Debian Archive Signing Key to be changed

May 23rd, 2009

The Debian Project wishes to announce the change of the GNU Privacy Guard key used to digitally sign its archive reference files. Signatures are used to ensure that packages installed by users are the very same originally distributed by Debian, and have not been exchanged or tampered with.

Affected distributions are the Debian unstable branch (codenamed Sid) as well as the testing branch (codenamed Squeeze). The current stable version Debian GNU/Linux 5.0 (codenamed Lenny) and the current oldstable version Debian GNU/Linux 4.0 (codenamed Etch) will have their ftpmaster signature updated too. The release managers signature stays untouched. The currently used key will expire soon. The new key has already been distributed via the debian-archive-keyring package. For users of the current stable release Debian GNU/Linux 5.0 (codenamed Lenny) no action is required from the user side, since Debian GNU/Linux 5.0 (codenamed Lenny) was already shipped with the new key. Users of the current oldstable release Debian GNU/Linux 4.0 (codenamed Etch) should ensure to have upgraded to the latest point release 4.0r8 which added an upgraded package containing the new key. Users of Debian's testing branch (codenamed Squeeze) and Debian's unstable branch (codenamed Sid) should ensure to have at least version 2009.01.31 of the debian-archive-keyring package installed.

Starting with the next mirror update this evening and for the next three weeks the archive will be digitally signed by both the old and the new key. Starting with the 13th of June only the new key will be used.

For reference, the old key is:

  pub   1024D/6070D3A1 2006-11-20 [expires: 2009-07-01]
  uid                  Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>

And the new one is:

  pub   4096R/55BE302B 2009-01-27 [expires: 2012-12-31]
  uid                  Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>

This key rollover is a normal maintenance task and was started in January. For security reasons Debian's archive signing keys regularly expire after three years.

About Debian

The Debian project is an organisation of many developers who volunteer their time and effort, collaborating via the Internet. Their tasks include maintaining and updating Debian GNU/Linux which is a free distribution of the GNU/Linux operating system. Debian's dedication to Free Software, its non-profit nature, and its open development model makes it unique among GNU/Linux distributions.

Contact Information

For further information, please visit the Debian web pages at http://www.debian.org/ or send mail to <press@debian.org>.