The Linux Kernel's PGP Web of Trust
a year ago
- #Security
- #PGP
- #Linux Kernel
- The Linux kernel development process relies on PGP: subsystem maintainers send pull requests to Linus Torvalds based on signed git tags, so the value of those signatures depends on a chain of key certifications leading back to a trusted key.
- Konstantin Ryabitsev maintains a git repository of the relevant PGP keys; it currently tracks 602 valid keys that have a trust path from Linus Torvalds' key.
- GnuPG 2.4.x rejects third-party key signatures (certifications) made with SHA-1, and since many older certifications in the kernel's web of trust were made with SHA-1, this can silently break existing trust paths. GnuPG offers `--allow-weak-key-signatures` to override the rejection, but that is a per-user workaround rather than a fix for the web of trust itself.
- If SHA-1 certifications were dropped, 485 of those public keys would lose their trust path from Linus' key, including the keys of prominent developers such as Andrew Morton and Greg Kroah-Hartman.
- A keysigning session at Embedded Recipes 2025 aims to improve the situation; participation is open to anyone who sends their public key to the specified email address before the deadline, after which fresh (non-SHA-1) certifications can be exchanged.
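The analysis the article summarizes (which keys keep a trust path once SHA-1 certifications are discarded) can be reproduced on a small scale with the following script. It is an added example, not code from the article or from the kernel's pgpkeys repository. It parses the machine-readable output of `gpg --with-colons --list-sigs`, where field 5 of a `sig` record is the signer's key ID and field 16 the hash algorithm (2 = SHA-1, 8 = SHA-256, 10 = SHA-512 in OpenPGP), builds the certification graph, and reports the keys that are reachable from a root key only through at least one SHA-1 certification. The key IDs and the listing are constructed sample data; the trust computation is plain reachability and ignores expiry, revocation, trust levels and the rest of the OpenPGP trust model.

```python
# Added example: not code from the article or the kernel's pgpkeys repo.
# Parses `gpg --with-colons --list-sigs` output, builds the certification
# graph and reports keys that lose every certification path from a root
# key once SHA-1 third-party certifications are discarded.
# Simplification: plain reachability; expiry, revocation, trust levels and
# the real OpenPGP trust model are ignored.  All key IDs are constructed.
from collections import deque

SHA1 = 2  # OpenPGP hash algorithm ID for SHA-1 (8 = SHA-256, 10 = SHA-512)

# Constructed key IDs for the sample web of trust (not real keys).
ROOT_KEY = "1111111111111111"   # plays the role of the root of trust
KEY_A = "2222222222222222"
KEY_B = "3333333333333333"
KEY_C = "4444444444444444"
KEY_D = "5555555555555555"
KEY_G = "6666666666666666"      # no third-party certifications at all


def _pub(keyid):
    # Shape of a `pub` record: field 5 (index 4) is the key ID.
    return f"pub:f:4096:1:{keyid}:1500000000:::f:::scESC::::::23::0:"


def _sig(signer, hash_algo):
    # Shape of a `sig` record: field 5 is the signer key ID, field 16
    # (index 15) the hash algorithm; fields 11-14 are left empty here.
    return f"sig:!::1:{signer}:1600000000::::Sample <sample@example.org>:10x:::::{hash_algo}:"


def constructed_listing():
    """Constructed `--with-colons --list-sigs` output (sample data)."""
    lines = [
        _pub(ROOT_KEY), _sig(ROOT_KEY, 8),                      # self-sig only
        _pub(KEY_A), _sig(KEY_A, 8), _sig(ROOT_KEY, 8),         # root -> A, SHA-256
        _pub(KEY_B), _sig(KEY_B, 8), _sig(ROOT_KEY, SHA1),      # root -> B, SHA-1 only
        _pub(KEY_C), _sig(KEY_C, 8), _sig(KEY_A, SHA1), _sig(KEY_B, 10),
        _pub(KEY_D), _sig(KEY_D, 8), _sig(KEY_C, 8),            # C -> D, SHA-256
        _pub(KEY_G), _sig(KEY_G, 8),                            # isolated key
    ]
    return "\n".join(lines) + "\n"


def parse_certifications(colon_output):
    """Map signee key ID -> list of (signer key ID, hash algorithm ID).

    Self-signatures (signer == key being listed) bind user IDs to the key;
    they are not third-party certifications and are skipped.
    """
    certs = {}
    current = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]
            certs.setdefault(current, [])
        elif fields[0] == "sig" and current is not None:
            signer = fields[4]
            if signer == current:
                continue
            hash_field = fields[15] if len(fields) > 15 else ""
            hash_algo = int(hash_field) if hash_field.isdigit() else 0
            certs[current].append((signer, hash_algo))
    return certs


def reachable(certs, root, allow_sha1=True):
    """Key IDs with a certification path from `root` (BFS, signer -> signee)."""
    signees = {}
    for signee, sigs in certs.items():
        for signer, hash_algo in sigs:
            if not allow_sha1 and hash_algo == SHA1:
                continue  # certification GnuPG 2.4.x would reject
            signees.setdefault(signer, set()).add(signee)
    seen = {root}
    queue = deque([root])
    while queue:
        key = queue.popleft()
        for nxt in signees.get(key, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def keys_losing_trust_path(colon_output, root):
    """Keys reachable from `root` only via at least one SHA-1 certification."""
    certs = parse_certifications(colon_output)
    return sorted(reachable(certs, root, True) - reachable(certs, root, False))


if __name__ == "__main__":
    for keyid in keys_losing_trust_path(constructed_listing(), ROOT_KEY):
        print("loses trust path without SHA-1 certifications:", keyid)
```

In the sample, key B is certified by the root only with SHA-1, and key C's remaining certification comes from B, so B, C and D all drop out while A survives; that is the same mechanism by which a few SHA-1 certifications near the top of a web of trust can cut off hundreds of keys further down. To run it against a real keyring, pipe the output of `gpg --with-colons --list-sigs` into `keys_losing_trust_path` with the long key ID of the root key.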