Package Signing Key Rotation

In 2023, InfluxData rotated its package signing key and followed security best practices by specifying an expiration date. Because the current signing key expires on January 17, 2026, we are in the process of rotating it.

At the last rotation, we changed our approach to use a primary key with signing subkeys, which gives a better user experience during key rotation. It allows InfluxData to add a new signing subkey to its public key and deliver the updated key to users without changing the fingerprint of the primary key. As a side benefit for RPM users, it also means we don’t have to re-sign old RPM packages with the new key (which would change their cryptographic checksums).

Currently, the public influxdata-archive.key is:

$ gpg --show-keys --with-subkey-fingerprints ./influxdata-archive.key 
pub   rsa4096 2023-01-18 [SC]
      24C975CBA61A024EE1B631787C3D57159FC2F927
uid                      InfluxData Package Signing Key "[email protected]"
sub   rsa4096 2023-01-18 [S] [expires: 2026-01-17]
      9D539D90D3328DC7D6C8D3B9D8FF8E1F7DF8B07E

The new key is:

$ gpg --show-keys --with-subkey-fingerprints ./influxdata-archive.key 
pub   rsa4096 2023-01-18 [SC]
      24C975CBA61A024EE1B631787C3D57159FC2F927
uid                      InfluxData Package Signing Key "[email protected]"
sub   rsa4096 2023-01-18 [S] [expires: 2026-01-17]
      9D539D90D3328DC7D6C8D3B9D8FF8E1F7DF8B07E
sub   rsa4096 2025-07-10 [S] [expires: 2029-01-17]
      AC10D7449F343ADCEFDDC2B6DA61C26A0585BD3B
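The property the two listings above rely on, that adding a signing subkey leaves the primary key's fingerprint untouched, can be checked locally with gpg. The script below is an added example and not InfluxData's tooling: it creates a throwaway certify-only primary key in a temporary GNUPGHOME (the user id, the rsa2048 algorithm and the three-year expiry are made up for the demo), records the primary fingerprint, adds a signing subkey with `gpg --quick-add-key`, and confirms that the fingerprint is the same while a subkey now exists.

```shell
#!/bin/sh
# Added example, not InfluxData's code: show that adding a signing subkey
# with gpg --quick-add-key leaves the primary key's fingerprint unchanged.
# Everything happens in a throwaway GNUPGHOME; the user id is made up.
set -eu

# first_fpr: fingerprint of the first (primary) key in $GNUPGHOME.
# In --with-colons output the fingerprint is field 10 of an "fpr" record.
first_fpr() {
    gpg --batch --with-colons --list-keys 2>/dev/null | grep '^fpr:' | head -n 1 | cut -d: -f10
}

# subkey_count: number of "sub" records in $GNUPGHOME (0 if none).
subkey_count() {
    gpg --batch --with-colons --list-keys 2>/dev/null | grep -c '^sub:' || true
}

# demo_subkey_rotation: exit 0 if the primary fingerprint is the same before
# and after a signing subkey is added, and exactly one subkey now exists.
# The body is a subshell so the temporary GNUPGHOME never leaks to the caller.
demo_subkey_rotation() (
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME

    # Certify-only primary key ([C] in gpg's listing), no expiry, no passphrase
    # (demo only; a real deployment keeps this key offline and protected).
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Package Signing Key <demo@example.invalid>' \
        rsa2048 cert never >/dev/null 2>&1
    before=$(first_fpr)

    # Add a signing subkey ([S]) that expires in three years, as a rotation would.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$before" rsa2048 sign 3y >/dev/null 2>&1
    after=$(first_fpr)
    nsub=$(subkey_count)

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$GNUPGHOME"

    echo "primary fingerprint before: $before"
    echo "primary fingerprint after:  $after"
    echo "signing subkeys:            $nsub"
    [ "$before" = "$after" ] && [ "$nsub" -eq 1 ]
)

if command -v gpg >/dev/null 2>&1; then
    demo_subkey_rotation
else
    echo "gpg not installed; nothing to demonstrate"
fi
```

Because only the subkey changes, any consumer that pins the primary fingerprint (rather than the SHA256 of the exported key file) keeps working after the new subkey is added; the exported file itself does change, since it now carries an additional subkey packet.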

Compatibility

When we rotated our signing key in 2023, there were still a few older, active Linux distributions that didn’t support signing subkeys, so we provided the public signing subkey (7DF8B07E) via the influxdata-archive_compat.key file. That file carries the signing subkey on its own rather than under the primary, which is why gpg lists it as a primary (pub) key with the subkey’s fingerprint and expiry:

$ gpg --show-keys --with-subkey-fingerprints ./influxdata-archive_compat.key 
pub   rsa4096 2023-01-18 [SC] [expires: 2026-01-17]
      9D539D90D3328DC7D6C8D3B9D8FF8E1F7DF8B07E
uid                      InfluxData Package Signing Key "[email protected]"

While these distributions have since gone EOL (end-of-life), we will provide the new public signing subkey (0585BD3B) via a new influxdata-archive_compat-exp2029.key file for those users who need it.

Rollout

Because key rotations can be disruptive, we are rolling out the updates in stages:

  1. Ensure the official documentation explains how to verify the GPG key, so that the rotation goes smoothly (completed in August 2025).
  2. Generate a new signing subkey (completed in August 2025).
  3. Create a new influxdata-archive-keyring Linux package that contains our public key (and compatibility keys) and configures the system accordingly (completed in October 2025).
  4. Update InfluxData’s Linux packaging for all debs and rpms to pull in the new influxdata-archive-keyring package as a Recommends (completed in November 2025).
  5. Get the word out to the community on the upcoming key rotation via this blog post and community forums.
  6. Continue to sign new builds with the current signing subkey (7DF8B07E) until early January 2026.
  7. In early January 2026, upload the new key to https://repos.influxdata.com/influxdata-archive.key and to keyservers, upload the new compatibility key to https://repos.influxdata.com/influxdata-archive_compat-exp2029.key, and start signing new builds with the new signing subkey (0585BD3B).

Verifying your signing key usage

People who follow our installation instructions in our official documentation and downloads page will be ready when the key rotates and shouldn’t need to make any changes.

For existing installations and the best key rotation experience, you should verify that your system, container builds, and CI are using https://repos.influxdata.com/influxdata-archive.key, and verify that the GPG fingerprint of its primary key is 24C9 75CB A61A 024E E1B6 3178 7C3D 5715 9FC2 F927. Because the primary key’s fingerprint does not change when InfluxData adds the new signing subkey, a check on that fingerprint continues to pass after the rotation.

If your system, Dockerfile, or build environment is currently configured to use the influxdata-archive_compat.key, it should be updated to use the influxdata-archive.key instead. If your system requires the compatibility key, you will need to update your system to use the new influxdata-archive_compat-exp2029.key after InfluxData starts signing with it.

DEB-based systems

For users who install InfluxData software via DEBs, the influxdata-archive-keyring DEB ships GPG keyring files in the /usr/share/keyrings directory and configures /etc/apt/sources.list.d/influxdata.list accordingly. For example:

$ cat /etc/apt/sources.list.d/influxdata.list
deb [signed-by=/usr/share/keyrings/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main

The upcoming DEB packaging changes will install influxdata-archive-keyring during the upgrade and configure the system so that future updates will handle key rotation for you. If your system has the influxdata.list file prior to installing influxdata-archive-keyring and the file differs from what the influxdata-archive-keyring package would configure for you, you will be prompted on how to proceed during the upgrade.

If you install via DEBs but use a different file than /etc/apt/sources.list.d/influxdata.list to configure APT, it is recommended that you move your configuration to this file. If you choose not to install influxdata-archive-keyring, you’ll need to verify and update the signing key on your system in the normal way.

RPM-based systems

For users who install InfluxData software via RPMs, the upcoming RPM packaging changes will ship GPG key files in the /usr/share/influxdata-archive-keyring/keyrings directory and configure /etc/yum.repos.d/influxdata.repo accordingly. For example:

[influxdata]
name = InfluxData Repository - Stable
baseurl = https://repos.influxdata.com/stable/$basearch/main
enabled = 1
gpgcheck = 1
gpgkey = file:///usr/share/influxdata-archive-keyring/keyrings/influxdata-archive.asc

The upcoming RPM packaging changes will install influxdata-archive-keyring as part of the upgrade process and configure the system so that future updates will handle the key rotation for you. If your system has the influxdata.repo file prior to installing influxdata-archive-keyring and the file differs from what the influxdata-archive-keyring package would configure for you, the file will not be modified and a message will be logged on how to proceed. To ensure that influxdata-archive-keyring is managing the influxdata.repo file, you can run the following:

$ sudo mv /etc/yum.repos.d/influxdata.repo /etc/yum.repos.d/influxdata.repo.orig
$ sudo /usr/lib/influxdata-archive-keyring/influxdata-keyring upgrade

If you install via RPMs but are using a different file than /etc/yum.repos.d/influxdata.repo to configure YUM/DNF, it is recommended that you move your configuration to this file. If you choose not to install influxdata-archive-keyring, you’ll need to verify and update the signing key on your system in the normal way.

Docker, CI, etc.

Your Dockerfile or CI code might be doing something along these lines to configure APT to later fetch an InfluxData DEB for use in your container:

...
ADD https://repos.influxdata.com/influxdata-archive.key ./influxdata-archive.key
RUN cat ./influxdata-archive.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null
...

While this will handle the key rotation fine, since it downloads influxdata-archive.key during the container build, best practice for supply chain security is to verify that the downloaded key file is what you expect. A simple way is to check the SHA256 of the key file against a known value, but the caveat is that when a key rotation adds the new signing subkey to influxdata-archive.key, the SHA256 of the file changes and your build breaks. It’s better to verify that the fingerprint of the primary public key is 24C9 75CB A61A 024E E1B6 3178 7C3D 5715 9FC2 F927, which does not change when a subkey is added. One way to do this is:

...
ADD https://repos.influxdata.com/influxdata-archive.key ./influxdata-archive.key
RUN gpg --no-default-keyring --show-keys --with-fingerprint --with-colons ./influxdata-archive.key | grep -q '^fpr:\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' && cat ./influxdata-archive.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null
...

This fetches influxdata-archive.key and verifies the fingerprint before writing the keyring, so the packages fetched later in the build are checked against the key you expect. Two caveats apply. The grep confirms that the expected primary key is present in the file, not that it is the only key in it, so an extra key appended to the file would be dearmored into the keyring and trusted as well. And a keyring placed in /etc/apt/trusted.gpg.d is trusted for every APT source; it is preferable to write it to /usr/share/keyrings/influxdata-archive.gpg and reference it with signed-by= in the InfluxData sources entry, as the influxdata-archive-keyring package does, so the key only authenticates the InfluxData repository. Your Dockerfile or CI code is likely a bit different, but it’s recommended that you always verify the key file in some manner.
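The fingerprint check in the Dockerfile above, and the advice earlier in this post to pin the primary fingerprint rather than the file hash, both rest on gpg's machine-readable output, so it is worth seeing what those records look like and what a stricter check does with them. The script below is an added example and not InfluxData's code: it parses `--with-colons` records, requires exactly one primary key whose fingerprint is the expected one, and lists the signing subkeys. Both inputs are constructed: the first mirrors the post-rotation key listed earlier (fingerprints from this post; key ids are the last 16 hex digits of each fingerprint, while the timestamps and the uid are approximations), and the second appends a made-up second primary key to show the check rejecting a file that a bare `grep -q` would accept. The `verify_key_file` wrapper and its gpg flags are the only part that touches a real file.

```shell
#!/bin/sh
# Added example, not InfluxData's code: verify a downloaded key file by
# parsing gpg's machine-readable (--with-colons) output instead of grepping
# it. A "fpr" record carries the fingerprint in field 10 and belongs to the
# "pub" or "sub" record that precedes it.
set -eu

INFLUXDATA_PRIMARY_FPR=24C975CBA61A024EE1B631787C3D57159FC2F927

# key_fprs: read --with-colons records on stdin and print one
# "KIND FINGERPRINT" line per key, KIND being pub or sub.
key_fprs() {
    kind=""
    while IFS=: read -r f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 rest; do
        case $f1 in
            pub|sub) kind=$f1 ;;
            fpr) if [ -n "$kind" ]; then printf '%s %s\n' "$kind" "$f10"; fi; kind="" ;;
        esac
    done
}

# verify_primary_fpr EXPECTED: succeed only if stdin describes exactly one
# primary key and its fingerprint is EXPECTED. Requiring exactly one primary
# rejects a file that carries an extra key next to the genuine one, which a
# bare `grep -q` for the expected fingerprint would accept.
verify_primary_fpr() {
    key_fprs | {
        npub=0; match=0
        while read -r kind fpr; do
            if [ "$kind" = pub ]; then
                npub=$((npub + 1))
                if [ "$fpr" = "$1" ]; then match=1; fi
            fi
        done
        [ "$npub" -eq 1 ] && [ "$match" -eq 1 ]
    }
}

# list_subkey_fprs: print the fingerprint of every subkey on stdin.
list_subkey_fprs() {
    key_fprs | while read -r kind fpr; do
        if [ "$kind" = sub ]; then printf '%s\n' "$fpr"; fi
    done
}

# verify_key_file FILE EXPECTED: run the check against a real key file.
verify_key_file() {
    gpg --batch --no-default-keyring --show-keys --with-fingerprint --with-colons "$1" \
        | verify_primary_fpr "$2"
}

# Constructed sample mirroring `gpg --with-colons --show-keys` for the
# post-rotation influxdata-archive.key: fingerprints are the ones in this
# post, key ids are the last 16 hex digits of each fingerprint, and the
# timestamps and uid are approximations made up for the example.
SAMPLE_NEW_KEY='pub:-:4096:1:7C3D57159FC2F927:1674000000:::-:::scSC::::::23::0:
fpr:::::::::24C975CBA61A024EE1B631787C3D57159FC2F927:
uid:-::::1674000000::0000000000000000000000000000000000000000::InfluxData Package Signing Key::::::::::0:
sub:-:4096:1:D8FF8E1F7DF8B07E:1674000000:1768608000:::::s::::::23:
fpr:::::::::9D539D90D3328DC7D6C8D3B9D8FF8E1F7DF8B07E:
sub:-:4096:1:DA61C26A0585BD3B:1752105600:1863302400:::::s::::::23:
fpr:::::::::AC10D7449F343ADCEFDDC2B6DA61C26A0585BD3B:'

# Constructed tampered sample: the genuine key followed by a second primary
# key (made-up fingerprint). The expected fingerprint is still present.
SAMPLE_TWO_KEYS="$SAMPLE_NEW_KEY
pub:-:4096:1:0000000000000001:1752105600:::-:::scSC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:-::::1752105600::1111111111111111111111111111111111111111::Not InfluxData::::::::::0:"

if printf '%s\n' "$SAMPLE_NEW_KEY" | verify_primary_fpr "$INFLUXDATA_PRIMARY_FPR"; then
    echo "genuine sample: primary fingerprint OK; subkeys:"
    printf '%s\n' "$SAMPLE_NEW_KEY" | list_subkey_fprs
fi
if printf '%s\n' "$SAMPLE_TWO_KEYS" | verify_primary_fpr "$INFLUXDATA_PRIMARY_FPR"; then
    echo "tampered sample: accepted (unexpected)"
else
    echo "tampered sample: rejected (extra primary key)"
fi
# Real use: verify_key_file ./influxdata-archive.key "$INFLUXDATA_PRIMARY_FPR" \
#   && gpg --dearmor < ./influxdata-archive.key > /usr/share/keyrings/influxdata-archive.gpg
```

In a Dockerfile, the `verify_key_file ... && gpg --dearmor ...` pattern at the end replaces the single grep: the key is only written into the keyring when the file contains exactly the InfluxData primary key, and because the check is on the primary fingerprint it keeps passing after the new signing subkey is added.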

If your Dockerfile or CI code is still using the influxdata-archive_compat.key, it is recommended you update it to use influxdata-archive.key instead.