Hi Tarsnap users and alpha testers,

While testing the Debian package-building process, the 2017 .deb package signing key was accidentally copied from the build system (an airgapped system with encrypted disk) onto the unencrypted USB stick used for transferring files to the outside world. While it was never published anywhere, and the disk has since been overwritten, the key in question should never have been written to an unencrypted disk in the first place; so I've declared it "compromised" and generated a new 2017 .deb package signing key. You can see the revocation certificate for the old key, and the replacement key, in the github tarsnap-public-keys repository:

https://raw.githubusercontent.com/Tarsnap/tarsnap-public-keys/master/keys-packaging/tarsnap-deb-packaging-key-2017-revoke.asc
https://raw.githubusercontent.com/Tarsnap/tarsnap-public-keys/master/keys-packaging/tarsnap-deb-packaging-key-2017b.asc

Since we have not yet released any non-experimental .deb packages, nothing has been signed with the key in question (which made the decision to replace it much easier), but anyone who installed the experimental tarsnap .deb package after January 11th will have the tarsnap-archive-keyring_0.2 package installed, including the now-revoked key. (According to my server logs, there are 21 such people.)

If you have installed tarsnap experimental .deb packages, you should update your installed packages now in order to get tarsnap-archive-keyring_0.4, which has the new key.

(For the morbidly curious: Two things went wrong in order to make this key get accidentally copied to the USB stick. First, keys were left in the package-building script's "input" directory after the builds completed; I keep the package-build input and output directories for future reference, but I have now updated the script to remove the keys after a build finishes. Second, I simply typoed a command, and copied out the build *input* instead of the build *output*; alas, preventing wetware bugs is difficult, but I'll try to be more careful in the future.)

Sorry about the mixup,

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
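The second failure described above (copying the build input directory instead of the output directory) is the kind of mistake a pre-transfer check catches. The script below is an added example, not Tarsnap's build script: it scans a directory for private key material and refuses to copy it towards removable media if any is found. The function names, the recognised key headers and the sample directories are all assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Tarsnap's own build script: a guard for moving files off an
# airgapped build host. Before anything is copied towards removable media, the
# source directory is scanned for private key material and the export is refused
# if any is found, so a mix-up between the build *input* and *output* directories
# cannot carry a signing key onto an unencrypted USB stick.

# scan_for_private_keys DIR
# Returns 0 when DIR holds no recognisable private key material, 1 otherwise
# (offending paths are listed on stderr).
scan_for_private_keys() {
    dir="$1"
    # ASCII-armoured secret keys: OpenPGP, OpenSSH and PEM-style headers.
    armored=$(find "$dir" -type f -exec grep -l -E \
        'BEGIN (PGP|OPENSSH|RSA|EC|DSA|ENCRYPTED) PRIVATE KEY' {} + 2>/dev/null || true)
    # Binary GnuPG secret key stores, recognised by path.
    binary=$(find "$dir" \( -name 'secring.gpg' -o -path '*/private-keys-v1.d/*' \) \
        -type f 2>/dev/null || true)
    hits=$(printf '%s\n%s\n' "$armored" "$binary" | sed '/^$/d')
    [ -z "$hits" ] && return 0
    printf 'refusing: private key material under %s:\n%s\n' "$dir" "$hits" >&2
    return 1
}

# export_build_output SRC DEST
# Copies SRC to DEST (e.g. a mounted USB stick) only if the scan passes.
export_build_output() {
    scan_for_private_keys "$1" || return 1
    cp -R "$1" "$2"
}

# Demonstration with constructed directories; the "key" below is a dummy header.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/input" "$tmp/output" "$tmp/usb"
    printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' '(constructed, not a key)' \
        '-----END PGP PRIVATE KEY BLOCK-----' > "$tmp/input/constructed-signing-key.asc"
    printf 'Package: tarsnap\n' > "$tmp/output/control"
    export_build_output "$tmp/input" "$tmp/usb/input" || echo "input export blocked (as intended)"
    export_build_output "$tmp/output" "$tmp/usb/output" && echo "output exported"
    rm -rf "$tmp"
}

demo
```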
