Changes to ISC Software Signing

At the end of 2022, we are introducing some changes to the tools and procedures we use for signing the source code releases of our software, to make the whole process simpler and more robust.

What Is Going to Change and Why?

In the past, during any given one- or two-year period, ISC used a single code-signing PGP key that was rolled over after reaching its intended expiry date. Since 2019, each PGP key also had signing-only subkeys associated with it, to help limit the exposure of the primary key itself. Unfortunately, this approach turned out to present practical organizational challenges related to handling the primary key in a geographically-dispersed environment. We have also been publishing multiple signature files along with each source tarball, each of which was prepared using a different hashing algorithm (SHA-1, SHA-256, or SHA-512).

We have decided to simplify our approach to signing our source code releases. We are migrating to a new set of independent signing keys, each of which:

  • will be stored on a hardware token,
  • will not have a preset expiry date,
  • is expected to remain in use until revocation.

A PGP public key block containing the new set of signing keys is available on the ISC website, along with a list of key fingerprints. Both of these will get updated over time as the set of PGP keys expected to sign source code releases of ISC software evolves.

When Are the Changes Going to Happen?

The timeline for the migration to the new set of signing keys is as follows:

  • December 2022 through January 2023: each source code release of ISC software will still be accompanied by four signature files; among those, however, there will be both files prepared using the 2021-2022 code-signing key and files prepared using the new code-signing keys:

    • the *.asc file will contain signatures prepared using one of the new signing keys,

    • the *.sha1.asc, *.sha256.asc, and *.sha512.asc files will contain signatures prepared using the 2021-2022 code-signing key.

  • February 2023 onward: with the 2021-2022 code-signing key expiring on February 1st, 2023, each source code release of ISC software made after that date will only be accompanied by a single SHA-512 signature file, *.asc, which will be prepared using one of the new signing keys.

What Do I Need to Do?

If you are getting ISC software from precompiled packages (either those provided directly by ISC, or those provided by your operating system vendor or published in third-party package repositories), you do not need to do anything; the changes described above only apply to source code releases. The keys used for signing ISC-provided packages will not be affected.

If you are a packager of ISC software or you are building and installing ISC software directly from source, you may need to adjust your build recipes and/or procedures to account for the above changes. Depending on your current setup, you might encounter signature verification errors while processing ISC software released starting in December 2022, until the new signing keys are added to your local set of PGP keys expected to sign source code releases of ISC software.

Please feel free to reach out to us by email to info@isc.org, or via your regular support channel if you have any questions about the planned changes.

Recent Posts

What's New from ISC

Happy holidays from ISC!

ISC is fortunate to have staff members in so many different countries around the world: our software development benefits from all the different perspectives - and we benefit personally!

Read post
Previous post: Happy Holidays from ISC!