[x-post] ROS signing key migration guide

We are again upon the brink of the ROS signing key expiration (June 1st) and from the Infrastructure PMC we are happy to announce a new package for ROS key and repository management.
The set of packages ros-apt-source and ros2-apt-source for Ubuntu and ros2-release for RHEL provide both the signing key and the repository configuration for ROS and ROS 2 :tada:.

This is a big step towards a simpler key update path, allowing the ROS project to rotate keys while keeping ROS users in sync as long as they keep their system up to date! From a security standpoint, having the ability to rotate keys without breaking ROS users has been a longtime goal for the Infrastructure PMC and this is the first step towards it.

There are two flavors of the package for Ubuntu/Debian distributions:

  • ros-apt-source and ros2-apt-source: provide key and repository configuration for the ROS and ROS 2 main repositories, respectively.
  • ros-testing-apt-source and ros2-testing-apt-source: provide key and repository configuration for the ROS and ROS 2 testing repositories, respectively.

For RHEL there is a single package ros2-release that configures both main and testing repositories and enables the main repository as the default behavior.

The migration guide can be found here.
