Operational Signing Keys¶
Official Shyft release artifacts are signed using dedicated operational signing keys that are authorized by the Shyft organization.
The organization’s trust anchor is the Shyft root certification key, which is maintained exclusively on the offline provisioning workstation described in Identity and Key Management.
Operational signing subkeys are generated, certified by the Shyft root certification key, transferred to dedicated hardware-backed devices, and used only for release signing.
Developer identity keys are independent of the release signing infrastructure and are used only for authenticated source history.
The operational signing keys are rotated periodically. The following sections document the current and previous operational signing keys together with the associated trust transitions.
Published Public Key Bundle¶
The published shyft-release.pub file contains:
the Shyft root certification key;
all currently authorized operational signing subkeys;
revoked operational signing subkeys where applicable.
The fingerprint of the Shyft root certification key remains stable throughout its lifetime.
Operational signing key rotation updates the published public key bundle without changing the organization’s trust anchor.
Current Operational Signing Key¶
File: tools/release/shyft-release.pub
Effective from: 2026-07-05
Fingerprint:
01D8 2A01 7FDD 5484 F020 7C19 C600 40E1 CA6C 6EE3
User ID:
Sigbjørn Helset <sigbjorn.helset@gmail.com>
Previous Operational Signing Keys¶
April 2026 Release Signing Key¶
File: tools/release/shyft-release-2026-04-02_2026-07-05.pub
Fingerprint:
CFFE BAE1 B25B AD34 C72A 2565 4A12 4000 37DA B695
User ID:
Sigbjørn Helset <sigbjorn.helset@gmail.com>
Validity:
- Used from:
2026-04-02
- Used until:
2026-07-05
- Status:
Deprecated (no longer used for new releases)
- Superseded by:
The current Shyft release signing key, effective from 2026-07-05.
Transition¶
The April 2026 release signing key was introduced as part of an update to the Shyft release-signing procedures.
During a subsequent review of the backup and recovery process, it was determined that the encrypted backup volume on the NitroKey 2 pro storage device, containing the only recoverable copy of the April 2026 root certification key was no longer recoverable. The encrypted storage media remains in project possession and there is no indication that the private key material was disclosed or compromised.
The hardware-backed signing and authentication subkeys stored on the associated Nitrokey 3A NFC device remained operational and continued to be used for release signing until the new root certification key was established.
A new Shyft root certification key was created following the documented key ceremony on 2026-07-05, including verified independent backups and updated recovery procedures. The new key was certified by the original Shyft release signing key.
For historical continuity, the tools/releases/transitions directory include a signed transition statement documenting this key transition together with detached signatures produced by the participating release-signing keys.
Original Shyft Release Signing Key¶
Fingerprint:
CBBC EF9B 3866 DFB1 883F 92EF CA6E CA12 FA40 8123
User ID:
Sigbjørn Helset <sigbjorn.helset@gmail.com>
Validity:
- Used until:
2026-04-02
- Status:
Deprecated (no longer used for new releases)
Transition¶
This key established the original Shyft release-signing trust chain and remains the historical trust anchor for releases produced prior to 2026-04-02.
The original hardware-backed signing key remains operational and was used to certify the current Shyft release signing key introduced on 2026-07-05, providing cryptographic continuity from the original Shyft release-signing identity.
Public Key Distribution¶
The public key is distributed with each Shyft release and is also available in the repository.
Users should verify the key fingerprint before trusting the key.
Key Usage¶
Shyft separates developer identity from organizational release authority.
Developer identity keys establish authenticated source history by signing Git commits and tags.
Operational signing keys authorize official Shyft release artifacts.
The two trust domains are connected only through the controlled release procedure.
Developer Identity
│
▼
Authenticated Source History
│
▼
Controlled Release Process
▲
│
Operational Signing Key
▲
│
Root Certification Authority
Key Rotation¶
If the release signing key changes in the future, the new key will be documented in the repository and announced in the release notes.
Security Model¶
Shyft distinguishes between source provenance and release authorization.
Source provenance is established through developer identity keys and signed Git history.
Release authorization is established through organizational operational signing keys certified by the Shyft root certification authority.
This separation allows developer identity, operational signing keys, and release operators to evolve independently while preserving a stable organizational trust anchor.
Organizations may further strengthen the model through:
dedicated release operators;
dual-control signing ceremonies;
hardware-backed operational signing keys;
independent build and verification pipelines.
See: