GPG keys

The work of a packager potentially ends up on thousands of machines all over the world, some of it running as root. As a packager, you don't want to catch the blame when somebody else tampers with your packages.

To reduce the chances of that happening, both repositories and packages are signed using GPG keys, so that a tampered package or index fails verification on the user's machine. Using GPG is fairly standard practice, and well described in the GnuPG documentation. If the concept is entirely new to you, you may want to start at The GNU Privacy Handbook. The rest of this document assumes that you've created a keypair, put it on a keyserver, and joined a few keysigning parties so your key is embedded in the Web of Trust.

Want to skip the docs?

    gpg --gen-key

You shouldn't.

For packaging in particular, it is useful to maintain multiple subkeys, so you can sign packages with a subkey while the master (certification) key stays offline. If the subkey on your build machine is ever compromised, you revoke it with the master key and issue a new one, without losing the identity and Web of Trust signatures attached to the master key. Please follow the steps in these Debian docs on the why and how of using subkeys for package signing.

Note

Once the master private key has been deleted from your working keyring (but not from the USB stick in your bombproof safe), it is reasonable to change the 100-character passphrase on the remaining private subkey to a somewhat less secure one that can be typed more quickly: a subkey that leaks from your build machine can be revoked with the master key, whereas the master key itself never leaves the safe.
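The subkey workflow described above, and the state the note refers to (master private key gone from the working keyring, signing subkey still usable), as an added example that is not part of the original page nor of the Debian docs it links to. It runs entirely in a throwaway GNUPGHOME; the user id, key sizes, file names and the signed payload are placeholders chosen for the demo, and the empty passphrase is a demo-only shortcut that a real key must not use.

```shell
#!/bin/sh
# Added example (not from the original page): certify-only primary key,
# signing subkey, backup of the full secret key (the copy for the USB stick),
# then removal of the primary secret key from the working keyring.
# Identity, key sizes, file names and payload are placeholders.
set -eu

UID_STR='Example Packager <packager@example.invalid>'   # placeholder identity

# Non-interactive gpg: batch mode, loopback pinentry, empty passphrase.
# The empty passphrase is a demo-only shortcut; a real key must have one.
gpgq() {
    gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"
}

# Fingerprint of the primary key owning a user id (colon record "fpr", field 10).
primary_fpr() {
    gpg --batch --with-colons --with-fingerprint --list-keys "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Primary key with the certify capability only, plus a signing subkey.
make_keys() {
    gpgq --quick-generate-key "$UID_STR" rsa4096 cert 1y >/dev/null
    fpr=$(primary_fpr "$UID_STR")
    gpgq --quick-add-key "$fpr" rsa4096 sign 1y >/dev/null
    echo "$fpr"
}

# Export the complete secret key as the offline backup, then rebuild the
# working keyring from the secret subkeys alone.
take_primary_offline() {
    fpr=$1
    gpgq --armor --export-secret-keys "$fpr" > "$GNUPGHOME/primary-backup.asc"
    gpgq --armor --export-secret-subkeys "$fpr" > "$GNUPGHOME/subkeys.asc"
    gpgq --delete-secret-keys "$fpr"          # drops primary and subkeys from the agent
    gpgq --import "$GNUPGHOME/subkeys.asc"    # brings back only the subkeys
}

# "yes" when the primary secret key is a stub, which gpg -K shows as "sec#":
# in colon output, field 15 of the sec record is "#" for an offline primary.
primary_is_offline() {
    gpg --batch --with-colons --list-secret-keys "$1" |
        awk -F: '$1 == "sec" { if ($15 == "#") print "yes"; else print "no"; exit }'
}

# "yes" when a non-stub subkey with the sign capability ("s" in field 12) exists.
signing_subkey_usable() {
    gpg --batch --with-colons --list-secret-keys "$1" |
        awk -F: '$1 == "ssb" && index($12, "s") && $15 != "#" { found = 1 }
                 END { if (found) print "yes"; else print "no" }'
}

# Detached signature made with the signing subkey, then verification; prints ok/fail.
sign_and_verify() {
    fpr=$1; f=$2
    gpgq --local-user "$fpr" --armor --detach-sign --output "$f.asc" "$f"
    if gpg --batch --verify "$f.asc" "$f" 2>/dev/null; then echo ok; else echo fail; fi
}

if command -v gpg >/dev/null 2>&1; then
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    FPR=$(make_keys)
    take_primary_offline "$FPR"
    printf 'constructed sample payload\n' > "$GNUPGHOME/pkg.tar"   # constructed input
    gpg --batch -K "$FPR"   # primary now shows as "sec#", the subkey as "ssb"
    echo "primary offline: $(primary_is_offline "$FPR")"
    echo "signing subkey usable: $(signing_subkey_usable "$FPR")"
    echo "signature check: $(sign_and_verify "$FPR" "$GNUPGHOME/pkg.tar")"
else
    echo "gpg not installed; nothing to demonstrate" >&2
fi
```

The `sec#` marker in `gpg -K` output (or `#` in field 15 of the colon record) is the check worth remembering: it is what tells you the primary secret key is really absent from the keyring rather than merely unused. The script leaves a gpg-agent running for the temporary home; `gpgconf --kill gpg-agent` with the same GNUPGHOME stops it. In real use, `primary-backup.asc` goes to offline storage and is deleted from the machine, and the subkey keeps a proper passphrase.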
