6

I just went to install the latest version of bitcoind and discovered that Wladimir has signed the https://bitcoin.org/bin/bitcoin-core-0.12.1/SHA256SUMS.asc file with a new GPG key: https://bitcoin.org/laanwj-releases.asc. His previous key was https://bitcoin.org/laanwj.asc.

Some Googling turned up this notice on reddit but he doesn't say why he started using a new key. Does anybody know why he switched keys? Are there any good reasons to switch keys? Should I be worried?

Murch
mulllhausen

2 Answers

3

I chatted to Wladimir about this. He hasn't switched to a new key, he's just using a separate key to sign binary releases.

Additionally, he has signed the new key with the old key, so there's an audit path.

fluffyponyza
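The audit path described in the answer above can be checked locally rather than taken on trust. As an added example (not part of the original answer and not Bitcoin Core project code), this Python parses the output of `gpg --with-colons --check-sigs` and reports whether the release key carries a verified-good certification from the older key. The key IDs and the sample output are constructed placeholders.

```python
# Input format: gpg --with-colons --check-sigs <release-key-id>
# Key IDs and SAMPLE are constructed placeholders, not real key data.
OLD_KEY = "AAAAAAAAAAAAAAAA"      # placeholder long ID of the older key
RELEASE_KEY = "BBBBBBBBBBBBBBBB"  # placeholder long ID of the release key

SAMPLE = """\
pub:-:4096:1:BBBBBBBBBBBBBBBB:1433838887:::-:::scESC:
uid:-::::1433838887::::Example Release Key <releases@example.org>:
sig:!::1:BBBBBBBBBBBBBBBB:1433838887::::Example Release Key <releases@example.org>:13x:
sig:!::1:AAAAAAAAAAAAAAAA:1433839000::::Example Developer <dev@example.org>:10x:
sub:-:4096:1:CCCCCCCCCCCCCCCC:1433838887::::::e:
sig:!::1:BBBBBBBBBBBBBBBB:1433838887::::Example Release Key <releases@example.org>:18x:
"""

CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP user ID certifications


def certifiers(colon_output, key_id):
    """Map signer key ID -> check status for certifications on key_id's user IDs.

    Status is field 2 of the sig record: '!' good, '-' bad,
    '?' signer's public key missing, '%' other error.
    """
    found = {}
    current_pub, on_uid = None, False
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current_pub, on_uid = f[4], False
        elif f[0] == "uid":
            on_uid = True
        elif f[0] == "sub":
            on_uid = False  # binding signatures follow, not certifications
        elif f[0] == "sig" and on_uid and current_pub == key_id and len(f) > 10:
            if f[10][:2] in CERT_CLASSES and found.get(f[4]) != "!":
                found[f[4]] = f[1][:1]
    return found


def has_audit_path(colon_output, release_key, old_key):
    """True only if old_key made a verified-good certification on release_key."""
    return certifiers(colon_output, release_key).get(old_key) == "!"


if __name__ == "__main__":
    print(certifiers(SAMPLE, RELEASE_KEY))
    print(has_audit_path(SAMPLE, RELEASE_KEY, OLD_KEY))
```

A good certification only carries trust forward if the older key's fingerprint was already verified through an independent channel; the check says nothing about a key you never validated.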
1

Maybe he is worried his old key was compromised somehow? If that is the case I would be careful about trusting anything signed with the old GPG key after the soonest date it could have been compromised.

I don't see a reason to worry about future releases he signs with his new GPG key.

Javier
  • 2
    in the reddit notice he says he is continuing to use his old key to sign git commits, so he must still trust it. – mulllhausen May 21 '16 at 11:25