
Re: Debian derivatives census: repository OpenPGP key distribution?



On 5/5/19 10:46 PM, Paul Wise wrote:
> To that end, I'd like to hear about derivatives' handling of apt
> repository OpenPGP keys. Based on the discussion I'll update the census
> template to get more info and try to work on improving the situation.

Hi Paul,

Here is how we handle OpenPGP keys at Wazo:

Our current signing key is available in two forms:

- a public file at https://mirror.wazo.community/wazo_current.key
- a package wazo-keyring


> I'm particularly interested in a few things:
> 
> How would new users bootstrap trust of your keys?

The public file serves for bootstrapping the trust of the keys, through
wget | apt-key.

> How do you handle updates to your keys?

The package wazo-keyring serves for updating and replacing the keys. The
keys are sufficiently long-lived to consider that the wazo-keyring
package will be updated via APT before all the keys expire. If not, then
a manual intervention is required.

> How do you handle replacement of your keys?

In case of a key being compromised, I guess a manual intervention
would be required to revoke the compromised key and to replace it. I
would love to read a better answer though.

Otherwise, the new key simply gets added to the wazo-keyring package.

> How would Debian users securely obtain your keys for use in chdist or
> apt-venv? These allow running apt commands on alternative repositories
> without adding those repos to your system configuration.

I did not know about those tools, thanks for mentioning them, they may
be useful in the future! :)

In our case, bootstrapping the keys from the public file is possible via
wget | apt-venv -c "apt-key", if apt-key is available in apt-venv.



Feedback is welcome, of course :)

-- 
Sébastien Duthil

Attachment: signature.asc
Description: OpenPGP digital signature
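The message above bootstraps trust with `wget | apt-key`, which accepts whatever the mirror serves over TLS and adds it to apt's global trust store, where it is honoured for every repository. Below is an added example of a hardened variant of that bootstrap step. It is not Wazo's code and not part of the original thread: it compares the fetched key file against a hash pinned out of band (from documentation, a printed fingerprint, or any second channel) before installing it, and it keeps the key in its own file under /etc/apt/keyrings so that a `[signed-by=...]` entry restricts it to this one repository. The repository URL, the `wazo` name, the key file contents and the directory layout are assumptions for illustration; the `ROOT` parameter exists only so the script can be exercised in a temporary directory instead of `/`.

```shell
#!/bin/sh
# Added example (not Wazo's code): bootstrap an apt repository key against a
# pinned hash and scope it to a single repository with [signed-by=...].
# Names, URL and paths below are assumptions for illustration.
set -eu

# install_repo_key NAME KEYFILE EXPECTED_SHA256 [ROOT]
#   NAME            short repository name, used for the keyring and list file
#   KEYFILE         the key as fetched from the mirror (e.g. wazo_current.key)
#   EXPECTED_SHA256 hash of the key file obtained out of band, not from the mirror
#   ROOT            filesystem root; "/" on a real system, a temp dir for testing
# Returns 0 when the key was installed, 1 when it did not match the pinned hash.
install_repo_key() {
  name=$1
  keyfile=$2
  expected=$3
  root=${4:-/}

  # The pin is the whole point: a mirror (or a MITM on a bad TLS setup) that
  # serves a substituted key must not end up trusted by apt.
  actual=$(sha256sum "$keyfile" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "refusing to install key for $name: hash mismatch" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
  fi

  keyring_dir="$root/etc/apt/keyrings"
  sources_dir="$root/etc/apt/sources.list.d"
  mkdir -p "$keyring_dir" "$sources_dir"

  # Own file instead of `apt-key add` into trusted.gpg, so the key is only
  # consulted for this repository. apt accepts armored keys here since 1.4.
  install -m 0644 "$keyfile" "$keyring_dir/$name.asc"

  # Assumed repository line; the URL is a placeholder, not Wazo's real one.
  printf 'deb [signed-by=/etc/apt/keyrings/%s.asc] https://mirror.example/debian stable main\n' \
    "$name" > "$sources_dir/$name.list"
  return 0
}
```

On a real system this would be invoked as `wget -O /tmp/wazo_current.key https://mirror.wazo.community/wazo_current.key && install_repo_key wazo /tmp/wazo_current.key <pinned-sha256>`. The file hash is the dependency-free check used here; where GnuPG is available, comparing the OpenPGP fingerprint reported by `gpg --show-keys --with-fingerprint` against the published one is the canonical equivalent, since a re-exported key file can carry the same key with a different hash.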

