Digital Signatures & Cryptography

We make it easy for you to take security seriously.

Locks

We strongly believe in protecting the authenticity and integrity of our communications and our software. It is for this reason that we employ the use of PGP digital signatures. Using our PGP keys, you can verify the authenticity and integrity of all emails and files that we publish to you or to the world.

Software signing key

We use Phusion Software Signing <software-signing@phusion.nl> for signing our software packages, e.g. gems and tarballs:

  • Short key ID: 0x0A212A8C
  • Long key ID: 0x2AC745A50A212A8C
  • Fingerprint: D5F0 8514 2693 9232 F437 AB72 2AC7 45A5 0A21 2A8C

This key is also stored at sks-keyservers.net and keyserver.ubuntu.com.

The Phusion Software Signing key is only used for signing software. It's never used for signing emails or for encrypting files, so please be suspicious if you encounter usage of this key outside the context of signing software, and alert us at support@phusion.nl. Include "notspam" in the message to bypass our spam filter.

The email address software-signing@phusion.nl redirects to info@phusion.nl so it's safe to send email there. Be sure to include "notspam" in the message to bypass our spam filter.

Founders' keys

We use the sender's personal key for email communication and encryption of files. All keys are stored on sks-servers.net and keyserver.ubuntu.com.

Hongli Lai's key

Key file: Hongli Lai <hongli@phusion.nl>

  • Short key ID: 4B6F4332
  • Long key ID: 06A131094B6F4332
  • Fingerprint: 64E8 0420 FC6A 499F 9E1F 81FA 06A1 3109 4B6F 4332

Ninh Bui's key

Key file: Ninh Bui <ninh@phusion.nl>

  • Short key ID: 6FAF3782
  • Long key ID: BA8DA3F46FAF3782
  • Fingerprint: 353A 398C 49AF 5CD5 74A0 656C BA8D A3F4 6FAF 3782

Revocation

In the event our key is compromised, we will revoke the key and upload the revocation information to sks-servers.net and keyserver.ubuntu.com. However your system will not know about the revocation until you update the keys from the keyservers. You should update your keys regularly (e.g. once a week) by invoking: 

gpg --refresh-keys --keyserver pool.sks-servers.net
# -OR-
gpg --refresh-keys --keyserver keyserver.ubuntu.com