The PGP/GnuPG key used for signing Git tags and reporting security
bugs in an encrypted way is the key
0x2517B724C5F6CA9953296E612FF9CD59612616B5 (or its most recent
subkey).
This key is included in Debian’s official keyring, i.e. in available
in the file /usr/share/keyrings/debian-keyring.gpg of the
Debian package debian-keyring
(Version 2015.01.26 or higher, i.e. the versions available on Debian 8
“Jessie” and newer). On any Debian installation (Release 9 “Jessie” or
newer), you can retrieve that key as follows:
apt install debian-keyring (as root)gpg --keyring /usr/share/keyrings/debian-keyring.gpg --export -a 0x2517B724C5F6CA9953296E612FF9CD59612616B5You also might want to verify the signatures:
gpg --keyring /usr/share/keyrings/debian-keyring.gpg --list-sigs 0x2517B724C5F6CA9953296E612FF9CD59612616B5But having fetched it via apt, it’s indirectly signed by the very
same PGP keys which also verify all retrieved packages before
installation.
If you trust the SSL certificates used on Debian’s web servers, you
can also
download this key directly from debian-keyring’s official Git repository over HTTPS
(hosted on an official Debian-maintained .debian.org server) or
download this key from the latest debian-keyring package over HTTPS from sources.debian.net.
(Please note that while the .debian.net is operated by the Debian
Project, the individual hosts are usually not operated by the Debian
Project but by a Debian Member or Contributor.)