:: [devuan-dev] bug#705: bug#705: Ackn…
Top Page
Delete this message
Reply to this message
Author: Olaf Meeuwissen
Date:  
To: devuan developers internal list
CC: Klaus Ethgen, 705, Daniel Reurich
Subject: [devuan-dev] bug#705: bug#705: Acknowledgement (Update failed due to an invalide signature)
Hi,

Daniel Reurich writes:

> Yes the key expired, and I probably noticed first by virtue of living in
> the future compared to everyone else.
>
> We should be adding a new signing key each release for the next future
> release, and ensuring it will endure for at least 2 future release.
> This should be done immediately following a release.


ACK, but predicting how long it will take for the next two releases to
see the light of day is not exactly easy because Debian/Devuan release
when ready.

How about uploading a new devuan-keyring package to stable-updates and
unstable when the key's validity period has reached roughly 1/3 of its
initial value? So if you start with a key that's valid for the next 3
years, you would upload that new devuan-keyring package 2 years later.
This is completely independent of the release cycle and should work if
I'm not badly mistaken.

FTR, this idea is shamelessly stolen from the way cert-manager handles
TLS certificates in Kubernetes clusters by default, be it that uses 90
days for the certificate's validity period.

> This should be part of our "New Release - Devuan Devs guide to managing
> the new release process." - if such a document should exist. (If it
> doesn't maybe we should create it.)
>
> Regards,
>     Daniel

>
> On 5/09/22 19:53, Klaus Ethgen wrote:
>> Hi,
>>
>> The reason seems to be that the key is expired.
>>
>> The mitigation might be difficult. But you might have the way to do so.
>> Just sign the repository with the key
>> 72E3CB773315DFA2E464743D94532124541922FB instead of
>> E032601B7CA10BC3EA53FA81BB23C00C61FC752C.
>>
>> 72E3CB773315DFA2E464743D94532124541922FB is in
>> /etc/apt/trusted.gpg.d/devuan-keyring-2016-archive.gpg and never expire.
>>
>> After some months, just create a new key which never expire or expire
>> far in the future and use that for the repository.
>>
>> Regards
>>     Klaus

>>
>>
>> _______________________________________________
>> devuan-dev internal mailing list
>> devuan-dev@???
>> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/devuan-dev