A copy of this statement clear-signed with both the old and new keys is available at https://zodl.com/security/key-transition.txt.asc .
GPG Key Transition Statement
We are transitioning the GPG signing key used to sign zcashd and Zallet APT packages,
as well as standalone Android binaries (GitHub Releases for zodl-inc/zodl-android).
This transition reflects the reorganization of the project under Zcash Open Development
Lab (ZODL).
Old key (Electric Coin Company):
Fingerprint : B1C9 095E AA18 48DB B54D 9DDA 1D05 FDC6 6B37 2CFE
UID : Zcash Master Signing Key (Electric Coin Company) <sysadmin@z.cash>
Key type : RSA 3072-bit
Created : 2023-06-19
Status : To be revoked as a precaution after a transition period
Public key : https://apt.z.cash/zcash.asc
New key (Zcash Open Development Lab):
Fingerprint : 0338 34DD 49DE CF9D BB99 34BC 6C93 CA8E 58E2 6AB1
UID : Zcash Open Development Lab (ZODL) (Dallas, Texas) <sysadmin@zodl.com>
Key type : RSA 4096-bit
Expires : 2028-03-22
Public key : https://apt.z.cash/zodl.asc
Timeline:
2026-03-23 New key generated.
2026-03-27 This announcement is published.
2026-04-23 All new zcashd and Zallet packages and binaries will be signed exclusively
with the new key. Packages signed with the old key will no longer be
published.
2026-06-23 Planned revocation of old ECC key.
Action required for Zcashd APT users:
If you run zcashd via the apt.z.cash repository, you MUST add the new signing key before
2026-04-23 or apt-get upgrade will fail with a signature verification error and zcashd
will stop receiving updates.
Step 1 — Import the new key:
curl -fsSL https://apt.z.cash/zodl.asc | \
sudo gpg --dearmor -o /usr/share/keyrings/zcash-zodl-archive-keyring.gpg
Step 2 — Update your sources file.
Edit /etc/apt/sources.list.d/zcash.list and change the signed-by path:
deb [signed-by=/usr/share/keyrings/zcash-zodl-archive-keyring.gpg] \
https://apt.z.cash/ <distro> main
(Replace <distro> with your distribution, e.g. bookworm.)
Step 3 — Verify the update works:
sudo apt-get update && sudo apt-get install --dry-run zcashd
After 2026-04-23 the old key (sysadmin@z.cash) will no longer sign new releases.
Packages already installed are not affected; only future upgrades require the new key.
Action required for Zallet APT users:
Same procedure as above. Update your /etc/apt/sources.list.d/zallet.list:
deb [signed-by=/usr/share/keyrings/zcash-zodl-archive-keyring.gpg] \
https://apt.z.cash/ <distro> main
Action required for zodl-android (APK) users:
Android APKs published to GitHub Releases at
https://github.com/zodl-inc/zodl-android will be signed with the new key
starting 2026-04-23. To verify a release binary:
curl -fsSL https://apt.z.cash/zodl.asc | gpg --import
gpg --verify zodl-android-<version>.apk.asc zodl-android-<version>.apk
Verification:
This document is signed with both the old key (sysadmin@z.cash) and the new key
(sysadmin@zodl.com) to establish continuity of identity. To verify:
curl -fsSL https://zodl.com/security/key-transition.txt.asc >key-transition.txt.asc
gpg --verify key-transition.txt.asc
and then verify that key-transition.txt.asc matches the published announcement.
(Apologies for the long lines; I didn’t want to change the formatting from what was signed. You can click “⤢” on the top-right of the text block to see it without needing to scroll left and right.)