The work of a packager potentially ends up on thousands of machines all over the world, sometimes running with root permissions. A misbehaving package can break these machines. So an administrator installs only packages that were signed with GPG keys, from signed repositories, in order that she may find out who packaged them if necessary.
Using GPG is well described in the GnuPG documentation. If the concept is entirely new to you, you may want to start with The GNU Privacy Handbook. The rest of this document assumes that you have created a keypair, uploaded it to a keyserver, and attended a few keysigning parties so that your key is embedded in the Web of Trust.
Want to skip the docs?

```sh
gpg --gen-key
```

There, you're done. But you really shouldn't.
For packaging in particular, it is useful, though not necessary, to maintain multiple subkeys and to use a dedicated subkey for signing packages. The package-signing subkey can then be copied permanently to the machine on which packages are built, while the master key stays offline in a more secure location; if the build machine is compromised, only the subkey is exposed and can be revoked with the master key. Please follow the steps in these Debian docs on the why and how of using subkeys for package signing.
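The whole workflow from the paragraph above, as an added example that is not part of this page or of any project it describes: a master key created on the offline machine, a signing-only subkey added to it, only the secret subkey exported to a build keyring, a package signed there, and the signature verified from an administrator keyring that holds nothing but the public key. Every name, e-mail address, file name and the three throwaway `GNUPGHOME` directories are made-up placeholders, and the keys are created without a passphrase purely so the script runs unattended; the commands assume GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example, not the page's own material. Demonstrates: master key offline,
# signing subkey on the build host, verification with the public key only.
# All identities, paths and the fake package are constructed placeholders.
set -eu

# Non-interactive gpg with an empty passphrase (demo only; a real master key
# carries a strong passphrase, see the note on the page).
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

demo_subkey_workflow() {
  work=$(mktemp -d)
  MASTER="$work/master"; BUILD="$work/build"; ADMIN="$work/admin"
  mkdir -m 700 "$MASTER" "$BUILD" "$ADMIN"

  # 1. Offline machine: create the master key (certify+sign, never expires)
  #    and add a separate signing-only subkey that expires after one year.
  GNUPGHOME=$MASTER g --quick-gen-key \
      'Example Packager <packager@example.invalid>' default default never
  fpr=$(GNUPGHOME=$MASTER gpg --batch --with-colons --list-keys packager@example.invalid \
        | awk -F: '$1=="fpr"{print $10; exit}')
  GNUPGHOME=$MASTER g --quick-add-key "$fpr" default sign 1y

  # 2. Export only the secret subkeys (plus the public key) for the build host.
  GNUPGHOME=$MASTER g --export-secret-subkeys "$fpr" > "$work/subkeys.gpg"
  GNUPGHOME=$MASTER gpg --batch --export "$fpr" > "$work/pubkey.gpg"

  # 3. Build machine: import the subkeys. The primary secret key is present
  #    only as a stub ('#' in colon-output field 15), so a compromised build
  #    host cannot certify other keys or mint new subkeys in your name.
  GNUPGHOME=$BUILD g --import "$work/subkeys.gpg"
  stub=$(GNUPGHOME=$BUILD gpg --batch --with-colons --list-secret-keys \
         | awk -F: '$1=="sec"{print $15; exit}')
  [ "$stub" = '#' ] || { echo "master secret key unexpectedly present on build host" >&2; return 1; }

  # 4. Sign a constructed "package" on the build host with the subkey.
  printf 'constructed package contents\n' > "$work/pkg.tar.gz"
  GNUPGHOME=$BUILD g --detach-sign --armor -o "$work/pkg.tar.gz.asc" "$work/pkg.tar.gz"

  # 5. Administrator: import only the public key and verify. The VALIDSIG
  #    status line names the signing subkey first and the primary key last,
  #    so the check confirms the package was signed by a subkey of $fpr.
  GNUPGHOME=$ADMIN g --import "$work/pubkey.gpg"
  status=$(GNUPGHOME=$ADMIN gpg --batch --status-fd 1 --verify \
           "$work/pkg.tar.gz.asc" "$work/pkg.tar.gz" 2>/dev/null)
  sigkey=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $3; exit}')
  primary=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $NF; exit}')
  [ "$primary" = "$fpr" ] || { echo "signature not under the expected master key" >&2; return 1; }
  [ "$sigkey" != "$fpr" ] || { echo "package was signed with the master key itself" >&2; return 1; }

  # Clean up the throwaway keyrings and their agents.
  for h in "$MASTER" "$BUILD" "$ADMIN"; do
    GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$work"
  echo ok
}

# Run stand-alone: prints "ok" when every step succeeded.
[ "${1:-}" = "--run" ] && demo_subkey_workflow
```

Invoke it as `sh subkeys.sh --run`. Step 3 is the property the paragraph above relies on: after the import the build host shows `sec#` for the primary key, so the only secret material it holds is the one-year signing subkey, which the offline master can revoke and replace without anyone having to re-verify your identity.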
Note: After you delete the master private key from your keyring (but not from the USB stick in your bombproof safe), it is easy to change the 100-character password on the remaining private key to a somewhat less secure one that can be typed more quickly.
You may also want to read about the following topics...