Release media signatures

Our current releases are signed with either of these keys or any sub keys:

Key ID/Type/Fingerprint Description Created Expiry
0xBB572E0E2D182910 (4096-bit RSA)
13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910
Gentoo Linux Release Engineering (Automated Weekly Release Key) 2009-08-25 2019-08-22
0xDB6B8C1F96D8BF6D (4096-bit RSA)
DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
Gentoo Portage Snapshot Signing Key (Automated Signing Key) 2011-11-25 2018-07-01
0x9E6438C817072058 (1024-bit DSA)
D99E AC73 79A8 50BC E47D A5F2 9E64 38C8 1707 2058
Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) 2004-07-20 2018-07-01

Verifying files

To verify downloaded files are not tampered with, you need the .DIGESTS file matching your release and the matching key from the table above.

Fetch the key:

gpg --keyserver --recv-keys <key id>

Verify the DIGESTS file:

gpg --verify <foo.DIGESTS.asc>

Verify the download matches the digests. At least one of the following will exist:

sha512sum -c <foo.DIGESTS.asc>

sha256sum -c <foo.DIGESTS.asc>

sha1sum -c <foo.DIGESTS.asc>

Detailed instructions are available in the Gentoo Handbook.