Release media signatures

Our current releases are signed with either of these keys or any sub keys:

Key fingerprint	Gentoo package	Description	Created	Expiry
`13EBBDBEDE7A12775DFDB1BABB572E0E2D182910`	sec-keys/openpgp-keys-gentoo-release	Gentoo Linux Release Engineering (Automated Weekly Release Key)	2009-08-25	2026-07-01
`DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D`	sec-keys/openpgp-keys-gentoo-release	Gentoo ebuild repository signing key (Automated Signing Key)	2011-11-25	2026-07-01
`EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72`	sec-keys/openpgp-keys-gentoo-release	Gentoo repository mirrors (GitHub) (automated git signing key)	2018-05-28	2026-07-01
`D99EAC7379A850BCE47DA5F29E6438C817072058`	sec-keys/openpgp-keys-gentoo-release	Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key)	2004-07-20	2025-07-01
`ABD00913019D6354BA1D9A132839FE0D796198B1`	sec-keys/openpgp-keys-gentoo-auth	Gentoo Authority Key L1	2019-04-01	2026-07-01
`18F703D702B1B9591373148C55D3238EC050396E`	sec-keys/openpgp-keys-gentoo-auth	Gentoo Authority Key L2 for Services	2019-04-01	2026-07-01
`2C13823B8237310FA213034930D132FF0FF50EEB`	sec-keys/openpgp-keys-gentoo-auth	Gentoo Authority Key L2 for Developers	2019-04-01	2026-07-01
`ABA5E4E7F4E407ABE9CA7EC7422C9066E21F705A`		Gentoo Authority Key L2 for Infrastructure	2024-04-19	2026-07-01

Verifying files

To verify downloaded files are not tampered with, the .asc signature file matching the release and the matching key from the table above are needed.

Fetch the key:

gpg --keyserver hkps://keys.gentoo.org --recv-keys <key fingerprint>

Alternatively, fetch a bundle containing all listed keys:

wget -O - https://qa-reports.gentoo.org/output/service-keys.gpg | gpg --import

Alternatively, use the Gentoo sec-keys/openpgp-keys-gentoo-release package:

gpg --import /usr/share/openpgp-keys/gentoo-release.asc

Verify the signature:

gpg --verify <foo.asc>

Detailed instructions are available in the Gentoo Handbook.