Debian archive GPG key updated for 2016

The GPG key used to sign our Debian/Ubuntu archives at
deb.theforeman.org is being updated and all such users should install
the new GPG key. In short, this can be done by running:

  curl "https://pgp.mit.edu/pks/lookup?op=get&search=0xAE0AF310E2EA96B6B6F4BD726F8600B9563278F6" \
    | sudo apt-key add -

As of 2016-04-08, both the existing and new key are being used to sign
our archives until around 2016-06-30, when the old one expires.

If you'd like to verify the key, more information is below:

Key ID: 0x563278F6
Fingerprint: AE0A F310 E2EA 96B6 B6F4 BD72 6F86 00B9 5632 78F6

The public key on the keyserver has signatures from myself (key ID
0x2C2B72CC) and the existing 2014 key (key ID 0x1AA043B8), and this
e-mail is also signed by me. To verify the new key using the old key,
you can run something like:

  1. apt-key export 1AA043B8 | gpg --import
  2. curl "https://pgp.mit.edu/pks/lookup?op=get&search=0xAE0AF310E2EA96B6B6F4BD726F8600B9563278F6" \
       | gpg --import
  3. gpg --check-sigs 563278F6
  4. verify that "sig!" is listed next to 1AA043B8, the 2014 key. "sig-"
    indicates a bad signature.
  5. gpg --export 563278F6 | sudo apt-key add -

It is also listed on our website (sorry, still no HTTPS at the moment):
Foreman :: Security (source:
https://github.com/theforeman/theforeman.org/blob/gh-pages/security.md#gpg-keys)
and at http://deb.theforeman.org/pubkey.gpg.

Please reply to foreman-users if you have any questions.

Name: Foreman Automatic Signing Key (2016)


Dominic Cleal
dominic@cleal.org
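
The manual check in steps 3 and 4 of the verification list can be scripted against gpg's machine-readable output. This is an added example, not part of the original announcement: check_new_key, sample_good and sample_bad are hypothetical names, and the sample output is constructed (only the fingerprint and short key IDs come from the announcement).

```shell
#!/bin/sh
# Added example: automates steps 3-4 of the announcement's verification list.
NEW_FPR="AE0AF310E2EA96B6B6F4BD726F8600B9563278F6"  # fingerprint from the announcement
OLD_KEYID="1AA043B8"                                # 2014 key, short ID from the announcement

# check_new_key EXPECTED_FPR SIGNER_ID  (reads gpg colon-format output on stdin)
# Succeeds only if the primary key's fingerprint equals EXPECTED_FPR and SIGNER_ID
# has at least one good ("!") and no bad ("-") signature on the key.
check_new_key() {
    awk -F: -v fpr="$1" -v signer="$2" '
        $1 == "pub" { primary = 1 }
        $1 == "sub" { primary = 0 }
        $1 == "fpr" && primary && !seen { seen = 1; fpr_ok = (toupper($10) == toupper(fpr)) }
        $1 == "sig" && toupper(substr($5, length($5) - 7)) == toupper(signer) {
            flag = substr($2, 1, 1)       # "!" good, "-" bad, "?" signer key missing
            if (flag == "!") good++
            if (flag == "-") bad++
        }
        END { exit !(fpr_ok && good > 0 && bad == 0) }'
}

# Constructed sample output (sizes, timestamps and the upper half of the
# signer key ID are made up); shaped like the output of:
#   gpg --with-colons --with-fingerprint --check-sigs 563278F6
sample_good() {
    cat <<'EOF'
pub:-:4096:1:6F8600B9563278F6:1460000000:::-:::scSC:
fpr:::::::::AE0AF310E2EA96B6B6F4BD726F8600B9563278F6:
uid:-::::1460000000::::Foreman Automatic Signing Key (2016):
sig:!::1:6F8600B9563278F6:1460000000::::Foreman Automatic Signing Key (2016):13x:
sig:!::1:AAAAAAAA1AA043B8:1460000001::::[constructed signer uid]:10x:
EOF
}

# Same key, but the 2014 key's signature fails verification.
sample_bad() { sample_good | sed 's/^sig:!::1:AAAAAAAA1AA043B8/sig:-::1:AAAAAAAA1AA043B8/'; }

sample_good | check_new_key "$NEW_FPR" "$OLD_KEYID" && echo "good sample: accepted"
sample_bad  | check_new_key "$NEW_FPR" "$OLD_KEYID" || echo "bad sample: rejected"
```

After steps 1 and 2, pipe the real gpg command's output into check_new_key in place of the sample, and run step 5 only if it succeeds.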