Something of a yearly ritual, that of updating GPG (signing-)keys and pushing them to various places.

I use my GPG keys for three main purposes:

  • signing email, so you know it comes from me,
  • signing Calamares releases, so you know they come from me,
  • signing FreeBSD things, so you know they come from me.

That means the keys need to be kept up-to-date, and expiry dates refreshed periodically, and then the keys published and updated and all. Which, if I had better calendar-discipline, would go without speaking. But I don’t, so here’s a couple of notes:

  • you can find my pubkey published on my personal and business sites,
  • Calamares in 2024 was signed by a confused mess of GPG keys. All of the signatures came from a key of mine, and all are good, but I used the keys inconsistently and sometimes used an expired one. I wrote about it on FOSStodon when I spotted it.
    • The release announcements for Calamares mention specific key-IDs, even though different key-IDs were used for the actual signature. The latest release, 3.3.14, matches the announced key-ID for signing with the actual signature.
    • I think 3.3.11 is signed with a key that was actually expired at the time. It does match the published key-ID with the signature, though.
    • In the first half of 2025, the expected signing key-ID is 6D98, which is published on my websites.
    • I have just updated the history-of-Calamares-signing list at the bottom of the about-Calamares page.
  • FreeBSD signature information is used rarely, but is available in the FreeBSD developers OpenPGP keys list. It is the same pubkey as on my website, and which is used for Calamares.