Yeah, that's unfortunate - and they have been working to resolve this. But this is not an issue in CalyxOS itself.
This issue is an organizational challenge where they lacked control mechanisms to revoke access properly and in due time - which affected the build infrastructure CalyxOS is built on.
From the URL you point at:
> First, we want to assure you that we have no reason to believe the security of CalyxOS and its signing keys have been compromised.
> As you know, we announced a recent leadership transition. When senior personnel have access to signing keys and leave a team, it is security best practice to update signing keys and conduct audits. So in accordance with that, we are using this transition period to update our security protocols, including updating the signing keys and taking other steps to further protect our users.
🐈⬛David Sommerseth
npub16u…s2f6s
2025-08-27 15:44:28 UTC
in reply to nevent1q…kkg7
Author Public Key
npub16undjuczsmkhvdzy3rvxglyvmc9vkjh5p64me8efzv4knetkhvgqds2f6sSeen on
wss://relay.momostr.pinkPublished at
2025-08-27 15:44:28 UTCEvent JSON
{
"id": "272b314e03da5688e6f34386e7d8576474cfda92f2006709464ba396636d0a50",
"pubkey": "d726d9730286ed76344488d8647c8cde0acb4af40eabbc9f29132b69e576bb10",
"created_at": 1756309468,
"kind": 1,
"tags": [
[
"proxy",
"https://infosec.exchange/@dazo/115101497304964839",
"web"
],
[
"p",
"fa9798d80aa3d344d3a501edcb467f17c12f2018613d53fc87d89a3c1893ad24"
],
[
"p",
"e880ecdfb2890867d6748949905c87a649facdf5bc1ac68149d672a73387017f"
],
[
"e",
"0940b80987f7e24a65ac8e4350afe3be2a383cac2c8eb324a566447a54f06ca9",
"",
"root",
"fa9798d80aa3d344d3a501edcb467f17c12f2018613d53fc87d89a3c1893ad24"
],
[
"p",
"d726d9730286ed76344488d8647c8cde0acb4af40eabbc9f29132b69e576bb10"
],
[
"p",
"0c4c0022c48b822167e4ab3d8b9538e4646e37168e2d2ed45bf2b909b89614bb"
],
[
"e",
"4279bf5c0736073f3f3400bd7354944e9a5af1cbe93341b65ec538b926464300",
"",
"reply",
"0c4c0022c48b822167e4ab3d8b9538e4646e37168e2d2ed45bf2b909b89614bb"
],
[
"proxy",
"https://infosec.exchange/users/dazo/statuses/115101497304964839",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://infosec.exchange/users/dazo/statuses/115101497304964839",
"pink.momostr"
],
[
"-"
]
],
"content": "Yeah, that's unfortunate - and they have been working to resolve this. But this is not an issue in CalyxOS itself.\n\nThis issue is an organizational challenge where they lacked control mechanisms to revoke access properly and in due time - which affected the build infrastructure CalyxOS is built on.\n\nFrom the URL you point at:\n\n\u003e First, we want to assure you that we have no reason to believe the security of CalyxOS and its signing keys have been compromised.\n\n\u003e As you know, we announced a recent leadership transition. When senior personnel have access to signing keys and leave a team, it is security best practice to update signing keys and conduct audits. So in accordance with that, we are using this transition period to update our security protocols, including updating the signing keys and taking other steps to further protect our users.",
"sig": "1fdedf8b3d48b664c45fda53676c15a14bf1ed8d6d7ac7f6fce98a1f0514821068987ffba0ce44b194e6da9b5cebb3dc9e8e794a6bb0cfa23b265638ee095848"
}