|
| 1 | +--- |
| 2 | +category: announcement |
| 3 | +permalink: /news/key-transition-2018 |
| 4 | +title: "New key for signing Scala releases" |
| 5 | +--- |
| 6 | + |
| 7 | +-----BEGIN PGP SIGNED MESSAGE----- |
| 8 | +Hash: SHA256 |
| 9 | + |
| 10 | + |
| 11 | +From today, 2018-02-13, we will sign Scala release artifacts with a [new 4096-bit key](http://pgp.mit.edu/pks/lookup?op=vindex&search=0xA9052B1B6D92E560) with fingerprint `3D3A 4396 458F D629 DEAE 0F88 E9DF 618B B41F 2BCE`. |
| 12 | + |
| 13 | +Our old 2048-bit key [B41F2BCE](http://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9DF618BB41F2BCE), originally created on 2013-04-30, will no longer be used. |
| 14 | + |
| 15 | +The team member responsible for a new Scala release will continue to use their personal key to sign the git tag from which the release is built. |
| 16 | + |
| 17 | +<!-- break --> |
| 18 | + |
| 19 | +To fetch the full key from a public key server: |
| 20 | + |
| 21 | +``` |
| 22 | +gpg --keyserver keys.riseup.net --recv-key "3D3A 4396 458F D629 DEAE 0F88 E9DF 618B B41F 2BCE" |
| 23 | +``` |
| 24 | + |
| 25 | +To verify the signatures on this new key (signed by the old key, as well as the core team members): |
| 26 | + |
| 27 | +``` |
| 28 | +gpg --check-sigs "3D3A 4396 458F D629 DEAE 0F88 E9DF 618B B41F 2BCE" |
| 29 | +``` |
| 30 | + |
| 31 | +The [original markdown](https://raw.githubusercontent.com/scala/scala-lang/master/_posts/2018-02-13-key-transition.md) for this post was signed with both keys (`gpg -u B41F2BCE -u 6D92E560 --clearsign 2018-02-13-key-transition.md`). Verify with `curl -s https://raw.githubusercontent.com/scala/scala-lang/master/_posts/2018-02-13-key-transition.md | gpg --verify`. |
| 32 | + |
| 33 | +This announcement was modeled after [https://riseup.net/en/security/message-security/openpgp/key-transition](https://riseup.net/en/security/message-security/openpgp/key-transition), which provides further background. |
| 34 | + |
| 35 | +-----BEGIN PGP SIGNATURE----- |
| 36 | + |
| 37 | +iQEzBAEBCAAdFiEE5oU9N+6jHB8i3J2TWhb/oyAtNkYFAlqDGWUACgkQWhb/oyAt |
| 38 | +NkauQwgAhW5U46A5Dhw5xAmypbkDjZD6Y6sm0iLPz+8qqMzaXt3cOqcFOpUhv3iG |
| 39 | +gQPOECBc9YztH5A3TfetmUEJ7ZGCTyWubiHDg/FTdjvIXZtKy24bjSBU7mdblk/e |
| 40 | +nw8L/W6MfMZ5sbxNcezLko6jZhPeTXxgJb6BVOqNESOfJ2mVgrCwTmbPVsx/Bh+q |
| 41 | +MBV35GauAq5X7rrpq1JssPuC2fbO9kg7+2jpjE0cS7vuNY+gfBGSCJVBW8Ykceb5 |
| 42 | +rJVP8z93Bc8Mr1vj+WyVLGcUtYz0KWtQt2B7xBSIRKFfDSFivuG0LTuBkJdQaDKj |
| 43 | +9Ry3wsQnTaxK5GUHBCN4PXniIREHo4kCMwQBAQgAHRYhBIbaQaXhaZyc6+lkqKkF |
| 44 | +KxttkuVgBQJagxllAAoJEKkFKxttkuVgxdsQAJHd652ayRg5sIhmbOzhp0BrIJht |
| 45 | +AGoTEe6/5TB43POXACAhgPKz2k77J5ypZqRnd+mZe23kGihfyYU75sLX5IBBfWhk |
| 46 | +JHjAFq9JWHx4eFtp50ByIVFPo8yPc01p+jeDOoomjLIqqyOMRxJS9XJaxCa8WNtO |
| 47 | +4X/uBJbsZ0xzCq/+nmncIMyf967Vt6WtKOAbzCdWiHM+r7ZGRQT72mYfcCii3Mx0 |
| 48 | +iw8medQ2UWmn8nTWnD/YGT5jpHjCDYHOCDXTY1r1wVium2gR4TslE9p6Eutgi+8W |
| 49 | +epxgG68j/8zHPR3YbYz7s5pQT2ubVS87PFumAVI3iYhAM6pOgpEchtJx5DL6+8le |
| 50 | +5J+rz/cdDZ9jhGFeU0QZhHAdf5f02DOdEkMlFJWoi9ChwV0wh20fXx1a7Ck8lbBl |
| 51 | +XyXepAWFzpcqwiUtgdwWQlU2cvBe1CYLboGZe4Y885uOz5qKKCClQprFe5lg3qCV |
| 52 | +8ufXK7BcxZxhxDQDgxPrFmTmp/Tia1s54kJj30+OQIZ3PtVV5p+1BDpz1/b2t2jg |
| 53 | ++xUx1Qj0WI4jMscFH1Bq3M4XXOzjIP2yqeHnWZsgDK0Nup9EEPwrVjyKEnBl9eX8 |
| 54 | +NzVe6sgN72PhhLTp9bh3gz6biDHl8qvpI9uK28RUcEyKr5vGen3l/fD9nMLWSh/s |
| 55 | +kXp5o03oFmSnzKNX |
| 56 | +=HKxi |
| 57 | +-----END PGP SIGNATURE----- |
0 commit comments