Hello:

On 2 Jun 2025 at 17:03, Mark Hindley wrote:

> ... end up in a chicken and egg cycle with the new key being used
> but apt refusing to update the devuan-keyring package because it
> can't verify the key.
>
> ... good idea how to resolve that?

Just thinking out loud, not to be taken *too* seriously.

I live in a building with 10 stories and 66 flats.
When someone loses their keys to the front door, the lock is changed
asap and 66 new keys are made and distributed.

When someone without a new key wants to get into the building, they
are met with a sign saying that they should contact the building's
admin and ask for their key.

In a loosely analogous manner, a *sleeper* devuan-keyring metapackage
could be used.

I would be pushed out to everyone updating and once installed it
would lie waiting to detect when / if the user wanting to update /
upgrade or install anything is unable to do so because of the old
key.

At that point, it would inform them of the situation and instruct
them to extract [c]sleeper.sh[/c] from the metapackage.

[c]sleeper.sh[/c] would unpackage, install the new key and ask the
user to try their update / upgrade again.

If the update / upgrade or installation went ahead as expected, the
*sleeper* devuan-keyring metapackage would then rm itself.

Just an idea.
I am aware that this may potentially have some security issues.

Best,

A.