Reminder - our Debian archive GPG key has changed and the old key will
stop being used to sign our archives in about a week's time, due to its
expiry. Please ensure you've updated using the instructions below.
The GPG key used to sign our Debian/Ubuntu archives at
deb.theforeman.org is being updated and all such users should install
the new GPG key. In short, this can be done by running:
curl https://deb.theforeman.org/pubkey.gpg | sudo apt-key add -
As of 2016-04-08, both the existing and new key are being used to sign
our archives until around 2016-06-30, when the old one expires.
If you’d like to verify the key, more information is below:
Key ID: 0x563278F6
Fingerprint: AE0A F310 E2EA 96B6 B6F4 BD72 6F86 00B9 5632 78F6
Name: Foreman Automatic Signing Key (2016) firstname.lastname@example.org
The public key on the keyserver has signatures from myself (key ID
0x2C2B72CC) and the existing 2014 key (key ID 0x1AA043B8), and this
e-mail is also signed by me. To verify the new key using the old key,
you can run something like:
- apt-key export 1AA043B8 | gpg --import
- curl https://deb.theforeman.org/pubkey.gpg | gpg --import
- gpg --check-sigs 563278F6
- verify that “sig!” is listed next to 1AA043B8, the 2014 key. "sig-"
indicates a bad signature.
- gpg --export 563278F6 | sudo apt-key add -
It is also listed on our website at Foreman :: Security
and at https://deb.theforeman.org/pubkey.gpg
Please reply to foreman-users if you have any questions.