Potential unintended disclosure of our repository signing private key

Early last week, we noticed a break-in into one of our older package building systems via a compromised user account. By gaining access to that system, attackers potentially also gained access to our repository signing private key (ID 055D000F1A9A092763B1F0DD14E8E08064497785). We cannot say for certain if the key has been accessed, copied or downloaded from that system, but we have to consider it to be compromised as a matter of caution.

The machine that hosts our repositories was not affected by this breach and there is no indication that any of the repositories have been altered. Our main build servers were also not affected and we have no reason to believe that there has been any nefarious interference with our package building process.

Nevertheless, we will replace that key with a new one and will sign all of the packages we release from this point on with a different key that will be published at a later point in time. We kindly ask you to remove the old key from your system’s trust stores and to **not trust any signatures made with that key after Feb 14, 2022**.
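
For mirrors or archives that still have to verify older packages while the key is being phased out, the date rule above can be applied to GnuPG's machine-readable status output. The following is an added example, not code from the vendor; the function names and sample lines are constructed for illustration, and it assumes that "after Feb 14, 2022" means a signature timestamp of Feb 15, 2022 00:00 UTC or later.

```python
from datetime import datetime, timezone

# Fingerprint published in the advisory.
COMPROMISED_FPR = "055D000F1A9A092763B1F0DD14E8E08064497785"
# Assumption: "after Feb 14, 2022" means Feb 15, 2022 00:00 UTC or later.
CUTOFF = datetime(2022, 2, 15, tzinfo=timezone.utc)

# Constructed sample status lines (not real gpg output); "A"*40 is a made-up subkey.
SAMPLE_AFTER = f"[GNUPG:] VALIDSIG {COMPROMISED_FPR} 2022-03-01 1646092800 0 4 0 1 10 00 {COMPROMISED_FPR}"
SAMPLE_SUBKEY = f"[GNUPG:] VALIDSIG {'A' * 40} 2022-02-20 20220220T120000 0 4 0 1 10 00 {COMPROMISED_FPR}"

def parse_ts(field):
    """GnuPG emits epoch seconds or ISO 8601 basic format (YYYYMMDDTHHMMSS)."""
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def check_status(status_text):
    """Classify the first VALIDSIG line from `gpg --status-fd 1 --verify ...`.

    Returns (verdict, reason); verdict is "reject", "legacy" or "other-key".
    """
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        args = parts[2:]
        signer = args[0].upper()
        # The last field is the primary key fingerprint when GnuPG provides it;
        # a signature made by a subkey only matches the advisory ID there.
        primary = args[9].upper() if len(args) >= 10 else signer
        if COMPROMISED_FPR not in (signer, primary):
            return ("other-key", "valid signature from a different key")
        made = parse_ts(args[2])  # args[2] is the signature creation timestamp
        if made >= CUTOFF:
            return ("reject", f"old key, signature dated {made:%Y-%m-%d}")
        return ("legacy", f"old key, signature dated {made:%Y-%m-%d}")
    return ("reject", "no VALIDSIG line: signature missing or bad")

if __name__ == "__main__":
    for sample in (SAMPLE_AFTER, SAMPLE_SUBKEY):
        print(check_status(sample))
```

The signature timestamp is written by whoever holds the private key, so a "legacy" verdict does not prove a signature predates the breach. Removing the key from trust stores, as requested above, is the stronger control.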

We sincerely apologize for the administrative effort caused by actions that need to be taken and will implement strict measures to make sure that our secret keys are kept safe and to prevent unauthorized access to our systems.

We welcome you to reach out to our support team if you have any questions.

22nd February 2022.