Key Management for Launchpad (GPG + SSH)

Launchpad uses two types of keys:

• OpenPGP (GPG) keys → required for signing packages uploaded to a PPA
• SSH keys → required for secure access, such as pushing to Launchpad Git/Bazaar

This document explains how to check, create, back up, restore, and rotate both.

1. How to Check and Identify Keys on Your System

1.1. Check existing GPG (OpenPGP) keys

gpg --list-secret-keys --keyid-format LONG

You will see something like:

sec   rsa4096/<Long-Key-ID> YYYY-MM-DD [SC]
      <Fingerprint>
uid   Your Name <[email protected]>
ssb   rsa4096/<Long-Key-ID> YYYY-MM-DD [E]

• Long Key ID → used when signing packages (-k<KEYID>)
• Fingerprint → the long hex string; used to identify your key in Launchpad
• uid → must match an email address on your Launchpad account

Both the Key ID and Fingerprint are public and safe to share.
The private key itself stays inside ~/.gnupg/.

1.2. Check existing SSH keys

ls ~/.ssh

Common public/private key pairs:

• id_ed25519 / id_ed25519.pub
• id_rsa / id_rsa.pub

Show the public key:

cat ~/.ssh/id_ed25519.pub

The .pub file is safe to upload to Launchpad.

2. How to Create the Keys if You Don’t Have Them

2.1. Create a new GPG keypair

gpg --full-generate-key

Choose:

• RSA and RSA
• 4096 bits
• Does not expire, or set your own expiration
• Use the same name + email you use on Launchpad
• Create a secure passphrase

List it afterwards:

gpg --list-secret-keys --keyid-format LONG

Export the public key to upload to Launchpad:

gpg --armor --export <KEYID> > my-public-key.asc

2.2. Create a new SSH keypair

ssh-keygen -t ed25519 -C "[email protected]"

This generates:

• ~/.ssh/id_ed25519 (private)
• ~/.ssh/id_ed25519.pub (public)

Upload the .pub file to Launchpad.

3. How Launchpad Uses These Keys

How Launchpad validates a PPA upload

When you run:

dput ppa:USERNAME/ppa package_source.changes

Launchpad checks:

1. The upload is GPG-signed
2. The GPG key fingerprint matches a key registered in your Launchpad account
3. The email in debian/changelog matches an email attached to your Launchpad account
4. The key’s uid email has been verified by Launchpad

If any of these fail, the upload is rejected.

4. Why the Keys Must Match

Launchpad uses your public keys to confirm:

• The upload really came from you
• The package is authentic
• No one else can upload packages as you

If:

• Your local GPG key ≠ Launchpad GPG key, uploads fail.
• Your local email ≠ Launchpad email, uploads fail.
• Your SSH key ≠ Launchpad SSH key, pushes are denied.

So your local keys must match what Launchpad has registered.

5. How to Back Up Your Keys Safely

5.1. Back up GPG private keys

gpg --export-secret-keys --armor <KEYID> > gpg-private-backup.asc

Also export subkeys:

gpg --export-secret-subkeys --armor <KEYID> > gpg-subkeys-backup.asc

Backup your trust database (optional):

cp ~/.gnupg/trustdb.gpg ./trustdb-backup.gpg

Store these backups in:

• an encrypted USB stick
• a password manager that supports files
• a secure offline location

Never share the exported files.

5.2. Back up SSH keys

Back up:

• ~/.ssh/id_ed25519
• ~/.ssh/id_ed25519.pub
• (optional) your known_hosts file

6. How to Restore Your Keys

6.1. Restore GPG keys

gpg --import gpg-private-backup.asc
gpg --import gpg-subkeys-backup.asc

Ensure trust:

gpg --edit-key <KEYID>
gpg> trust
(choose ultimate)
gpg> quit

Verify:

gpg --list-secret-keys --keyid-format LONG

If fingerprints match Launchpad → you can upload again.

6.2. Restore SSH keys

Restore into:

~/.ssh/id_ed25519
~/.ssh/id_ed25519.pub

Fix permissions:

chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub

7. How to Rotate Keys Safely

You may want to rotate keys because:

• A key expired
• A key was compromised
• You want to upgrade to stronger crypto

7.1. Rotate a GPG key

1. Generate a new keypair
2. Add the public key to Launchpad
3. Verify it (Launchpad emails you)
4. Update your debian/changelog email address if needed
5. Start signing builds with the new key:

debuild -S -k<NEW_KEYID>

Optional but recommended:

• Revoke the old key:

gpg --gen-revoke <OLD_KEYID>

• Upload the revocation certificate to Launchpad

7.2. Rotate an SSH key

• Generate a new SSH key:

ssh-keygen -t ed25519 -C "[email protected]"

• Add the new .pub file to Launchpad
• Remove the old SSH key from Launchpad

Final Summary

• GPG keys sign packages → required for PPAs
• SSH keys authenticate code pushes → optional for PPAs
• Launchpad validates both keys by fingerprint
• Local keys must match what Launchpad has
• Always back up your keys
• You can restore them anytime
• You can rotate them safely when needed