grml / grml-debian-keyring


Rotate / create new repository signing key #4

Open mika opened 3 months ago

mika commented 3 months ago

As noted by cb on IRC (thx!):

% curl -s https://deb.grml.org/repo-key.gpg |gpg --armor --export |wc -l
769520

Our key is very long as plain text, something newer might be shorter. Also would be nice to use our repository signing key as-is in /etc/apt/keyrings/ via grml.sources.

Last but not least, our latest signing key change dates back to 2015, and we might consider creating a more modern/fresh one also for security reasons.

FTR:

 % gpg keyrings/grml-archive-keyring.gpg 
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   dsa1024/F61E2E7CECDEA787 2006-11-19 [SC]
      709BCE51568573EBC160E590F61E2E7CECDEA787
uid                           GRML Archive Automatic Signing Key (http://www.grml.org/) <ftpmaster@grml.org>
sub   elg2048/896CF7B9B1F9C73E 2006-11-19 [E]
pub   rsa4096/21E0CA38EA2EA4AB 2015-08-16 [SC]
      05483D2F0A254E5BC12AC73021E0CA38EA2EA4AB
uid                           Grml Archive Automatic Signing Key (http://www.grml.org/) <ftpmaster@grml.org>
sub   rsa4096/DC71A66D2B91DE1F 2015-08-16 [E]

I'd be more than happy for any suggestions regarding best practices in terms of GPG implementation usage, key generation settings and command line options. @anarcat maybe might have valuable input for us here? :)
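One way to do the unattended key generation asked about above, as an added example that is not grml's tooling and not a decision the project has made. It assumes a scratch GNUPGHOME directory and an output path, and reuses the uid shown in the key listing; the choices it bakes in are an Ed25519 sign-only primary key (a few dozen armored lines instead of the rsa4096 + elg/rsa encryption subkey pairs above; apt only ever verifies, so no encryption subkey is needed) and a mandatory expiry so the next rotation is scheduled rather than forgotten. Ed25519 requires a verifier from GnuPG 2.1 or later on the client; every current Debian release has that, but swapping in `Key-Type: RSA` / `Key-Length: 4096` is the conservative choice if very old clients matter.

```shell
#!/bin/sh
# Added example, not grml's own code: generate a fresh sign-only APT
# repository key unattended, export the public half in the binary form apt
# consumes, and print the fingerprint to publish alongside it.
# $homedir, the output paths and the 2y expiry are assumptions for illustration.
set -eu

# gpg --batch parameter block. %no-protection: an archive signing key lives
# in a dedicated, locked-down signing host, not behind an interactive
# passphrase. Key-Usage: sign is all apt needs; "cert" is implied for a primary.
batch_params() {
    # $1 = Name-Real, $2 = Name-Comment, $3 = Name-Email, $4 = Expire-Date
    cat <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: $1
Name-Comment: $2
Name-Email: $3
Expire-Date: $4
%commit
EOF
}

# Generate in a scratch keyring, export only the public key to $2, print the
# 40-hex-digit fingerprint. Secret material never leaves $homedir.
gen_repo_key() {
    homedir=$1 keyring_out=$2
    mkdir -p "$homedir"
    chmod 700 "$homedir"
    batch_params "Grml Archive Automatic Signing Key" "http://www.grml.org/" \
                 "ftpmaster@grml.org" 2y \
        | GNUPGHOME="$homedir" gpg --batch --quiet --gen-key
    fpr=$(GNUPGHOME="$homedir" gpg --batch --with-colons --list-keys \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    # Binary (not armored) export: this is the file that belongs in
    # /etc/apt/keyrings/ and that Signed-By: in grml.sources points at.
    GNUPGHOME="$homedir" gpg --batch --export "$fpr" > "$keyring_out"
    printf '%s\n' "$fpr"
}

# Rotation: a keyring file may hold several keys (binary exports concatenate
# cleanly), so ship old + new together while clients migrate, then drop the
# old one in a later keyring package release.
merge_keyrings() {
    # $1 = output keyring, remaining args = keyrings to merge
    out=$1; shift
    cat "$@" > "$out"
}

if [ "${DEMO:-0}" = 1 ]; then
    gen_repo_key ./scratch-gnupghome ./grml-archive-keyring-new.gpg
fi
```

Run with `DEMO=1` on a signing host to get a new keyring file; `gpg --show-keys grml-archive-keyring-new.gpg` then prints the same kind of listing as the FTR block above, minus the encryption subkey. The fingerprint should be published out of band (website, announcement) so people can check the key they fetch over HTTP.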

crpb commented 3 months ago

For clarification, where it would be beneficial: /etc/apt/sources.list.d/grml.sources

Types: deb deb-src
URIs: http://deb.grml.org
Suites: grml-stable grml-testing
Components: main
Enabled: yes
Signed-By: /etc/apt/keyrings/deb.grml.org.gpg

Here you could replace the Signed-By: file path with the output of the following command (which is currently a bit of a mess).

wget -qO- https://deb.grml.org/repo-key.asc | gpg --armor --export | sed 's/^$/./;s/^/ /g;1 i Signed-By:' |tee -a /etc/apt/sources.list.d/grml.sources

That way you don't even have to put a file in e.g. /etc/apt/keyrings/.
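A cleaned-up version of that transformation, as an added example that is not part of the comment above or of grml's repository. It assumes the key is fetched to a local file first; the sample key block inside is a constructed placeholder (only the armor framing is real, the body is not a key). Two details a practitioner wants checked: the embedded value must be an ASCII-armored public key block, and the blank line between the armor header and the base64 body must become " ." or it ends the deb822 stanza and truncates the key. Inline keys in Signed-By: are supported by apt in Debian bookworm and later.

```shell
#!/bin/sh
# Added example, not grml's own code: build a deb822 stanza for
# /etc/apt/sources.list.d/grml.sources with the repository key embedded in
# Signed-By:, so nothing has to be placed under /etc/apt/keyrings/.
set -eu

# Inline keys must be ASCII-armored public key blocks. Refuse anything else:
# a binary .gpg export, or the "PGP ARMORED FILE" that gpg --enarmor produces.
check_armored() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$'
}

# deb822 multi-line field: every continuation line starts with a space, and an
# empty line (which would otherwise terminate the stanza) is written as " .".
armor_to_signed_by() {
    printf 'Signed-By:\n'
    sed -e 's/^$/./' -e 's/^/ /'
}

# Complete stanza; the repository fields are those from the comment above.
grml_sources_stanza() {
    # $1 = path to an ASCII-armored public key
    check_armored "$1" || {
        echo "$1: not an ASCII-armored public key block" >&2
        return 1
    }
    printf '%s\n' 'Types: deb deb-src' 'URIs: http://deb.grml.org' \
        'Suites: grml-stable grml-testing' 'Components: main' 'Enabled: yes'
    armor_to_signed_by < "$1"
}

# Intended use on a client:
#   wget -qO repo-key.asc https://deb.grml.org/repo-key.asc
#   write_grml_sources repo-key.asc /etc/apt/sources.list.d/grml.sources
write_grml_sources() {
    grml_sources_stanza "$1" > "$2"
}

# Constructed placeholder standing in for the real repo-key.asc: the framing
# is what the transformation has to handle, the body is NOT a real key.
SAMPLE_KEY='-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=AAAA
-----END PGP PUBLIC KEY BLOCK-----'

if [ "${DEMO:-0}" = 1 ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_KEY" > "$tmp"
    grml_sources_stanza "$tmp"
    rm -f "$tmp"
fi
```

Note that `gpg --armor --export` reads the local keyring and ignores stdin, so it is not a converter: if the download is already armored, feed it to the function directly; if it is a binary keyring, import it into a scratch `GNUPGHOME` and export it with `--armor` from there.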

zeha commented 3 weeks ago

Do we expect people to have the archive keyring package installed? If not, how will people get the new key?

crpb commented 3 weeks ago

There needs to be a grml-common which all other packages depend on, so it will be pulled in automatically, and then you could add a script like myon's script in postgresql-common. But that needs to be on the Debian side.. enough time for trixie? :P

/me is already ducking