Hey all,

Normally, the yearly rotation of the hbsd-update artifact signing key
is a transparent process with no user interaction. The signing key is
valid for 395 days from the time of generation.

That validity period was fine when we performed monthly builds. I
would simply update the cryptographic key material just before
December's build.

I last regenerated the key material Nov 28 2024, making it valid until
28 Dec 2025.

That presents somewhat of a problem since our next build will be on 01
Jan 2026. This means that, without the intervention I will detail in a
second, there will be a period of three days where the last published
hbsd-update build artifact is not installable, even though it's our
last official build.

To address this, I have now bumped the validity window to 400 days to
allow time to address potential infrastructure issues while still
having a valid update artifact. For example, if the build system fills
its filesystem on 01 Jan 2026, resulting in a failed build, that extra
time will allow me to investigate and address the issue. I have also
generated new cryptographic key material today and will be deploying
it soon.

So, at the end of this week, I will produce new builds. These new
builds will be signed with the new cryptographic key material.

TL;DR: expect a new build of HardenedBSD that is effectively the exact
same as this last build, just signed with a new key. This is a
(mostly) transparent mitigation requiring no user involvement. "Mostly
nothing to see here, but if you do notice something, it's fine. Move
along."

Thanks,
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
Signal Username: shawn_webb.74
Tor-ified Signal:
+1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc