For every Snyk CLI release, we publish signed binaries for Windows and macOS, and GPG signed SHA-256 checksums for all artifacts.
These important measures ensure the authenticity and integrity of the Snyk CLI prior to use.
Following a recent incident impacting our CI/CD vendor, we have rotated our GPG keys and are re-issuing our Windows and macOS signing certificates for Snyk CLI. Going forward, every Snyk CLI release will be signed with these new certificates, which replace the previous ones.
No malicious activity or leak is believed to have occurred; we are taking these steps out of an abundance of caution and concern for our customers’ safety.
What do I need to do?
Our new GPG keys should be used for verifying checksums from CLI release 1.1082.0 onwards.
If you have previously imported our public GPG key, please delete and re-import, via:
gpg --delete-keys 68BFBCCEB7794E6FC06A2044A29C32E91F4B9569 gpg --keyserver hkps://keys.openpgp.org --recv-keys A22665FB96CAB0E0973604C83676C4B8289C296E
Otherwise, no action is necessary.
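The script below is an added example, not Snyk's own tooling, showing the full rotate-and-verify flow around the two commands above: it drops the old key, fetches the new one, pins the fetched key to the fingerprint published here (a keyserver lookup by ID alone does not prove you received the right key), checks that the detached signature over the checksum file was made by that key, and only then compares the artifact's SHA-256 with the listed value. It assumes the checksum file uses the sha256sum layout ("<hex>  <filename>") and that its detached signature sits beside it as "<checksum file>.sig"; both are assumptions about the artifact layout, not facts stated on this page.

```shell
#!/bin/sh
# Added example (not Snyk's own tooling): rotate to the new Snyk CLI GPG key and
# verify a downloaded CLI artifact against its GPG-signed SHA-256 checksum.
# Assumed layout: checksum file is "<hex>  <filename>" (sha256sum format) and
# its detached signature is "<checksum file>.sig". Fingerprints are the ones
# published in this notice.

OLD_KEY="68BFBCCEB7794E6FC06A2044A29C32E91F4B9569"
NEW_KEY="A22665FB96CAB0E0973604C83676C4B8289C296E"
KEYSERVER="hkps://keys.openpgp.org"

# Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# Step 1: remove the old key (ignore "not found"), fetch the new one, and pin it.
rotate_key() {
  gpg --batch --yes --delete-keys "$OLD_KEY" 2>/dev/null || true
  gpg --keyserver "$KEYSERVER" --recv-keys "$NEW_KEY" || return 1
  # Only trust the import if the full fingerprint of what arrived matches the
  # fingerprint Snyk published; the key ID in --recv-keys is not enough on its own.
  gpg --with-colons --fingerprint "$NEW_KEY" | grep -q "^fpr:.*:${NEW_KEY}:$"
}

# Step 2: the detached signature over the checksum file must verify AND must
# have been made by the new key, not merely by any key in the keyring.
verify_signature() {
  # $1 = checksum file, $2 = detached signature
  status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
  # VALIDSIG reports the full fingerprint of the signing key as its first field.
  printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG ${NEW_KEY} "
}

# Step 3: compare the artifact's SHA-256 with its entry in the now-trusted checksum file.
# Returns 0 on match, 1 on mismatch, 2 if the artifact is not listed at all.
verify_checksum() {
  # $1 = checksum file, $2 = artifact path
  name=$(basename "$2")
  expected=$(awk -v n="$name" '$2 == n { print tolower($1) }' "$1")
  [ -n "$expected" ] || return 2
  actual=$(sha256_of "$2")
  [ "$expected" = "$actual" ]
}

# Signature first, then checksum: an unsigned or wrongly-signed checksum file
# proves nothing about the artifact, however well the hashes agree.
verify_artifact() {
  # $1 = artifact, $2 = checksum file (signature assumed at "$2.sig")
  verify_signature "$2" "$2.sig" && verify_checksum "$2" "$1"
}

# Usage: ./verify-snyk.sh <artifact> <checksum file>
if [ "$#" -eq 2 ]; then
  rotate_key && verify_artifact "$1" "$2" && echo "OK: $1 verified against $2"
fi
```

The fingerprint pin in rotate_key and the VALIDSIG check in verify_signature are the two checks the bare gpg commands above do not perform; without them a signature from any key that happens to be in the keyring, or a key that merely shares a short ID, would pass.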
For more information, see getting started with the CLI.