In light of the build.ros.org security issue we have decided to retire the key previously used to sign ROS 2 apt repositories.
We believe the ROS 2 repositories to be intact. We have no reason to believe that any malicious access or use of the GPG key occurred. To be abundantly cautious we are updating the repository signing key to curb future abuse of the potentially exposed key but the packages in the repository are unchanged. When we perform the first sync for Dashing later today it will update the signing key for all ROS 2 repositories.
Adding the new repository key
You may get the key from the GPG keyserver network, which requires apt-key and GnuPG
sudo apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654
or from the ROS 2 build repository host
curl http://repo.ros2.org/repos.key | sudo apt-key add -
Removing the old key from your apt keyring
This key is still used for ROS 1 packages on packages.ros.org and the key has not been updated there yet. Removing the key will prevent updates from the ROS and ROS testing (shadow fixed) repositories until they are redeployed.
If you’re only using packages from ROS 2, you can safely remove this key now. No package updates will be pushed to repositories signed with this key. Unless you need to install ROS 1 packages not previously installed on your system, you could remove it now to be as safe as possible.
sudo apt-key del 421C365BD9FF1F717815A3895523BAEEB01FA116
After the ROS 1 repository has been redeployed there will be no future legitimate use of this key and you should remove it from your systems. When that redeployment occurs we will make another announcement and update this thread.