In accordance with the deprecation of SHA-1 signing for keys used to sign Linux repos, Phusion is moving to a new signing key signed with a SHA-256 signature. This particularly affects users who install Passenger through the Debian, Ubuntu, and Enterprise Linux packages.

This will necessitate some preparation work on your systems. You will need to add the new signing key before the changeover to avoid disruptions.

The changeover will happen in the last week of January 2026 to be ahead of the deadline of February 1st 2026.

Installation

To download and install the key you can do the following:

Debian based

Ubuntu Focal

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys D870AB033FB45BD1

Other

curl -fsSL https://oss-binaries.phusionpassenger.com/auto-software-signing-gpg-key-2025.txt | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/phusion_new.gpg >/dev/null

Enterprise Linuxes

Passenger Open Source

sudo curl --fail -sSLo /etc/yum.repos.d/passenger.repo https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo && sudo dnf update

Passenger Enterprise

sudo curl --fail -sSL -u "download:$YOUR_DOWNLOAD_TOKEN" -o /etc/yum.repos.d/passenger.repo https://www.phusionpassenger.com/enterprise_yum/el-passenger-enterprise.repo && sudo dnf update

Verification

You can test that the key is correctly installed by doing the following:

curl https://phusion-public.s3.us-east-1.amazonaws.com/message.txt > message.txt
curl https://phusion-public.s3.us-east-1.amazonaws.com/message.txt.sig > message.txt.sig

Debian based

Ubuntu Focal

gpg --no-default-keyring --keyring /etc/apt/trusted.gpg --verify message.txt.sig

Other

gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/phusion_new.gpg --verify message.txt.sig

Enterprise Linuxes

gpg --homedir /var/cache/dnf/passenger-*/pubring --verify message.txt.sig

The output from the command should verify that the signature is good. It may also indicate that the key is not known to belong to anyone; that is fine.
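
For scripted rollouts, the same check can be made on gpg's machine-readable status lines, which also confirms that the good signature came from the new key rather than from any other key in the keyring. This is an added example, not Phusion's code; the function names and the sample status lines are constructed here, and the expected key ID is the one from the apt-key command above.

```shell
#!/bin/sh
# Added example (not Phusion's code): judge a "gpg --verify" run from its
# machine-readable status lines instead of the human-readable text.
EXPECTED_KEYID="D870AB033FB45BD1"  # long key ID from the apt-key command on this page

# check_status KEYID: reads "gpg --status-fd 1" output on stdin. Succeeds only if
# the signature is good, not expired/revoked, made under a primary key whose
# fingerprint ends in KEYID, and not hashed with MD5 (1) or SHA-1 (2).
# TRUST_* lines are ignored: an unknown owner is expected here.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            fpr = toupper((NF >= 12) ? $12 : $3)   # field 12: primary key fingerprint
            tail = substr(fpr, length(fpr) - length(want) + 1)
            if (tail == toupper(want) && $10 != 1 && $10 != 2) keyok = 1
        }
        END { exit (good && keyok && !bad) ? 0 : 1 }
    '
}

# verify_sig KEYRING SIGFILE: the verify command from this page with status output added.
verify_sig() {
    gpg --no-default-keyring --keyring "$1" --status-fd 1 --verify "$2" 2>/dev/null |
        check_status "$EXPECTED_KEYID"
}

# Constructed status lines for offline runs; the fingerprint is a placeholder
# built from the key ID, not the real fingerprint.
FAKE_FPR="000000000000000000000000$EXPECTED_KEYID"
sample_status() {   # $1: signature status keyword, $2: hash algorithm ID
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] %s %s Constructed Example Key\n' "$1" "$EXPECTED_KEYID"
    printf '[GNUPG:] VALIDSIG %s 2026-01-15 1768435200 0 4 0 1 %s 00 %s\n' \
        "$FAKE_FPR" "$2" "$FAKE_FPR"
    printf '[GNUPG:] TRUST_UNDEFINED 0 pgp\n'
}
```

After sourcing the file, `verify_sig /etc/apt/trusted.gpg.d/phusion_new.gpg message.txt.sig` exits 0 only when all of the checks pass.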