DPA New Signing Key

I was informed that the current DPA signing key DF3D585DB8F0EB658690A554AC0E47584A7A714D was present on the server maintained by an other user of the repositories that got compromised. I do not believe that the users of the packages.sury.org repositories are at any risk because launching attack on the APT repositories using a compromised key would require also attacking other components in the path (HTTPS certificate and DNSSEC), but nevertheless, I have generated a new GPG key to sign the repositories with: 15058500A0235D97F5D10063B188E2B695BD4743. To verify the authenticity of the new key, you can check that there's a signature from my personal signing key: 30B9 33D8 0FCE 3D98 1A2D  38FB 0C99 B70E F4FC BB07.

To update the APT signing key, you can download the new key from the respective repositories, f.e. for the PHP, you would do:

wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg

This doesn't affect any of the Launchpad PPAs, only the Debian packages hosted at packages.sury.org.

Tier Benefits
Recent Posts