Potential unintended disclosure of our repository signing private key
Early last week, we noticed a break-in into one of our older package
building systems via a compromised user account. By gaining access to that
system, the attackers potentially also gained access to our repository signing
private key (fingerprint 055D000F1A9A092763B1F0DD14E8E08064497785). We cannot
say for certain whether the key was accessed, copied or downloaded from that
system, but we have to treat it as compromised as a matter of caution.
The machine that hosts our repositories was not affected by this breach and
there is no indication that any of the repositories have been altered. Our
main build servers were also not affected and we have no reason to believe
that there has been any nefarious interference with our package building
process.
We will therefore retire that key. All packages we release from this point on
will be signed with a new key, which we will publish at a later date. We kindly
ask you to remove the old key from your systems' trust stores (package-manager
keyrings) and to **not trust any signatures made with that key after
Feb 14, 2022**.
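As an added illustration, not part of the original advisory, the following Python script applies the rule above to GnuPG verification output: `gpg --status-fd 1 --verify` emits a `[GNUPG:] VALIDSIG` status line for every good signature, carrying the signing fingerprint, the signature's creation timestamp and the primary-key fingerprint, and the script rejects any signature made by the compromised key after the cutoff. The sample status lines are constructed; the second and third fingerprints are made-up placeholders for a replacement key and a hypothetical subkey, and reading "after Feb 14, 2022" as "past the end of that day, UTC" is an assumption.

```python
import re
import subprocess
from datetime import datetime, timezone

# Fingerprint the advisory declares compromised.
COMPROMISED_FPR = "055D000F1A9A092763B1F0DD14E8E08064497785"
# Assumption: "after Feb 14, 2022" means any signature timestamp past the end of that day, UTC.
CUTOFF = datetime(2022, 2, 14, 23, 59, 59, tzinfo=timezone.utc)

# GnuPG status line layout (from gpg's DETAILS document):
#   VALIDSIG <fpr> <YYYY-MM-DD> <sig-timestamp> <expire-timestamp> <sig-version>
#            <reserved> <pubkey-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
VALIDSIG_RE = re.compile(
    r"^\[GNUPG:\] VALIDSIG (?P<fpr>[0-9A-Fa-f]{40}) \S+ (?P<ts>\d+) \S+ \S+ \S+ \S+ \S+ \S+"
    r"(?: (?P<primary>[0-9A-Fa-f]{40}))?"
)


def parse_validsig(line):
    """Return (signing fingerprint, primary-key fingerprint, creation time) or None."""
    m = VALIDSIG_RE.match(line.strip())
    if not m:
        return None
    fpr = m.group("fpr").upper()
    primary = (m.group("primary") or fpr).upper()
    made = datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc)
    return fpr, primary, made


def classify(status_lines):
    """Apply the advisory's rule to the status output of one gpg run.

    Returns one of:
      'no-valid-signature'   - gpg reported no VALIDSIG at all
      'reject-after-cutoff'  - compromised key, signature dated after the cutoff
      'legacy-before-cutoff' - compromised key, signature dated on or before the cutoff
      'ok'                   - signed by some other key
    """
    sigs = [s for s in (parse_validsig(l) for l in status_lines) if s]
    if not sigs:
        return "no-valid-signature"
    worst = "ok"
    for fpr, primary, made in sigs:
        # A signature made with a subkey is reported with the primary key's fingerprint
        # in the last field; whoever holds the stolen primary key can mint subkeys, so
        # treat such signatures exactly like ones made with the primary key itself.
        if COMPROMISED_FPR in (fpr, primary):
            if made > CUTOFF:
                return "reject-after-cutoff"
            worst = "legacy-before-cutoff"
    return worst


def gpg_status_lines(signature_path, data_path):
    """Run gpg on a detached signature and return its machine-readable status lines.

    Uses real gpg flags; requires gpg on PATH and is not exercised by the samples below.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True,
    )
    return [l for l in proc.stdout.splitlines() if l.startswith("[GNUPG:] ")]


# Constructed sample status lines (not real gpg output from this project).
SAMPLE_OLD = ("[GNUPG:] VALIDSIG 055D000F1A9A092763B1F0DD14E8E08064497785 2022-01-10 1641772800 0 4 0 1 10 00 "
              "055D000F1A9A092763B1F0DD14E8E08064497785")
SAMPLE_NEW = ("[GNUPG:] VALIDSIG 055D000F1A9A092763B1F0DD14E8E08064497785 2022-02-20 1645315200 0 4 0 1 10 00 "
              "055D000F1A9A092763B1F0DD14E8E08064497785")
# Hypothetical subkey of the compromised primary key, signing after the cutoff.
SAMPLE_SUBKEY = ("[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2022-02-20 1645315200 0 4 0 1 10 00 "
                 "055D000F1A9A092763B1F0DD14E8E08064497785")
# Placeholder fingerprint standing in for the not-yet-published replacement key.
SAMPLE_OTHER = ("[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2022-03-01 1646092800 0 4 0 1 10 00 "
                "0123456789ABCDEF0123456789ABCDEF01234567")
SAMPLE_BAD = "[GNUPG:] BADSIG 14E8E08064497785 Example Repo Signing Key"

if __name__ == "__main__":
    for name, line in [("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("subkey", SAMPLE_SUBKEY),
                       ("other", SAMPLE_OTHER), ("bad", SAMPLE_BAD)]:
        print(f"{name:7s} {classify([line])}")
```

The creation timestamp inside a signature is chosen by the signer, so whoever holds the stolen private key can backdate new signatures; the date cutoff only sorts honest older signatures from new ones and is no substitute for removing the key from the trust store (for a GnuPG keyring, `gpg --delete-keys 055D000F1A9A092763B1F0DD14E8E08064497785`; for apt, the keyring file under /etc/apt/trusted.gpg.d or /etc/apt/keyrings that contains it).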
We sincerely apologize for the administrative effort that these steps cause,
and we will implement strict measures to keep our secret keys safe and to
prevent unauthorized access to our systems.
We welcome you to reach out to our support team if you have any questions.
22nd February 2022.