| |

Key Management for Launchpad (GPG + SSH)

ByRex Bytes

Example Values Used in This Tutorial

This tutorial uses the following fake example values throughout. Replace them with your own real details when following along.

FieldExample Value
Full NameRex Bytes
Email[email protected]
Launchpad Usernamerexbytes
GPG Key IDAABB1122CCDD3344
GPG Fingerprint1A2B3C4D5E6F7890AABB1122CCDD3344EEFF5566
SSH Key Typeed25519
PPAppa:rexbytes/example-ppa
Packagecmatrix 2.0
PPA Version2.0-1~ppa1~rexbytes

Launchpad uses two types of keys:

  • OpenPGP (GPG) keys — required for signing packages uploaded to a PPA
  • SSH keys — required for secure access, such as pushing to Launchpad Git/Bazaar

This document explains how to check, create, back up, restore, and rotate both.

1. How to Check and Identify Keys on Your System

1.1 Check existing GPG (OpenPGP) keys

gpg --list-secret-keys --keyid-format LONG




Code language: PHP (php)

You will see something like:

sec   rsa4096/AABB1122CCDD3344 2024-01-15 [SC]
      1A2B3C4D5E6F7890AABB1122CCDD3344EEFF5566
uid   Rex Bytes <[email protected]>
ssb   rsa4096/9988776655443322 2024-01-15 [E]




Code language: HTML, XML (xml)
  • Long Key ID — used when signing packages (-k<KEYID>)
  • Fingerprint — the long hex string; used to identify your key in Launchpad
  • uid — must match an email address on your Launchpad account

Both the Key ID and Fingerprint are public and safe to share. The private key itself stays inside ~/.gnupg/.

1.2 Check existing SSH keys

ls ~/.ssh

Common public/private key pairs:

  • id_ed25519 / id_ed25519.pub
  • id_rsa / id_rsa.pub

Show the public key:

cat ~/.ssh/id_ed25519.pub




Code language: JavaScript (javascript)

The .pub file is safe to upload to Launchpad.

2. How to Create the Keys if You Don’t Have Them

2.1 Create a new GPG keypair

gpg --full-generate-key

Choose:

  • RSA and RSA
  • 4096 bits
  • Does not expire, or set your own expiration
  • Use the same name + email you use on Launchpad
  • Create a secure passphrase

List it afterwards:

gpg --list-secret-keys --keyid-format LONG




Code language: PHP (php)

Export the public key (useful for backup or manual sharing):

gpg --armor --export AABB1122CCDD3344 > my-public-key.asc




Code language: JavaScript (javascript)

2.2 Upload your GPG key to the Ubuntu keyserver

Launchpad fetches your GPG key from a public keyserver — it does not accept direct key uploads. You must publish your key to the Ubuntu keyserver:

gpg --keyserver keyserver.ubuntu.com --send-keys AABB1122CCDD3344




Code language: CSS (css)

Verify the upload succeeded:

gpg --keyserver keyserver.ubuntu.com --recv-keys AABB1122CCDD3344




Code language: CSS (css)

Note: Keyserver propagation can take a few minutes. If Launchpad can’t find your key right away, wait and retry.

2.3 Register the key with Launchpad

  1. Log in to https://launchpad.net/.
  2. Go to your profile → OpenPGP keys.
  3. Paste your full fingerprint (e.g. 1A2B 3C4D 5E6F 7890 AABB 1122 CCDD 3344 EEFF 5566) and click Import Key.
  4. Launchpad fetches the key from the keyserver and sends an encrypted verification email to the address in the key’s uid.
  5. Decrypt the email (your mail client or gpg --decrypt on the saved message), then click the confirmation link inside.
  6. Your key is now registered. You can upload signed packages.

Important: The email in your GPG uid must match a verified email address on your Launchpad account.

2.4 Create a new SSH keypair

ssh-keygen -t ed25519 -C "[email protected]"




Code language: JavaScript (javascript)

This generates:

  • ~/.ssh/id_ed25519 (private)
  • ~/.ssh/id_ed25519.pub (public)

Upload the .pub file to Launchpad.

3. How Launchpad Uses These Keys

Key TypePurposeRequired For
GPG keySigns source packages (.changes, .dsc)Uploading to a PPA
SSH keyAuthenticates you to LaunchpadGit pushes, secure access (not needed for PPA uploads)

How Launchpad validates a PPA upload

When you run:

dput ppa:rexbytes/example-ppa cmatrix_2.0-1~ppa1~rexbytes_source.changes

Launchpad checks:

  1. The upload is GPG-signed
  2. The GPG key fingerprint matches a key registered in your Launchpad account
  3. The email in debian/changelog matches an email attached to your Launchpad account
  4. The key’s uid email has been verified by Launchpad

If any of these fail, the upload is rejected.

4. Why the Keys Must Match

Launchpad uses your public keys to confirm:

  • The upload really came from you
  • The package is authentic
  • No one else can upload packages as you

If:

  • Your local GPG key ≠ Launchpad GPG key → uploads fail
  • Your local email ≠ Launchpad email → uploads fail
  • Your SSH key ≠ Launchpad SSH key → pushes are denied

Your local keys must match what Launchpad has registered.

5. How to Back Up Your Keys Safely

5.1 Back up GPG private keys

gpg --export-secret-keys --armor AABB1122CCDD3344 > gpg-private-backup.asc




Code language: JavaScript (javascript)

Also export subkeys:

gpg --export-secret-subkeys --armor AABB1122CCDD3344 > gpg-subkeys-backup.asc




Code language: JavaScript (javascript)

Backup your trust database (optional):

cp ~/.gnupg/trustdb.gpg ./trustdb-backup.gpg




Code language: JavaScript (javascript)

Store these backups in:

  • An encrypted USB stick
  • A password manager that supports files
  • A secure offline location

Never share the exported files.

5.2 Back up SSH keys

Back up:

  • ~/.ssh/id_ed25519
  • ~/.ssh/id_ed25519.pub
  • (optional) your known_hosts file

6. How to Restore Your Keys

6.1 Restore GPG keys

gpg --import gpg-private-backup.asc
gpg --import gpg-subkeys-backup.asc




Code language: JavaScript (javascript)

Ensure trust:

gpg --edit-key AABB1122CCDD3344





gpg> trust
(choose ultimate)
gpg> quit

Verify:

gpg --list-secret-keys --keyid-format LONG




Code language: PHP (php)

If fingerprints match Launchpad, you can upload again.

6.2 Restore SSH keys

Restore into:

  • ~/.ssh/id_ed25519
  • ~/.ssh/id_ed25519.pub

Fix permissions:

chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub




Code language: JavaScript (javascript)

7. How to Rotate Keys Safely

You may want to rotate keys because:

  • A key expired
  • A key was compromised
  • You want to upgrade to stronger crypto

7.1 Rotate a GPG key

  1. Generate a new keypair
  2. Add the public key to Launchpad
  3. Verify it (Launchpad emails you)
  4. Update your debian/changelog email address if needed
  5. Start signing builds with the new key:
debuild -S -k<NEW_KEYID>




Code language: HTML, XML (xml)

Optional but recommended — revoke the old key:

gpg --gen-revoke AABB1122CCDD3344 > revoke-AABB1122CCDD3344.asc




Code language: CSS (css)

Import the revocation into your local keyring and send the revoked key to the keyserver:

gpg --import revoke-AABB1122CCDD3344.asc
gpg --keyserver keyserver.ubuntu.com --send-keys AABB1122CCDD3344




Code language: CSS (css)

Launchpad fetches key updates from the keyserver automatically — it does not accept direct revocation uploads. There may be a delay before Launchpad reflects the revocation.

Important: Key revocation on keyservers is permanent and irreversible. Only revoke a key if you’re sure you no longer need it.

7.2 Rotate an SSH key

  1. Generate a new SSH key:
ssh-keygen -t ed25519 -C "[email protected]"




Code language: JavaScript (javascript)
  1. Add the new .pub file to Launchpad
  2. Remove the old SSH key from Launchpad

Summary

  • GPG keys sign packages → required for PPAs
  • SSH keys authenticate code pushes → optional for PPAs
  • Launchpad validates both keys by fingerprint
  • Local keys must match what Launchpad has
  • Always back up your keys
  • You can restore them anytime
  • You can rotate them safely when needed

Similar Posts

Leave a Reply