PSA: PGP Key Changed!

I have detected that the official Kali PGP key (provided for signing releases) has changed!

gpg --keyserver hkps://keyserver.ubuntu.com --recv-key 827C8569F2518CC677FECA1AED65462EC8D5E4C5

The above documentation clearly tells users to download a key with fingerprint = 827C 8569 F251 8CC6 77FE CA1A ED65 462E C8D5 E4C5.

But that differs from the previous key that Kali has been using to sign releases = 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6

I searched the kali website, and I could see no PGP Key Transition Statement – a standard message that indicates that the old key is being retired (listing the key fingerprint) and replaced by a new key (listing the key fingerprint), which is cryptographically signed by the old key (and the new key) to indicate a chain of trust for the transition.

======================
Edited by moderators:
As no such PGP Key Transition Statement exists, I think the community should assume that the Kali infrastructure has been compromised and the new key is malicious.

OP just didn’t find it, but a blog post has been there since day 1

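A defender-side check that follows from the thread above, added here as an example (it is not Kali's tooling and was not posted in the thread): compare the full 40-hex-digit fingerprint that gpg reports for a key against the fingerprint the documentation publishes, rather than eyeballing a short key ID. It uses the two fingerprints quoted in the thread and a constructed sample of `gpg --with-colons --fingerprint` output so it runs offline.

```python
"""Check that the key gpg holds matches the fingerprint published in the docs.

Added example for this thread, not Kali's code. The gpg output below is a
constructed sample in `gpg --with-colons --fingerprint` format so the
check runs offline; feed it real output to use it for an actual key.
"""
import re

# Fingerprints quoted in the thread: documented new key, previous release key.
DOCUMENTED_NEW_FPR = "827C 8569 F251 8CC6 77FE CA1A ED65 462E C8D5 E4C5"
PREVIOUS_FPR = "44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6"

# Constructed sample: a primary key whose fingerprint matches the docs,
# plus a signing subkey (the sub/fpr pair must not be mistaken for the primary).
SAMPLE_GPG_OUTPUT = """\
tru::1:1700000000:0:3:1:5
pub:-:4096:1:ED65462EC8D5E4C5:1600000000::-:::scSC::::::23::0:
fpr:::::::::827C8569F2518CC677FECA1AED65462EC8D5E4C5:
uid:-::::1600000000::0000000000000000000000000000000000000000::Example Key <example@invalid>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1600000000::::::s::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
"""


def normalize_fpr(fpr: str) -> str:
    """Strip spacing and case; refuse anything shorter than a full v4 fingerprint.

    A 16-hex "long key ID" (e.g. the last 16 digits) is not a fingerprint and
    is rejected so callers cannot accidentally compare on a collidable prefix.
    """
    norm = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", norm):
        raise ValueError(f"not a full 160-bit fingerprint: {fpr!r}")
    return norm


def primary_fingerprints(colons_output: str) -> list[str]:
    """Return fingerprints of primary keys only (the fpr record following a pub record)."""
    fprs, expect_primary = [], False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_primary = True
        elif fields[0] == "fpr" and expect_primary:
            fprs.append(fields[9])  # field 10 of an fpr record is the fingerprint
            expect_primary = False
        elif fields[0] in ("sub", "uid"):
            expect_primary = False
    return fprs


def key_matches_documentation(colons_output: str, documented_fpr: str) -> bool:
    """True only when a primary key's full fingerprint equals the documented one."""
    return normalize_fpr(documented_fpr) in primary_fingerprints(colons_output)
```

Against a real keyring, pipe the output of `gpg --with-colons --fingerprint <keyid>` into `key_matches_documentation` with the fingerprint taken from the documentation page, not from the key itself.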

Apparently I can’t make edits to this post?

Anyway, here’s a link to a guide to writing Key Transition Statements

If the Kali team really did rotate signing keys without publishing a Key Transition Statement, the above guide shows how to do this.

See also:

If you had entered that key into a search engine, you would have come across the blog post

It’s also been mentioned on the forum almost daily now.

(closing)
