New PGP signing key?

Older key:

pub   rsa4096 2022-12-19 [SC] [expires: 2032-12-16]
      10A714FCA3C829A605E686A5C479D18E038EAF42
uid           [ unknown] Brave Checksums Release (Brave Checksums Release) <[email protected]>

New key:

pub   rsa4096 2025-03-11 [SC] [expires: 2035-03-09]
      7FE68A2E3754FA350A45F0AB68E5C22615F0E249
uid           [ unknown] Brave Checksums Release (Brave Checksums Release) <[email protected]>

Should we delete the old key or should we still trust it? If the old one is still trustworthy, why was a new one created?

Please edit your Original Post (“OP”) above, in order to include:

  • Brave Browser version numbers
  • Operating System version numbers

Please describe what the keys pertain to (a certificate?, an installer?), and where you find them - in detail.


This is not specific to my OS or Browser version.

The zip files you distribute for Linux distros here: https://github.com/brave/brave-browser/releases/tag/v1.76.82 are now signed with the new PGP/GPG key, while the previous versions were using the older key. Both keys can be found here: https://brave.com/signing-keys/#checksums-release-channel

I’m just trying to confirm that the change is intentional, and I’d also like to know if we should now stop trusting the older key. (Perhaps you changed keys because it was compromised? Or did you just lose the old one? Because the key strength is the same so I’m not sure why you’d change keys.)

@Mattches you have any clues?

This change was indeed intentional. We added redundancy in order to continue to be able to sign new Linux binaries should the AWS HSM fail. Unfortunately, it was not possible to turn an existing key into a multi-region key. So both keys are okay and neither is compromised.

If you are using our official packages, then you shouldn’t have to change anything since the brave-keyring package will handle key rotations automatically for you. If you are verifying packages manually, then you can safely keep both keys in your keyring.


Thank you for the explanation! I am on a distro that you don’t release packages for so I’ve made my own GPG verification and installation script to upgrade Brave.
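For readers on a distro without a brave-keyring package, the following is an added example of the kind of check a manual verification script needs; it is not the poster's script and not Brave's own code. It pins both Checksums Release fingerprints from the thread and accepts a signature from either one, matching on the primary-key fingerprint reported by gpg rather than on the "Good signature" text. File names, the locally saved key file and the existence of a detached signature next to the zip are assumptions for the example; check the actual release assets and https://brave.com/signing-keys/#checksums-release-channel before relying on it.

```shell
#!/bin/sh
# Added example, not Brave's script. Verify a Brave Linux zip against a
# detached GPG signature, accepting either pinned Checksums Release key.
# Assumptions: the two public keys were saved locally as one armored file
# (KEYS), and the release ships a detached signature (SIG) for the zip.
set -eu

# Primary-key fingerprints of the old (2022) and new (2025) keys from the thread.
TRUSTED_FPRS="10A714FCA3C829A605E686A5C479D18E038EAF42 7FE68A2E3754FA350A45F0AB68E5C22615F0E249"

# is_trusted_fpr FPR -> returns 0 if FPR (any case, spaces allowed) is pinned.
is_trusted_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    for t in $TRUSTED_FPRS; do
        [ "$fpr" = "$t" ] && return 0
    done
    return 1
}

# signer_primary_fpr STATUS_TEXT -> prints the primary-key fingerprint from the
# VALIDSIG line of "gpg --status-fd" output. Fails unless a GOODSIG line is
# present, so an expired key or a BADSIG is never accepted. The last field of
# VALIDSIG is the primary fingerprint, so this also works if a subkey signs.
signer_primary_fpr() {
    status="$1"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}'
}

# verify_release KEYS ZIP SIG
# Imports the pinned keys into a throwaway keyring so the result does not
# depend on whatever is in ~/.gnupg, then checks the detached signature.
# Note: gpg exits 0 for a good signature by an uncertified key, so the
# fingerprint comparison is what actually ties the file to Brave's keys.
verify_release() {
    keys="$1"; zip="$2"; sig="$3"
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    gpg --homedir "$tmp" --batch --quiet --import "$keys"
    status=$(gpg --homedir "$tmp" --batch --status-fd 1 --verify "$sig" "$zip" 2>/dev/null || true)
    fpr=$(signer_primary_fpr "$status") || { echo "no good signature on $zip" >&2; return 1; }
    if ! is_trusted_fpr "$fpr"; then
        echo "signature by unexpected key $fpr" >&2
        return 1
    fi
    echo "OK: $zip signed by pinned key $fpr"
}

# Usage: ./verify-brave.sh brave-keys.asc brave.zip brave.zip.sig (names assumed)
if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```

When Brave eventually retires the 2022 key, dropping it from TRUSTED_FPRS is the only change needed; the script will then reject older releases signed with it, which is the intended behaviour.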

@Tritonio Which distro is that if you don’t mind me asking?

Void Linux! It’s not based on any other distro, rolling but very stable, runit instead of systemd, top rated on DistroWatch, and packaging AFAIK is easily done, e.g. this way for Firefox. Brave installed from the zip file runs awesomely on it.

Cool. That’s one we’ve already started thinking about:
