We use several signing keys for our software releases. There are several keys because there are several different ways of signing software. This page aims to be the comprehensive list of all the release signing keys that we use.

OpenPGP

We sign all of our releases using OpenPGP detached binary signatures in a .sig file.
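
One way to automate the check on a detached .sig, shown as an added example (not Guardian Project's own tooling): parse the output of `gpg --status-fd` and accept a release only when a valid signature comes from the pinned primary key fingerprint, rejecting signatures made by revoked or expired keys. The pinned fingerprint and the sample status transcripts are constructed placeholders, and the file names in the comment are hypothetical.

```python
# Run: gpg --status-fd 1 --verify release.sig release   (hypothetical names)
# and pass the captured output to check_status().
# PINNED_FPR is a constructed placeholder, not a real project key.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# These keywords veto the release regardless of any VALIDSIG line present.
FATAL = {"BADSIG", "ERRSIG", "REVKEYSIG", "EXPKEYSIG", "EXPSIG"}


def check_status(status_text, pinned_fpr=PINNED_FPR):
    """Return (ok, reason) for one `gpg --status-fd` transcript."""
    pinned = pinned_fpr.replace(" ", "").upper()
    signers = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # skip human-readable text mixed into the stream
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FATAL:
            return False, "rejected: " + keyword
        if keyword == "VALIDSIG" and args:
            # args[0] is the signing (sub)key fingerprint; the tenth argument,
            # when present, is the primary key fingerprint we pin against.
            signers.append((args[9] if len(args) >= 10 else args[0]).upper())
    if not signers:
        return False, "rejected: no VALIDSIG"
    if any(fpr != pinned for fpr in signers):
        return False, "rejected: signed by unpinned key"
    return True, "accepted"


def sample(keyword, fpr):
    """Build a constructed status transcript (not captured from a real run)."""
    return ("[GNUPG:] NEWSIG\n"
            f"[GNUPG:] {keyword} {fpr[-16:]} Release Signer (constructed)\n"
            f"[GNUPG:] VALIDSIG {fpr} 2014-07-01 1404172800 0 4 0 1 8 00 {fpr}\n")


if __name__ == "__main__":
    print(check_status(sample("GOODSIG", PINNED_FPR)))    # pinned, valid key
    print(check_status(sample("REVKEYSIG", PINNED_FPR)))  # revoked key
    print(check_status(sample("GOODSIG", "F" * 40)))      # some other key
```

Pinning the full fingerprint avoids selecting a key by email address or short key ID, where several keys, including old revoked ones, can match.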

People signing official releases

Keys from the build servers

Launchpad Ubuntu Package Archive (PPA)

For easy installation on Ubuntu/Mint/etc. of our official releases, as well as backported software that we use, we have a Launchpad PPA with its own signing key provided by Launchpad:

Android APK

We currently have two signing keys: a 4096-bit RSA key used for all new apps, and a 1024-bit RSA key that we use for all apps that we first released before 2014. You can download the whole public keys and verify them using the OpenPGP signature:

4096-bit RSA

1024-bit RSA

FDroid Repo

Our official releases are also posted on our own FDroid repo, which is accessible at https://guardianproject.info/fdroid/repo. The signing key for that repo is available here:

The fingerprints for this signing key are:

Owner: EMAILADDRESS=root@guardianproject.info, CN=guardianproject.info, O=Guardian Project, OU=FDroid Repo, L=New York, ST=New York, C=US
Issuer: EMAILADDRESS=root@guardianproject.info, CN=guardianproject.info, O=Guardian Project, OU=FDroid Repo, L=New York, ST=New York, C=US
Serial number: a397b4da7ecda034
Valid from: Thu Jun 26 15:39:18 EDT 2014 until: Sun Nov 10 14:39:18 EST 2041
Certificate fingerprints:
 MD5:  8C:BE:60:6F:D7:7E:0D:2D:B8:06:B5:B9:AD:82:F5:5D
 SHA1: 63:9F:F1:76:2B:3E:28:EC:CE:DB:9E:01:7D:93:21:BE:90:89:CD:AD
 SHA256: B7:C2:EE:FD:8D:AC:78:06:AF:67:DF:CD:92:EB:18:12:6B:C0:83:12:A7:F2:D6:F3:86:2E:46:01:3C:7A:61:35
 Signature algorithm name: SHA1withRSA
 Version: 1

6 thoughts on “Signing Keys”

  • 2014/07/04 at 9:57 pm

    The key ID in the link for Nathan’s key does not match the fingerprint shown on the page. The link retrieves info for a revoked key.

    • 2014/07/07 at 12:15 pm

      Thanks for catching that! I updated the link. The printed out fingerprint was the correct key, which I have signed with my key.

  • 2014/07/26 at 2:47 am

    Is it just me or are all the public key links (People signing official releases and Keys from the build servers) leading to error pages (not found)? Also, the only still-valid key I found on a key server (pool.sks-keyservers.net) was Hans’; both Nathan’s and Abel’s keys have been revoked. I’m searching for the public key for this signature: https://f-droid.org/repo/org.torproject.android_109.apk.asc

    • 2014/07/28 at 10:45 pm

      Sounds like you are downloading old keys of ours. Be sure that you are downloading the keys matching our key IDs. There are multiple matches for our email addresses, including some of our old, revoked keys.

    • 2015/05/28 at 4:39 pm

      The fingerprint listed on https://guardianproject.info/fdroid/ is the same as what I’m seeing in my FDroid:

      B7 C2 EE FD 8D AC 78 06 AF 67 DF CD 92 EB 18 12 6B C0 83 12 A7 F2 D6 F3 86 2E 46 01 3C 7A 61 35
      B7:C2:EE:FD:8D:AC:78:06:AF:67:DF:CD:92:EB:18:12:6B:C0:83:12:A7:F2:D6:F3:86:2E:46:01:3C:7A:61:35
      
