On 5/5/19 10:46 PM, Paul Wise wrote:
> To that end, I'd like to hear about derivatives' handling of apt
> repository OpenPGP keys. Based on the discussion I'll update the census
> template to get more info and try to work on improving the situation.

Hi Paul,

Here is how we handle OpenPGP keys at Wazo: our current signing key is available in two forms:

- a public file at https://mirror.wazo.community/wazo_current.key
- a package wazo-keyring

> I'm particularly interested in a few things:
>
> How would new users bootstrap trust of your keys?

The public file serves for bootstrapping the trust of the keys, through wget | apt-key.

> How do you handle updates to your keys?

The package wazo-keyring serves for updating and replacing the keys. The keys are sufficiently long-lived to consider that the wazo-keyring package will be updated via APT before all the keys expire. If not, then a manual intervention is required.

> How do you handle replacement of your keys?

In case of a key being compromised, I guess a manual intervention would be required to revoke the compromised key and to replace it. I would love to read a better answer though. Otherwise, the new key simply gets added to the wazo-keyring package.

> How would Debian users securely obtain your keys for use in chdist or
> apt-venv? These allow running apt commands on alternative repositories
> without adding those repos to your system configuration.

I did not know about those tools, thanks for mentioning them, they may become useful in the future! :)

In our case, bootstrapping the keys from the public file is possible via wget | apt-venv -c "apt-key", if apt-key is available in apt-venv.

Feedback is welcome, of course :)

-- 
Sébastien Duthil
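The bootstrap step described in the mail above (fetching the public key file and piping it into apt-key) trusts whatever the download returns, system-wide. The script below is an added example, not code from the mail or from the Wazo project, showing how a user can do the same bootstrap while pinning the key's fingerprint (obtained out of band) and limiting the key to one repository via `signed-by`, leaving later rotation to the keyring package as the mail describes. The key URL is the one given in the mail; the expected fingerprint, the keyring path, the sources file and the repository line are placeholders/assumptions.

```shell
#!/bin/sh
# Added example (not from the mail or the Wazo project): bootstrap an apt
# repository signing key with a pinned fingerprint and a per-repository
# keyring, instead of "wget ... | apt-key add".
set -eu

KEY_URL="https://mirror.wazo.community/wazo_current.key"          # from the mail
EXPECTED_FPR="0000000000000000000000000000000000000000"            # PLACEHOLDER: obtain out of band
KEYRING="/etc/apt/keyrings/wazo-current.gpg"                       # assumed path
SOURCES="/etc/apt/sources.list.d/wazo.list"                        # assumed path
REPO_LINE="deb [signed-by=$KEYRING] https://REPO_URL_PLACEHOLDER suite main"  # placeholder

# Canonicalise a fingerprint: drop whitespace, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]'
}

# Succeed only when both values are the same 40-hex-digit (v4) fingerprint.
fingerprint_matches() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Primary-key fingerprint of an armored or binary key file, read from gpg's
# machine-readable output (the "fpr" record, field 10).
key_fingerprint() {
    gpg --batch --with-colons --show-keys "$1" | awk -F: '/^fpr:/ { print $10; exit }'
}

# Fetch the key, refuse it unless the fingerprint matches the pinned value,
# then install it as a dearmored keyring that only this repository may use.
install_pinned_key() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    wget -q -O "$tmp" "$KEY_URL"
    actual=$(key_fingerprint "$tmp")
    if ! fingerprint_matches "$actual" "$EXPECTED_FPR"; then
        echo "refusing to trust key: fingerprint $actual does not match pinned $EXPECTED_FPR" >&2
        return 1
    fi
    install -d -m 0755 /etc/apt/keyrings
    gpg --dearmor < "$tmp" > "$KEYRING"
    chmod 0644 "$KEYRING"
    printf '%s\n' "$REPO_LINE" > "$SOURCES"
    echo "installed $KEYRING; later key rotation is delivered by the keyring package via apt"
}

# Only act when explicitly requested, so the functions can be sourced and checked.
if [ "${BOOTSTRAP_RUN:-0}" = "1" ]; then
    install_pinned_key
fi
```

Run with `BOOTSTRAP_RUN=1 sh bootstrap-key.sh` as root after filling in the placeholders. The fingerprint check is what turns "trust whatever the mirror served" into "trust the key I was told about through another channel", and the `signed-by` entry keeps a compromised or replaced key from being accepted for every repository on the system.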