Reminder: Debian archive GPG key updated for 2016

Reminder - our Debian archive GPG key has changed and the old key will
stop being used to sign our archives in about a week's time, due to its
expiry. Please ensure you've updated using the instructions below.


The GPG key used to sign our Debian/Ubuntu archives at
deb.theforeman.org is being updated and all such users should install
the new GPG key. In short, this can be done by running:

curl https://deb.theforeman.org/pubkey.gpg | sudo apt-key add -

As of 2016-04-08, both the existing and new key are being used to sign
our archives until around 2016-06-30, when the old one expires.

If you’d like to verify the key, more information is below:

Key ID: 0x563278F6
Fingerprint: AE0A F310 E2EA 96B6 B6F4 BD72 6F86 00B9 5632 78F6
Name: Foreman Automatic Signing Key (2016) <packages@theforeman.org>

The public key on the keyserver has signatures from myself (key ID
0x2C2B72CC) and the existing 2014 key (key ID 0x1AA043B8), and this
e-mail is also signed by me. To verify the new key using the old key,
you can run something like:

  1. apt-key export 1AA043B8 | gpg --import
  2. curl https://deb.theforeman.org/pubkey.gpg | gpg --import
  3. gpg --check-sigs 563278F6
  4. verify that “sig!” is listed next to 1AA043B8, the 2014 key. "sig-"
    indicates a bad signature.
  5. gpg --export 563278F6 | sudo apt-key add -

It is also listed on our website at Foreman :: Security
and at https://deb.theforeman.org/pubkey.gpg

Please reply to foreman-users if you have any questions.


Dominic Cleal
dominic@cleal.org
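
Steps 3 and 4 of the verification procedure above can be checked by script instead of by eye. The following is an added example, not part of the original e-mail or of Foreman's tooling: it parses gpg's `--with-colons` output, and the function names and the sample record values (timestamps, key size, the upper half of the 2014 key's long ID) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: steps 3-4 of the procedure, checked by script.
NEW_FPR="AE0AF310E2EA96B6B6F4BD726F8600B9563278F6"  # from the announcement, spaces removed
OLD_KEYID="1AA043B8"                                 # 2014 key ID from the announcement

# stdin: output of `gpg --with-colons --fingerprint 563278F6`.
# Succeeds only if the primary key's fingerprint (field 10 of the first
# fpr record after pub) equals NEW_FPR.
fpr_matches() {
    awk -F: -v want="$NEW_FPR" '
        $1 == "pub" { in_pub = 1; next }
        $1 == "sub" { in_pub = 0 }
        in_pub && $1 == "fpr" { found = ($10 == want); exit }
        END { exit (found ? 0 : 1) }'
}

# stdin: output of `gpg --with-colons --check-sigs 563278F6`.
# In a sig record, field 2 is "!" (good), "-" (bad), "?" (signer key not in
# the keyring) or "%" (error); field 5 is the signer's 64-bit key ID.
# Only the short ID is published above, so the last 8 hex digits are compared;
# short IDs can collide, so this relies on step 1 having imported the 2014
# key from apt's own keyring.
signed_by_old_key() {
    awk -F: -v old="$OLD_KEYID" '
        $1 == "sig" && toupper(substr($5, length($5) - 7)) == old {
            if ($2 == "!") good = 1; else bad = 1
        }
        END { exit ((good && !bad) ? 0 : 1) }'
}

# Run both checks against the local keyring (after steps 1-2).
verify_new_key() {
    gpg --with-colons --fingerprint 563278F6 | fpr_matches &&
    gpg --with-colons --check-sigs 563278F6 | signed_by_old_key
}

# Constructed sample of colon-format output; key size, timestamps and the
# upper half of the 2014 key's long ID are placeholders, not real values.
SAMPLE='pub:-:4096:1:6F8600B9563278F6:1460000000:::-:::scSC:
fpr:::::::::AE0AF310E2EA96B6B6F4BD726F8600B9563278F6:
uid:-::::1460000000::::Foreman Automatic Signing Key (2016) <packages@theforeman.org>:
sig:!::1:6F8600B9563278F6:1460000000::::Foreman Automatic Signing Key (2016):13x:
sig:!::1:000000001AA043B8:1460000000::::[constructed 2014 key uid]:10x:'
```

Run `verify_new_key` after steps 1 and 2, and continue to step 5 only if it exits 0.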