Release media signatures

Our current releases are signed with either of these keys or any sub keys:

Key ID/Type/Fingerprint Description Created Expiry
0xBB572E0E2D182910 (4096-bit RSA)
13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910
Gentoo Linux Release Engineering (Automated Weekly Release Key) 2009-08-25 2020-01-01
0xDB6B8C1F96D8BF6D (4096-bit RSA)
DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
Gentoo ebuild repository signing key (Automated Signing Key) 2011-11-25 2020-01-01
0xA13D0EF1914E7A72 (4096-bit RSA)
EF95 38C9 E8E6 4311 A52C DEDF A13D 0EF1 914E 7A72
Gentoo repository mirrors (automated git signing key) 2018-05-28 2020-01-01
0x9E6438C817072058 (1024-bit DSA)
D99E AC73 79A8 50BC E47D A5F2 9E64 38C8 1707 2058
Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) 2004-07-20 2020-07-01
0x2839FE0D796198B1 (2048-bit RSA)
ABD0 0913 019D 6354 BA1D 9A13 2839 FE0D 7961 98B1
Gentoo Authority Key L1 2019-04-01 2020-01-01
0x55D3238EC050396E (2048-bit RSA)
18F7 03D7 02B1 B959 1373 148C 55D3 238E C050 396E
Gentoo Authority Key L2 for Services 2019-04-01 2020-01-01
0x30D132FF0FF50EEB (2048-bit RSA)
2C13 823B 8237 310F A213 0349 30D1 32FF 0FF5 0EEB
Gentoo Authority Key L2 for Developers 2019-04-01 2020-01-01

Verifying files

To verify downloaded files are not tampered with, you need the .DIGESTS file matching your release and the matching key from the table above.

Fetch the key:

gpg --keyserver --recv-keys <key id>

Verify the DIGESTS file:

gpg --verify <foo.DIGESTS.asc>

Verify the download matches the digests. At least one of the following will exist:

sha512sum -c <foo.DIGESTS.asc>

sha256sum -c <foo.DIGESTS.asc>

sha1sum -c <foo.DIGESTS.asc>

Detailed instructions are available in the Gentoo Handbook.