Trust Registry EN

Signing Keys

All cryptographic signing keys in the trust registry, grouped by lifecycle status.

Active (6)

Ed25519 Advisory Signing Key (2025) advisory-ed25519-2025
Ed25519 Active

Human-held key for signing security advisories and trust disclosures. Stored offline.

SHA256:mF4uJ7kR2wB5nY8cT1eH6vP9dA3oL0qG
Valid from
Jan 1, 2025
Valid until
No expiry
Tools
minisign
advisory-signing
AWS KMS Container Signing Key (2025) cloud-kms-2025-container
Cloud-KMS-ECDSA-P256 Active

Hardware-backed ECDSA key in AWS KMS for container image signing. Private key never leaves KMS.

SHA256:pE3wJ6lN9xB2rT5vG8dO1mK4fH7aL0qI
Valid from
Jun 15, 2024
Valid until
No expiry
Tools
cosign
KMS
aws-kms · ca-central-1
container-signing
Ed25519 Emergency Replacement Key (Oct 2025) ed25519-2025-emergency-replacement
Ed25519 Active

Emergency replacement for the compromised ed25519-2024-compromised key. Activated during the Oct 2025 security incident.

SHA256:nD2vH5kM8tY1cL4qW9eR3bO6fS7gJ0uA
Valid from
Oct 14, 2025
Valid until
Oct 31, 2026
Tools
cosign, sigstore
artifact-signing
Ed25519 Secondary Signing Key (2025) ed25519-2025-secondary
Ed25519 Active

Secondary signing key for nightly build automation and non-release artifacts.

SHA256:rC9xG2oP6wA3sU7yM4bI5nF8jK1hE0tV
Valid from
Mar 1, 2025
Valid until
Mar 31, 2026
Tools
cosign
artifact-signingattestation
Ed25519 Primary Signing Key (2026) ed25519-2026-primary
Ed25519 Active

Current primary Ed25519 key for all release artifact signing.

SHA256:mV3rN8pQ2sK7wX1bF5tG9hC4eD6jA0nL
Valid from
Jan 15, 2026
Valid until
Jan 31, 2027
Tools
cosign, sigstore
artifact-signingcontainer-signingattestation
Keyless OIDC — Gitea Actions keyless-gitea-actions
Keyless-OIDC Active

Keyless sigstore signing via Gitea Actions OIDC. No persistent key material. Identity is bound to workflow run context.

Ephemeral — no persistent key material
Valid from
Sep 1, 2024
Valid until
No expiry
Tools
cosign, sigstore
OIDC Issuer
https://git.home.jdoe.dev
artifact-signingattestation

Rotated / Retired (2)

Ed25519 Primary Signing Key (2024) ed25519-2024-primary
Ed25519 Rotated

Retired primary key. Valid for artifact verification through Feb 28 2025 (end of overlap window with 2025 key).

SHA256:kA5tE8iP3wD6rN1xH4bO7mL2fJ9gS0uC
Valid from
Jan 1, 2024
Valid until
Feb 28, 2025
Tools
cosign, sigstore
artifact-signing
Retired Feb 28, 2025 · Succeeded by ed25519-2025-primary
Ed25519 Primary Signing Key (2025) ed25519-2025-primary
Ed25519 Rotated

Retired primary key. Valid for artifact verification through Jan 31 2026 (end of overlap window with 2026 key).

SHA256:qB8wF1nM5vZ9hL3pT6cX2eA4kR7dJ0sU8iYmK9vXzP3=
Valid from
Jan 15, 2025
Valid until
Jan 31, 2026
Tools
cosign, sigstore
artifact-signingcontainer-signingattestation
Retired Jan 31, 2026 · Succeeded by ed25519-2026-primary

Expired (1)

Ed25519 Primary Signing Key (2023) ed25519-2023-primary
Ed25519 Expired

Expired first-generation Ed25519 key. Used Jan 2023 – Jan 2024.

SHA256:jZ4sD7hO2vC5mX8tG1aN6wF9bK3eI0rP
Valid from
Jan 1, 2023
Valid until
Jan 31, 2024
Tools
cosign
artifact-signing
Retired Jan 31, 2024 · Succeeded by ed25519-2024-primary

Revoked (2)

Ed25519 Backup Signing Key (2024) ed25519-2024-compromised
Ed25519 Revoked

Emergency revocation Oct 14 2025. Private key material was exposed in a build dependency audit log.

SHA256:zX7mQ2kN9wB4rT6vF1cH8dP3eA5oL0jU
Valid from
Apr 1, 2024
Valid until
Apr 30, 2025
Tools
cosign, sigstore
artifact-signing
Revoked Oct 14, 2025 02:17 UTC · See revocation record
RSA-4096 Legacy Signing Key (2022) rsa4096-2022-legacy
RSA-4096 Revoked

Administrative revocation. RSA-4096 retired in favour of Ed25519 per updated signing policy.

SHA256:lB6uF9jP4wE7rM2yI5cK8vN1hA3oG0tD
Valid from
Sep 1, 2022
Valid until
Sep 1, 2023
Tools
gpg
artifact-signing
Revoked Jun 1, 2023 00:00 UTC · See revocation record