This page contains information on the current and past archive signing keys. The release files are signed by an automatic archive signing key in order to allow verification that software being downloaded has not been interfered with.
Please note that the details here are for information only, you should not rely on them and use other ways to verify them.
Which release should be signed with which key?
Stable releases are signed by both the ftp-master automatic archive signing key in use at the time of the release, and a per-release stable key. Release files for other releases (proposed-updates, testing, testing-proposed-updates, unstable and experimental) are signed only by the ftp-master automatic key.
The security archive is signed by the ftp-master key only.
The current procedure is that there is one ftp-master key per release (former procedure introduced a new key once per year).
Active Signing Keys
The past (2012/wheezy) key can be downloaded here
The fingerprint of this key is A1BD 8E9D 78F7 FE5C 3E65 D8AF 8B48 AD62 4692 5553.
The announcement regarding this key can be read at https://lists.debian.org/debian-devel-announce/2012/05/msg00000.html.
The Debian 8/jessie archive signing key has the fingerprint 126C 0D24 BD8A 2942 CC7D F8AC 7638 D044 2B90 D010.
The Debian 8/jessie security archive signing key has the fingerprint D211 6914 1CEC D440 F2EB 8DDA 9D6D 8F6B C857 C906.
See also the announcement for the Debian 8/jessie keys.
The Debian 9/stretch archive signing key has the fingerprint E1CF 20DD FFE4 B89E 8026 58F1 E0B1 1894 F66A EC98.
The Debian 9/stretch security archive signing key has the fingerprint 6ED6 F5CB 5FA6 FB2F 460A E88E EDA0 D238 8AE2 2BA9.
See also the announcement for the Debian 9/stretch keys.
The Debian 10/buster archive signing key has the fingerprint 80D1 5823 B7FD 1561 F9F7 BCDD DC30 D7C2 3CBB ABEE.
The Debian 10/buster security archive signing key has the fingerprint 5E61 B217 265D A980 7A23 C5FF 4DFA B270 CAA9 6DFA.
See also the announcement for the Debian 10/buster keys.
The fingerprint of the squeeze stable release key is 0E4E DE2C 7F3E 1FC0 D033 800E 6448 1591 B983 21F9
The fingerprint of the wheezy stable release key is ED6D 6527 1AAC F0FF 15D1 2303 6FB2 A1C2 65FF B764
Retired Signing Keys
The following retired and in most cases expired keys are available. Note that these keys are no longer in use and are listed here for reference purposes only:
Key Replacement Procedure
When the archive key is to be replaced, a new key will be generated by one of the ftpmasters. This key will then be signed by that ftpmaster and other ftpmasters and members of the ftpteam (including verification by phone call of the fingerprint and other details of the key to be signed).
Once the new key is prepared, it will be placed on this page, put into the relevant archive packages and announced to debian-devel-announce well in advance of being used.
Key Revocation Procedure
The ftp masters at the time of the key generation are designated revokers and can revoke the key if required.
Key Backup / Restore Procedure
After the creation of the archive key, the secret part of it will be backed up in one additional way. The program gfshare (package libgfshare-bin) (a Shamir's secret sharing scheme implementation) is used to produce 5 shares of which 3 are needed to recover the secret key.
The following people each hold one of the shares of the private key.
Key shares for 9/stretch keys
3 of the 5 shares are needed to reproduce the secret key
|gwolf||Gunnar Eyal Wolf Iszaevich|
Debian FTP team