Release media signatures

Our current releases are signed with either of these keys or any sub keys:


Key Fingerprint Description Created Expiry
13EBBDBEDE7A12775DFDB1BABB572E0E2D182910 Gentoo Linux Release Engineering (Automated Weekly Release Key) 2009-08-25 2022-07-01
DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D Gentoo ebuild repository signing key (Automated Signing Key) 2011-11-25 2022-07-01
EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72 Gentoo repository mirrors (automated git signing key) 2018-05-28 2022-07-01
D99EAC7379A850BCE47DA5F29E6438C817072058 Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) 2004-07-20 2022-01-01
ABD00913019D6354BA1D9A132839FE0D796198B1 Gentoo Authority Key L1 2019-04-01 2022-07-01
18F703D702B1B9591373148C55D3238EC050396E Gentoo Authority Key L2 for Services 2019-04-01 2022-07-01
2C13823B8237310FA213034930D132FF0FF50EEB Gentoo Authority Key L2 for Developers 2019-04-01 2022-07-01

Verifying files

To verify downloaded files are not tampered with, you need the .DIGESTS file matching your release and the matching key from the table above.

Fetch the key:

gpg --keyserver hkps://keys.gentoo.org --recv-keys <key fingerprint>

Alternatively, you can fetch a bundle containing all listed keys:

wget -O - https://qa-reports.gentoo.org/output/service-keys.gpg | gpg --import

Verify the DIGESTS file:

gpg --verify <foo.DIGESTS.asc>

Verify the download matches the digests. At least one of the following will exist:

sha512sum -c <foo.DIGESTS.asc>

sha256sum -c <foo.DIGESTS.asc>

sha1sum -c <foo.DIGESTS.asc>


Detailed instructions are available in the Gentoo Handbook.