Wladimir's new GPG key

6

I just went to install the latest version of bitcoind and discovered that Wladimir has signed the https://bitcoin.org/bin/bitcoin-core-0.12.1/SHA256SUMS.asc file with a new GPG key: https://bitcoin.org/laanwj-releases.asc. His previous key was https://bitcoin.org/laanwj.asc.

Some Googling turned up this notice on Reddit, but he doesn't say why he started using a new key. Does anybody know why he switched keys? Are there any good reasons to switch keys? Should I be worried?

mulllhausen

Posted 2016-05-21T11:04:20.690

Reputation: 1 533

Answers

3

I chatted to Wladimir about this. He hasn't switched to a new key; he's just using a separate key to sign binary releases.

Additionally, he has signed the new key with the old key, so there's an audit path.

fluffyponyza

Posted 2016-05-21T11:04:20.690

Reputation: 443

Any idea why he's using a different key to sign the binaries? – mulllhausen 2016-05-22T23:06:05.170

(2) Separation of responsibilities - if one is compromised it does not compromise the other, and it can be revoked without affecting the other. – fluffyponyza 2016-05-23T11:03:04.613
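The audit path mentioned in the answer above can be checked locally. As an added example (not from the original posts or from the Bitcoin Core project), this filter reads `gpg --check-sigs --with-colons` output and succeeds only when the release key carries a signature from the old key that gpg verified as good. The key IDs and sample records are constructed placeholders; take the real fingerprints from a source you already trust.

```shell
#!/bin/sh
# Added example. Key IDs and sample records below are constructed placeholders.
OLD=AAAAAAAAAAAAAAAA   # long key ID of the long-standing key (placeholder)
NEW=BBBBBBBBBBBBBBBB   # long key ID of the release-signing key (placeholder)

# Reads `gpg --check-sigs --with-colons` output on stdin. Succeeds only if the
# key block for $1 contains a signature by $2 that gpg verified as good.
# Field 1 = record type, field 2 = check result on sig records
# ("!" good, "-" bad, "?" signer's public key missing), field 5 = key ID.
has_good_sig_from() {
    awk -F: -v new="$1" -v old="$2" '
        # Appending "" forces string comparison, so an all-digit ID is safe.
        $1 == "pub" { in_block = ($5 "" == new "") }
        in_block && $1 == "sig" && ($5 "" == old "") && $2 == "!" { ok = 1 }
        END { exit !ok }
    '
}

# Constructed sample: self-signature plus a good signature from OLD.
SAMPLE_GOOD="pub:-:4096:1:$NEW:1434000000:::-:::scSC:
uid:-::::1434000000::::Release key (constructed sample):
sig:!::1:$NEW:1434000000::::Release key (constructed sample):13x:
sig:!::1:$OLD:1434000100::::Old key (constructed sample):10x:"

# Constructed sample: OLD is not in the local keyring, so gpg reports "?"
# and the cross-signature proves nothing until OLD is imported and rechecked.
SAMPLE_NOKEY="pub:-:4096:1:$NEW:1434000000:::-:::scSC:
uid:-::::1434000000::::Release key (constructed sample):
sig:!::1:$NEW:1434000000::::Release key (constructed sample):13x:
sig:?::1:$OLD:1434000100::::[User ID not found]:10x:"

# Constructed sample: only a self-signature, so there is no link to OLD.
SAMPLE_SELF_ONLY="pub:-:4096:1:$NEW:1434000000:::-:::scSC:
uid:-::::1434000000::::Release key (constructed sample):
sig:!::1:$NEW:1434000000::::Release key (constructed sample):13x:"

if printf '%s\n' "$SAMPLE_GOOD" | has_good_sig_from "$NEW" "$OLD"; then
    echo "audit path verified: $NEW is signed by $OLD"
fi

# Against a real keyring, after importing both keys:
#   gpg --check-sigs --with-colons "$NEW" | has_good_sig_from "$NEW" "$OLD"
```

A pass only shows that the holder of the old key certified the new one; it says nothing about whether the old key itself is still trustworthy.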

1

Maybe he is worried his old key was compromised somehow? If that is the case, I would be careful about trusting anything signed with the old GPG key after the soonest date it could have been compromised.

I don't see a reason to worry about future releases he signs with his new GPG key.

Javier

Posted 2016-05-21T11:04:20.690

Reputation: 286

(2) In the Reddit notice he says he is continuing to use his old key to sign git commits, so he must still trust it. – mulllhausen 2016-05-21T11:25:21.813