Debian and Red Hat Signing Key Set to Expire

I don’t think I’ve seen this mentioned anywhere else yet, so I thought I’d bring it up.

It looks like the package signing key for both the Debian and Red Hat packages (as referenced from Linux) is set to expire very soon, March 30, 2023. This is the key downloaded from https://pkg.jenkins.io/debian/jenkins.io.key or https://pkg.jenkins.io/redhat/jenkins.io.key (or the stable versions of those repositories), which appears to be the same at all 4 locations (as verified by SHA-256).

I’m not exactly sure what happens once we pass the expiration date, but I imagine it’s not good things. We should look at rotating the key ASAP and publishing that it’s been updated. I’m not sure if existing users of the APT/RPM repositories will need to manually import the new key or not.

1 Like
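The check described in the post (fetch the key from each location, confirm all copies match by SHA-256, and read the expiry date out of it) as a small stand-alone script. This is an added example for the thread, not code from the Jenkins project or from anyone posting here. It parses the OpenPGP packets directly so it needs no gpg binary; the only key it ships with is one it constructs itself (`build_constructed_key`: real packet layout, dummy RSA and signature numbers, creation date `KEY_CREATED` and a one-year validity chosen to land on 2023-03-30 like the key in the post). The two URLs are the ones quoted above; nothing is downloaded, so to inspect the real key you would `curl -fsSL` each URL and pass the file contents to `check_key`.

```python
"""Report creation/expiry of an OpenPGP repository signing key and compare mirrors.
Added example for this thread (not Jenkins project code). The key it parses is
constructed in build_constructed_key(): valid packet layout, fake RSA numbers."""
import base64, hashlib
from datetime import datetime, timezone

KEY_URLS = ["https://pkg.jenkins.io/debian/jenkins.io.key",   # URLs quoted in the post
            "https://pkg.jenkins.io/redhat/jenkins.io.key"]
KEY_CREATED = 1648598400          # 2022-03-30T00:00:00Z, constructed for the demo
ONE_YEAR = 365 * 86400            # constructed validity: expiry lands on 2023-03-30


def _mpi(v):                       # OpenPGP multi-precision integer: bit count + magnitude
    return v.bit_length().to_bytes(2, "big") + v.to_bytes((v.bit_length() + 7) // 8, "big")


def _packet(tag, body):            # new-format header, RFC 4880 4.2.2 (bodies < 8384 bytes)
    n = len(body)
    hdr = [n] if n < 192 else [((n - 192) >> 8) + 192, (n - 192) & 0xFF]
    return bytes([0xC0 | tag] + hdr) + body


def _subpacket(stype, data):       # signature subpacket; length octet counts the type octet
    return bytes([len(data) + 1, stype]) + data


def build_constructed_key(created, valid_seconds=None):
    """Armored public key with a real packet layout but dummy RSA/signature numbers.
    Constructed test input: gpg would reject the self-signature; only the structure is real."""
    pub = bytes([4]) + created.to_bytes(4, "big") + bytes([1]) + _mpi((1 << 2047) | 1) + _mpi(65537)
    hashed = _subpacket(2, created.to_bytes(4, "big"))                   # sig creation time
    if valid_seconds is not None:
        hashed += _subpacket(9, valid_seconds.to_bytes(4, "big"))        # key expiration time
    sig = (bytes([4, 0x13, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed   # v4 positive cert, RSA, SHA-256
           + b"\0\0" + b"\0\0" + _mpi(0x1234))   # no unhashed subpackets, dummy hash prefix, dummy sig
    raw = _packet(6, pub) + _packet(13, b"Constructed Key <test@example.invalid>") + _packet(2, sig)
    b64 = base64.b64encode(raw).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


def dearmor(text):
    """Base64 payload of the first armored block; skips 'Key: value' headers and the =CRC line."""
    data, inside = [], False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP"):
            inside = True
        elif line.startswith("-----END PGP"):
            break
        elif inside and line.strip() and ": " not in line and not line.startswith("="):
            data.append(line.strip())
    return base64.b64decode("".join(data))


def _packets(data):
    """Yield (tag, body); handles new-format and the old-format headers gpg exports."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet")
        if ctb & 0x40:                                   # new format
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                hdr, length = 2, first
            elif first < 224:
                hdr, length = 3, ((first - 192) << 8) + data[pos + 2] + 192
            elif first == 255:
                hdr, length = 6, int.from_bytes(data[pos + 2:pos + 6], "big")
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old format: 1/2/4-byte length
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length


def _subpackets(area):             # yield (type, data) from a signature subpacket area
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            pos, length = pos + 1, first
        elif first < 255:
            pos, length = pos + 2, ((first - 192) << 8) + area[pos + 1] + 192
        else:
            pos, length = pos + 5, int.from_bytes(area[pos + 1:pos + 5], "big")
        yield area[pos] & 0x7F, area[pos + 1:pos + length]
        pos += length


def key_expiry(key_bytes):
    """(created, expiry-or-None) of the primary key, read from the hashed area of its newest
    self-certification (sig types 0x10-0x13, 0x1F): subpacket 9 = seconds after creation."""
    created = expiry = None
    newest = -1
    for tag, body in _packets(key_bytes):
        if tag == 6:
            if body[0] != 4:
                raise ValueError(f"unsupported key version {body[0]}")
            created = int.from_bytes(body[1:5], "big")
        elif tag == 14:
            break                                        # subkeys start: primary sigs are done
        elif tag == 2 and created and body[0] == 4 and body[1] in (0x10, 0x11, 0x12, 0x13, 0x1F):
            subs = dict(_subpackets(body[6:6 + int.from_bytes(body[4:6], "big")]))
            when = int.from_bytes(subs.get(2, b"\0\0\0\0"), "big")
            if when >= newest:                            # gpg honours the most recent self-sig
                newest, valid = when, subs.get(9)
                expiry = created + int.from_bytes(valid, "big") if valid else None
    if created is None:
        raise ValueError("no primary key packet")
    return created, expiry


def _day(ts):
    return datetime.fromtimestamp(ts, timezone.utc).date().isoformat()


def check_key(armored, now):
    """Summary for one downloaded key file: digest to compare across mirrors, dates, status."""
    created, expiry = key_expiry(dearmor(armored))
    status = ("no expiry" if expiry is None else "EXPIRED" if expiry <= now
              else f"expires in {(expiry - now) // 86400} days")
    return {"sha256": hashlib.sha256(armored.encode()).hexdigest(),
            "created": _day(created), "expires": _day(expiry) if expiry else None, "status": status}


def mirrors_agree(keys_by_url):
    """True when every location served byte-identical key material (the SHA-256 check in the post)."""
    return len({hashlib.sha256(k.encode()).hexdigest() for k in keys_by_url.values()}) == 1


if __name__ == "__main__":
    key = build_constructed_key(KEY_CREATED, ONE_YEAR)    # stand-in for the file at each URL
    print("mirrors agree:", mirrors_agree({url: key for url in KEY_URLS}))
    print(check_key(key, now=int(datetime.now(timezone.utc).timestamp())))
```

`gpg --show-keys --with-colons jenkins.io.key` reports the same expiry (field 7 of the `pub` line) if you would rather not parse packets yourself; the script is useful where gpg is not installed, for example in a CI job that watches the key. On the "what happens after the date" question for the Debian side: apt treats a signature made by an expired key as a failed signature (`EXPKEYSIG` in the error output) and refuses the repository's index files until the new key is installed, so the day the key lapses, `apt update` starts failing for everyone still holding the old key.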

There’s an open ticket at the infrastructure helpdesk to track progress.
You are welcome to subscribe to it to receive notifications about the progress.

1 Like

Perfect! Glad to see that it’s already been noticed (and several months back at that) and is being worked on. Thanks @NotMyFault!

I think that’s a different signing key than the signing key that is used to sign the MSI installer. Thanks for reporting that. We’ll work on it.

2 Likes

Oh, good point. There’ve been various questions about code signing recently. Therefore, I assumed mtughan referred to the ongoing task we already track.

I filed a dedicated issue regarding the PGP keys for redhat and debian. You’re welcome to subscribe to it too, to keep yourself up-to-date @mtughan 🙂

Thanks for filing that, @NotMyFault. I’m subscribed to both tickets now.

Thanks @MarkEWaite for noticing that these were different. I had missed that 3323 was specifically for MSI signing and not for GPG signing, so it’s good that we’re all on the same page now.

1 Like