAC54CA336CFEB557E
uid                 [marginal] Zbigniew Jędrzejewski-Szmek  <zbyszek@in.waw.pl>

my verification:
  https://fedoraproject.org/wiki/User:Zbyszek
  git verify-tag v250 # systemd repo, ref 9c8279cdd5d0bc256b8cc0ced2312e27e069a214
  https://gitlab.archlinux.org/archlinux/packaging/packages/systemd/-/blob/dc6c099e0785753c1c88b4adcbcbfc209a8d12e3/keys/pgp/5C251B5FC54EB2F80F407AAAC54CA336CFEB557E.asc

pub   dsa1024/327F26951A015CC4 2000-03-06 [SC]
     63CDA1E5D3FC22B998D20DD6327F26951A015CC4
uid                 [marginal] Lennart Poettering <lennart@poettering.net>
uid                 [marginal] Lennart Poettering (Red Hat) <lpoetter@redhat.com>
uid                 [marginal] Lennart Poettering <lennart@poettering.de>
uid                 [marginal] Lennart Poettering (Sourceforge.net) <poettering@users.sourceforge.net>

my verification:
  https://gitlab.archlinux.org/archlinux/packaging/packages/systemd/-/blob/dc6c099e0785753c1c88b4adcbcbfc209a8d12e3/keys/pgp/63CDA1E5D3FC22B998D20DD6327F26951A015CC4.asc
  git verify-tag v248 # systemd repo, ref e13126bd95857eb9344e030edbb4c603aab63884

u-boot

pub   rsa3072/147C39FF9634B72C 2020-02-12 [SC] [expires: 2025-02-01]
      1A3C7F70E08FAB1707809BBF147C39FF9634B72C
uid                 [marginal] Thomas Rini <trini@konsulko.com>

my verification:
  git verify-tag v2024.04.0 # u-boot repo, ref f8e7ca12a03d257f8ddae17b24c250daf7d3cec8
  https://lists.denx.de/pipermail/u-boot/2020-February/400012.html
  https://github.com/usbarmory/usbarmory-debian-base_image/blob/67babf665ccdc230e5599e08253e333f685e553f/README.md
  https://github.com/msys2/MSYS2-packages/blob/53f1997cb328fdcfaf6c6915ee493f94257a64f7/u-boot-tools/PKGBUILD

Barebox

pub   rsa4096/E2DCDD9132669BD6 2010-06-15 [SC] [expires: 2024-06-21]
      0D2511F322BFAB1C1580266BE2DCDD9132669BD6
uid                 [marginal] Uwe Kleine-König <uwe@kleine-koenig.org>
uid                 [marginal] Uwe Kleine-König <uwe@kleine-könig.de>
uid                 [marginal] Uwe Kleine-König <ukleinek@strlen.de>
uid                 [marginal] Uwe Kleine-König <ukleinek@kernel.org>
uid                 [marginal] Uwe Kleine-König <ukleinek@lug-freiburg.de>
uid                 [marginal] Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
uid                 [marginal] Uwe Kleine-König <ukleinek@debian.org>

my verification:
 pgp wkd kleine-koenig.org
 https://lists.debian.org/debian-newmaint/2013/06/msg00010.html
 https://lore.barebox.org/barebox/20230523075524.mzsvdr6htpwolwgm@pengutronix.de/ (received by email)

pub   rsa4096/F16598E34CC7E7B3 2010-07-01 [SC]
      923730265143553616C34D10F16598E34CC7E7B3
uid                 [marginal] Sascha Hauer <s.hauer@pengutronix.de>

my verification:
  pgp wkd pengutronix.de
  git verify-tag v2024.04.0 # barebox repo, ref 9ca75a37c4a6d2b23af51dfc89de9da75910c558
  pgp signature from Uwe Kleine-König: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xe2dcdd9132669bd6

GitHub

pub   rsa4096/B5690EEEBB952194 2024-01-16 [SC]
      968479A1AFF927E37D1A566BB5690EEEBB952194
uid                 [marginal] GitHub <noreply@github.com>

my verification:
  https://github.com/web-flow.gpg
  git log 983028cdc433699a592bf6a0f5c00a0ebc787a61 --show-signature # systemd repo

pub   rsa2048/4AEE18F83AFDEB23 2017-08-16 [SC] [expired: 2024-01-16]
      5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23
uid                 [ expired] GitHub (web-flow commit signing) <noreply@github.com>

my verification:
  https://github.com/web-flow.gpg

F-Droid

pub   rsa4096/41E7044E1DBA2E89 2014-04-25 [C]
      37D2C98789D8311948394E3E41E7044E1DBA2E89
uid                 [marginal] F-Droid <admin@f-droid.org>

my verification:
  https://f-droid.org/docs/Verifying_Downloaded_APK/
  https://uniq.h4x.at/blog/2101/
  https://dwaves.de/2019/10/13/once-more-verify-files-with-pgp-f-droid-org-verify-apk-download-gpg-signature-asc-sig-md5sum-and-sha512sum-linphone-app/
  https://github.com/open-keychain/open-keychain/issues/2907

Yocto

pub   rsa4096/87EB3D32FB631AD9 2014-10-30 [SC] [expires: 2026-06-15]
      2AFB13F28FBBB0D1B9DAF63087EB3D32FB631AD9
uid                 [marginal] Yocto Build and Release  <releases@yoctoproject.org>

my verification:
 git verify-tag yocto-5.0 # openembedded-core repo, ref 46c8693c5355e94c06559e71476c1f74a9421744
 https://wiki.yoctoproject.org/wiki/GPG_sign_notes_%26_git_tags