This page contains information on the current and past archive signing keys. The release files are signed by an automatic archive signing key in order to allow verification that software being downloaded has not been interfered with.
Please note that the details here are for information only; you should not rely on them, and should use other ways to verify them.
Which release should be signed with which key?
Stable releases are signed by both the ftp-master automatic archive signing key in use at the time of the release, and a per-release stable key. Release files for other releases (proposed-updates, testing, testing-proposed-updates, unstable and experimental) are signed only by the ftp-master automatic key.
The security archive is signed by the ftp-master key only.
The current procedure is that there is one ftp-master key per release (the former procedure introduced a new key once per year).
Archive Keys
Active Signing Keys
- The Debian 9/stretch archive signing key has the fingerprint E1CF 20DD FFE4 B89E 8026 58F1 E0B1 1894 F66A EC98.
  The Debian 9/stretch security archive signing key has the fingerprint 6ED6 F5CB 5FA6 FB2F 460A E88E EDA0 D238 8AE2 2BA9.
  See also the announcement for the Debian 9/stretch keys.
- The Debian 10/buster archive signing key has the fingerprint 80D1 5823 B7FD 1561 F9F7 BCDD DC30 D7C2 3CBB ABEE.
  The Debian 10/buster security archive signing key has the fingerprint 5E61 B217 265D A980 7A23 C5FF 4DFA B270 CAA9 6DFA.
  See also the announcement for the Debian 10/buster keys.
- The Debian 11/bullseye archive signing key has the fingerprint 1F89 983E 0081 FDE0 18F3 CC96 73A4 F27B 8DD4 7936.
  The Debian 11/bullseye security archive signing key has the fingerprint AC53 0D52 0F2F 3269 F5E9 8313 A484 4904 4AAD 5C5D.
  See also the announcement for the Debian 11/bullseye keys.
- The Debian 12/bookworm archive signing key has the fingerprint B8B8 0B5B 623E AB6A D877 5C45 B7C5 D7D6 3509 47F8.
  The Debian 12/bookworm security archive signing key has the fingerprint 05AB 9034 0C0C 5E79 7F44 A8C8 254C F3B5 AEC0 A8F0.
  See also the announcement for the Debian 12/bookworm keys.
Stable Keys
- The fingerprint of the Debian 9/stretch release key is 067E 3C45 6BAE 240A CEE8 8F6F EF0F 382A 1A7B 6500
- The fingerprint of the Debian 10/buster release key is 6D33 866E DD8F FA41 C014 3AED DCC9 EFBF 77E1 1517
- The fingerprint of the Debian 11/bullseye release key is A428 5295 FC7B 1A81 6000 62A9 605C 66F0 0D6C 9793
- The fingerprint of the Debian 12/bookworm release key is 4D64 FEC1 19C2 0290 67D6 E791 F8D2 585B 8783 D481
Retired Signing Keys
The following retired and in most cases expired keys are available. Note that these keys are no longer in use and are listed here for reference purposes only:
- /keys/ziyi_key_2002.asc (revocation)
- /keys/ziyi_key_2003.asc (revocation)
- /keys/ziyi_key_2003v2.asc (revocation)
- /keys/ziyi_key_2004.asc (revocation)
- /keys/ziyi_key_2005.asc (revocation)
- /keys/ziyi_key_2006.asc (revocation)
- /keys/archive-key-4.0.asc (revocation)
- /keys/archive-key-5.0.asc (revocation)
- /keys/archive-key-6.0.asc (revocation)
- /keys/release-6.asc
- /keys/archive-key-7.0.asc (revocation)
- /keys/release-7.asc
- /keys/archive-key-8.asc (revocation)
- /keys/archive-key-8-security.asc (revocation)
- /keys/release-8.asc
Upload Processing Keys
The following keys are used to sign mails sent by the archive software. They must not be used by APT.
Key Replacement Procedure
When the archive key is to be replaced, a new key will be generated by one of the ftpmasters. This key will then be signed by that ftpmaster and other ftpmasters and members of the ftpteam (including verification by phone call of the fingerprint and other details of the key to be signed).
Once the new key is prepared, it will be placed on this page, put into the relevant archive packages and announced to debian-devel-announce well in advance of being used.
Key Revocation Procedure
The ftp masters at the time of the key generation are designated revokers and can revoke the key if required.
Key Backup / Restore Procedure
After the creation of the archive key, the secret part of it will be backed up in one additional way. The program gfshare (package libgfshare-bin), an implementation of Shamir's secret sharing scheme, is used to produce 5 shares, of which 3 are needed to recover the secret key.
See scripts/debian/generate-archive-key for who has recovery shares; check the historic version for older keys.
Debian FTP team