I am trying to verify my downloads from http://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64/

The 4 keys I typically install on my system are:

Gentoo Linux Release Engineering (Automated Weekly Release Key), expires 2020-01-01
13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910

Gentoo ebuild repository signing key (Automated Signing Key), expires 2020-01-01
DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D

Gentoo repository mirrors (automated git signing key), expires 2020-01-01
EF95 38C9 E8E6 4311 A52C DEDF A13D 0EF1 914E 7A72

Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key), expires 2020-07-01
D99E AC73 79A8 50BC E47D A5F2 9E64 38C8 1707 2058

I have noticed that the files are now signed with a new key:
534E4209AB49EEE1C19D96162C44695DB9F6043D

When I check these pages, the old key is not expired, and the new key is not listed:
https://www.gentoo.org/downloads/signatures/
https://wiki.gentoo.org/wiki/Project:RelEng

When I try to look up the new key, it is also not listed on any of the PGP global directories I have tried:

hkps.pool.sks-keyservers.net            502 Bad Gateway
https://pgp.mit.edu/                    503 Service Temporarily Unavailable
https://pgp.key-server.io               504 gateway timeout
https://keyserver.pgp.com               No results were found
https://pgp.surfnet.nl/                 No results were found
http://hkps.pool.sks-keyservers.net/    502 Bad Gateway

$ wget http://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64/stage3-amd64-20190327T214503Z.tar.xz.DIGESTS.asc
$ gpg --verify stage3-amd64-20190327T214503Z.tar.xz.DIGESTS.asc
gpg: Signature made Wed 27 Mar 2019 09:05:29 PM MDT
gpg:                using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
gpg: Can't check signature: No public key
This is a subkey of the regular key:

$ gpg --list-keys 534E4209AB49EEE1C19D96162C44695DB9F6043D
pub   rsa4096 2009-08-25 [SC] [expires: 2020-01-01]
      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid           [ unknown] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sub   rsa2048 2019-02-23 [S] [expires: 2020-01-01]

You need to refresh keys, i.e.:

$ gpg --refresh-keys 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
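
The subkey-to-primary check from the reply above, scripted as an added example (not part of the original thread or of Gentoo's tooling): it resolves the fingerprint that `gpg --verify` reports to its owning primary key by parsing `gpg --with-colons --list-keys` output and compares that against a pinned fingerprint. The function names and the embedded listing are assumptions; the listing is constructed from the fingerprints in this thread with illustrative timestamps.

```shell
#!/bin/sh
# Pinned primary fingerprint (from the question, spaces removed).
PINNED="13EBBDBEDE7A12775DFDB1BABB572E0E2D182910"

# Constructed sample of `gpg --with-colons --list-keys` output; the
# timestamps are illustrative. On a real system, pipe gpg's output in instead.
sample_listing() {
cat <<'EOF'
pub:-:4096:1:BB572E0E2D182910:1251158400:1577836800::-:::scSC:
fpr:::::::::13EBBDBEDE7A12775DFDB1BABB572E0E2D182910:
uid:-::::::::Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>:
sub:-:2048:1:2C44695DB9F6043D:1550880000:1577836800:::::s:
fpr:::::::::534E4209AB49EEE1C19D96162C44695DB9F6043D:
EOF
}

# primary_of FPR: read a colon listing on stdin and print the fingerprint of
# the primary key that owns FPR (FPR may be the primary itself or a subkey).
# Exit status is 1 when FPR is not in the listing.
primary_of() {
    awk -F: -v want="$1" '
        $1 == "pub" || $1 == "sub" { kind = $1; next }
        $1 == "fpr" && kind != "" {
            if (kind == "pub") primary = $10   # field 10 holds the fingerprint
            if ($10 == want) { print primary; found = 1; exit }
            kind = ""
        }
        END { exit !found }
    '
}

# signer_is_pinned FPR: succeed only if FPR resolves to the pinned primary.
signer_is_pinned() {
    owner=$(primary_of "$1") || return 1
    [ "$owner" = "$PINNED" ]
}

signer=534E4209AB49EEE1C19D96162C44695DB9F6043D
if sample_listing | signer_is_pinned "$signer"; then
    echo "$signer is a subkey of pinned key $PINNED"
else
    echo "$signer does not belong to a pinned key" >&2
fi
```

On a live keyring, pipe `gpg --with-colons --list-keys` into `signer_is_pinned` in place of `sample_listing`; a fingerprint that does not resolve means the local copy of the key lacks that subkey, which is the case the refresh above addresses.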
unrestricting, no sec concerns here.