
Re: APT public key updates?



On Fri, Jan 06, 2006 at 01:22:50AM +0100, Petter Reinholdtsen wrote:
> [Michael Vogt]
> > Sorry for the delay. I'm preparing a new upload that adds the 2006
> > archive key to the default keyring. 
> 
> Sounds good.  Will this automatically take care of the key update and
> make sure no manual intervention is needed to get packages upgraded?

I uploaded a new apt that supports multiple signatures on the release
file. The policy is that it needs at least one good signature and no
bad signatures (but any number of NO_PUBKEY signatures) to be
considered trusted. It will still warn about missing keys but that's
only fatal if no good signature was found. 

The upload also contains the new key in apt's default keyring. This
doesn't fix the key-upgrade problem yet. I outlined my proposal in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345891 

Early testing (from incoming) is welcome :) 

> Isn't Ubuntu using the signed apt stuff?  How are they handling the
> new archive keys?

Ubuntu handles the archive keys with the mechanism described in
#345891. There is a "ubuntu-keyring" package that contains the valid
and no-longer valid server keys. apt-key update takes care of
adding/removing the appropriate keys.

Cheers,
 Michael

-- 
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
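
The trust policy described in the message above (at least one good signature, no bad signatures, any number of NO_PUBKEY results), as an added example that is not part of the original mail and is not apt's own code. It assumes the signature results arrive as gpgv-style status lines; the function name, sample names and key IDs are constructed for illustration.

```python
# Added illustration of the policy in the mail; not apt's source code.
# Input is gpgv-style status output ("[GNUPG:] KEYWORD keyid ...").
PREFIX = "[GNUPG:] "

def evaluate_release_signatures(status_output):
    """Return (trusted, warnings) for the signatures on one Release file."""
    good, bad, missing = [], [], []
    for line in status_output.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split()
        if len(fields) < 2:
            continue
        keyword, keyid = fields[0], fields[1]
        if keyword == "GOODSIG":
            good.append(keyid)
        elif keyword == "BADSIG":
            bad.append(keyid)
        elif keyword == "NO_PUBKEY":
            missing.append(keyid)
        # Other status keywords are ignored: the mail names only these three.
    # At least one good signature, no bad ones; missing keys never block trust
    # by themselves but are always reported.
    trusted = bool(good) and not bad
    warnings = ["missing public key " + k for k in missing]
    return trusted, warnings

# Constructed samples; the key IDs are placeholders, not real archive keys.
ROLLOVER = """\
[GNUPG:] GOODSIG 1111111111111111 Constructed Archive Key (2005)
[GNUPG:] NO_PUBKEY 2222222222222222
"""
TAMPERED = """\
[GNUPG:] GOODSIG 1111111111111111 Constructed Archive Key (2005)
[GNUPG:] BADSIG 2222222222222222 Constructed Archive Key (2006)
"""
UNKNOWN_ONLY = """\
[GNUPG:] NO_PUBKEY 2222222222222222
"""

if __name__ == "__main__":
    for name, sample in [("rollover", ROLLOVER), ("tampered", TAMPERED),
                         ("unknown-only", UNKNOWN_ONLY)]:
        print(name, evaluate_release_signatures(sample))
```

The rollover sample is the case the thread is about: a client that holds only the old key still trusts a Release file signed with both keys, and gets a warning about the key it lacks.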


