Kernel Maintainer PGP guide

submitted by
Style Pass
2023-02-07 14:30:16

This document is aimed at Linux kernel developers, and especially at subsystem maintainers. It contains a subset of information discussed in the more general “Protecting Code Integrity” guide published by the Linux Foundation. Please read that document for more in-depth discussion on some of the topics mentioned in this guide.

PGP helps ensure the integrity of the code that is produced by the Linux kernel development community and, to a lesser degree, establish trusted communication channels between developers via PGP-signed email exchange.

Both git repositories and tarballs carry PGP signatures of the kernel developers who create official kernel releases. These signatures offer a cryptographic guarantee that downloadable versions made available via kernel.org or any other mirrors are identical to what these developers have on their workstations. To this end:

Ever since the 2011 compromise of core kernel.org systems, the main operating principle of the Kernel Archives project has been to assume that any part of the infrastructure can be compromised at any time. For this reason, the administrators have taken deliberate steps to emphasize that trust must always be placed with developers and never with the code hosting infrastructure, regardless of how good the security practices for the latter may be.
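The guarantee described above is only realised on the downloader's side, where the detached signature is checked against the developer's key rather than trusting the mirror that served the file. The script below is an added example, not part of the kernel documentation: it implements the kernel.org verification convention (the signature covers the uncompressed tarball, so the download is decompressed on the fly and the tar stream is what gpg checks) and generalises it to `.xz`, `.gz` and `.bz2` downloads, which all validate against the same `.tar.sign` file. The signing key, the sample tarball, its signature and the tampered copy are all generated locally as constructed demo data; against a real release you would import the maintainer's published key instead.

```shell
#!/bin/sh
# Added example: verify a detached PGP signature on a kernel-style tarball.
# kernel.org signs the *uncompressed* archive, so the compressed download is
# decompressed on the fly and gpg verifies the plain tar stream from stdin.
# Everything below (key, tarball, signature, tampered copy) is constructed
# demo data; it is not kernel.org's own code.
set -eu

# decompress <archive>: stream the plain tar data for any kernel.org format
decompress() {
    case "$1" in
        *.xz)  xz -cd "$1" ;;
        *.gz)  gzip -cd "$1" ;;
        *.bz2) bzip2 -cd "$1" ;;
        *)     echo "unsupported archive: $1" >&2; return 2 ;;
    esac
}

# verify_kernel_tarball <compressed-tarball> <detached-signature>
# Exit status 0 only when gpg reports a good signature from a key in the keyring.
verify_kernel_tarball() {
    decompress "$1" | gpg --batch --verify "$2" - >/dev/null 2>&1
}

# build_demo <dir>: throwaway key, sample tarball, its signature and a
# tampered copy of the tarball (constructed demo data only)
build_demo() {
    dir=$1
    export GNUPGHOME="$dir/gnupg"
    mkdir -p -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Maintainer <demo@example.invalid>' default sign 0 \
        >/dev/null 2>&1
    mkdir -p "$dir/linux-demo"
    echo 'obj-y += demo.o' > "$dir/linux-demo/Makefile"
    tar -cf "$dir/linux-demo.tar" -C "$dir" linux-demo
    # sign the uncompressed archive, as kernel.org does
    gpg --batch --quiet --armor --detach-sign \
        --output "$dir/linux-demo.tar.sign" "$dir/linux-demo.tar" >/dev/null 2>&1
    gzip -c "$dir/linux-demo.tar" > "$dir/linux-demo.tar.gz"
    # tampered copy: a single byte appended to the archive
    { cat "$dir/linux-demo.tar"; printf 'x'; } > "$dir/tampered.tar"
    gzip -c "$dir/tampered.tar" > "$dir/tampered.tar.gz"
}

# run_demo: prints "good=ok tampered=rejected" when verification behaves as expected
run_demo() {
    dir=$(mktemp -d)
    build_demo "$dir"
    if verify_kernel_tarball "$dir/linux-demo.tar.gz" "$dir/linux-demo.tar.sign"; then
        good=ok
    else
        good=rejected
    fi
    if verify_kernel_tarball "$dir/tampered.tar.gz" "$dir/linux-demo.tar.sign"; then
        tampered=ok
    else
        tampered=rejected
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$dir"
    echo "good=$good tampered=$tampered"
}

run_demo
```

Against a real download the call is simply `verify_kernel_tarball linux-X.Y.tar.xz linux-X.Y.tar.sign` after the maintainer's key has been imported; the same `.tar.sign` validates the `.tar.gz` of the same release because the signature was made over the uncompressed data. Note that a good signature from an unknown or unvetted key still exits 0, so the keyring only holds keys whose fingerprints were checked out of band, which is the point of the trust model described above.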
