Release media signatures
Our current releases are signed with one of these keys or any of their subkeys:
Key Fingerprint | Description | Created | Expiry |
---|---|---|---|
13EBBDBEDE7A12775DFDB1BABB572E0E2D182910 | Gentoo Linux Release Engineering (Automated Weekly Release Key) | 2009-08-25 | 2022-07-01 |
DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D | Gentoo ebuild repository signing key (Automated Signing Key) | 2011-11-25 | 2022-07-01 |
EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72 | Gentoo repository mirrors (automated git signing key) | 2018-05-28 | 2022-07-01 |
D99EAC7379A850BCE47DA5F29E6438C817072058 | Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) | 2004-07-20 | 2022-01-01 |
ABD00913019D6354BA1D9A132839FE0D796198B1 | Gentoo Authority Key L1 | 2019-04-01 | 2022-07-01 |
18F703D702B1B9591373148C55D3238EC050396E | Gentoo Authority Key L2 for Services | 2019-04-01 | 2022-07-01 |
2C13823B8237310FA213034930D132FF0FF50EEB | Gentoo Authority Key L2 for Developers | 2019-04-01 | 2022-07-01 |
Verifying files
To verify that downloaded files have not been tampered with, you need the .DIGESTS file matching your release and the matching key from the table above.
Fetch the key:
gpg --keyserver hkps://keys.gentoo.org --recv-keys <key fingerprint>
Alternatively, you can fetch a bundle containing all listed keys:
wget -O - https://qa-reports.gentoo.org/output/service-keys.gpg | gpg --import
Verify the DIGESTS file:
gpg --verify <foo.DIGESTS.asc>
Verify the download matches the digests. At least one of the following will exist:
sha512sum -c <foo.DIGESTS.asc>
sha256sum -c <foo.DIGESTS.asc>
sha1sum -c <foo.DIGESTS.asc>
Detailed instructions are available in the Gentoo Handbook.
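The steps above combined into one check, as an added example that is not the Gentoo project's own script: `gpg --verify` reports success for a good signature from any key in the keyring, so this also confirms that the signer's primary key is one from the table, then checks digests against only the signed text. The function names `trusted_signer` and `verify_release` are hypothetical, and the example assumes the DIGESTS file carries SHA512 entries and that GNU coreutils' `--ignore-missing` is available.

```shell
#!/bin/sh
# Primary-key fingerprints copied from the table on this page.
TRUSTED_FPRS="
13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72
D99EAC7379A850BCE47DA5F29E6438C817072058
ABD00913019D6354BA1D9A132839FE0D796198B1
18F703D702B1B9591373148C55D3238EC050396E
2C13823B8237310FA213034930D132FF0FF50EEB
"

# Reads `gpg --status-fd` output on stdin. Prints the primary-key fingerprint
# and returns 0 only if a VALIDSIG line names a listed key. The primary
# fingerprint is the last VALIDSIG field, so subkey signatures map back to it.
trusted_signer() {
    while read -r tag keyword rest; do
        case "$tag $keyword" in "[GNUPG:] VALIDSIG") ;; *) continue ;; esac
        primary=${rest##* }
        for fpr in $TRUSTED_FPRS; do
            if [ "$primary" = "$fpr" ]; then
                echo "$primary"
                return 0
            fi
        done
    done
    return 1
}

# verify_release foo.DIGESTS.asc (hypothetical helper; run in the download dir)
verify_release() {
    tmp=$(mktemp -d) || return 1
    # --decrypt on a clearsigned file writes only the signed text to --output,
    # so lines outside the signed region never reach sha512sum.
    if gpg --batch --status-fd 3 --output "$tmp/DIGESTS" --decrypt "$1" \
            3>"$tmp/status" 2>/dev/null &&
        signer=$(trusted_signer <"$tmp/status")
    then
        echo "Valid signature, primary key $signer"
        sha512sum --check --ignore-missing "$tmp/DIGESTS"
        rc=$?
    else
        echo "No valid signature from a listed key" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}
if [ "$#" -gt 0 ]; then verify_release "$1"; fi
```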