Phusion takes security very seriously. This is why we strongly believe in protecting the authenticity and integrity of our communications and our software, and why we employ the use of PGP digital signatures. Using our PGP keys, you can verify the authenticity and integrity of all emails and files that we publish to you or to the world. All software releases that we make are signed with one of our PGP keys.
The founders’ keys have changed
As Phusion’s founders, we – Hongli Lai and Ninh Bui – have our own personal PGP keys as well, which we use to encrypt or sign some of our emails and git commits. We’ve recently run a security audit and noticed that our PGP keys are no longer deemed as secure as they should be. The keys that we’ve been using until today were made back in 2009, but the recommended algorithms and key sizes in 2014 are quite different from what they were 5 years ago. For this reason, we’ve decided to revoke our old keys and to create new ones, with stronger security settings.
Nothing has been compromised. We are simply renewing our keys as a precaution.
Effective immediately, our new PGP keys are as follows:
- Hongli Lai (email@example.com)
Short key ID: 8C59158F
Long key ID: CD70085E8C59158F
Fingerprint: 218A 7255 83D0 2ECE F3A9 C2A7 CD70 085E 8C59 158F
- Ninh Bui (firstname.lastname@example.org)
Short key ID: 69481265
Long key ID: AE405F7869481265
Fingerprint: A77C 9CEF 766D 0E7D A95B 8778 AE40 5F78 6948 1265
If you had our old keys in your keyring, please update them so that you see the revocations:
gpg --refresh-keys --keyserver pool.sks-servers.net # -OR- gpg --refresh-keys --keyserver keyserver.ubuntu.com
No effect on the signatures of our file releases
Please note that Phusion’s software releases and Ruby gems are not signed with our personal keys. Instead, they’re signed with the Phusion Software Signing key, which is still considered strong enough.
Our git commits, though, are often signed with our personal keys.
If you’re using Phusion Passenger, we strongly recommend you to cryptographically verify every release. The Phusion Passenger documentation contains comprehensive instructions that explains how you can verify our tarballs, Ruby gems, Git commits and more.
Onward and upwards!
With kind regards,