ROS Resources: Documentation | Support | Discussion Forum | Service Status | Q&A

New GPG keys deployed for

As a follow up to Security issue on ROS build farm we have now deployed new GPG keys to This will require anyone using to update your trusted GPG keys to be able to update packages going forward.

tldr; At this point you should do the following 3 things:

  • Add the new ROS GPG key to your apt keyring if you have not already.
  • Revoke the old GPG key, it’s no longer used.
  • If using testing update the ros-shadow-fixed repository to refer to ros-testing repository.

How to transition

Below are instructions for how to update your GPG keys.

Adding the new ROS repository key

Who should do this?
Everyone who installs ROS packages from

When should this be done?

What to do?
Set up the new repository key

sudo apt-key adv --keyserver 'hkp://' --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654

Removing the old ROS repository key

Who should do this?

When must this be done?

What to do?
Remove the key from your apt keyring

sudo apt-key del 421C365BD9FF1F717815A3895523BAEEB01FA116

Updating the testing repository url

Who should do this? Anyone who is currently using the ros-shadow-fixed repository to test ROS packages before a sync.

Check your /etc/apt/sources.list and /etc/apt/sources.list.d/*.list for and replace it with

Migrating to for unsupported distribitions

For older unsupported distributions we have moved the debian packages to a new host. Details for how to set that up are in this post: Security issue on ROS build farm

More detailed explanations can be found in this post:


Excellent, thank you @tfoote. We’ve thus started the process of untrusting the old key in the snapcraft CLI (the new one has been trusted since the original news broke, no one should be broken).


FYI: ROS Docker images from the Official Library registry have also been updated to reflect the above key rotation. Please be sure to sure to pull the latest images before rebuilding any dependent tags.

As @gerkey mentioned in the original thread, a big thanks to @tfoote, @nuclearsandwich, and @jrivero for the many hours and late nights they put into getting us back on track. Cheers! :beers:

P.S. for tracking when update images get finally synced to the docker hub registry:


Thank you to @kyrofa @ruffsl @garyservin and everyone who’s helping propagate these changes quickly. If you’re updating tools and services that build on top of our packages please reply here or track it at so that people can know which things have been updated.


For ubuntu 14.04 or earlier (e.g. indigo or jade), we should run

sudo apt-key del B01FA116

instead of

sudo apt-key del 421C365BD9FF1F717815A3895523BAEEB01FA116

since apt version is old.

B01FA116 is the last 8 characters of 421C365BD9FF1F717815A3895523BAEEB01FA116.

1 Like