On Fri, Jun 11, 2010 at 08:50:39PM +0100, Tony Houghton wrote:
>On Fri, Jun 11, 2010 at 10:39:02PM +0300, George Danchev wrote:
>>On Fri, Jun 11, 2010 at 08:23:13PM +0100, Tony Houghton wrote:
>>>
>>>I'm a sponsored maintainer (of roxterm) and I've just approached a
>>>local DD to have my key signed. He pointed out that SHA1-generated
>>>keys are deprecated so I should probably generate a new, more secure,
>>>key. As my old key is already presumably "in the system" due to
>>>existing versions of roxterm, how should I go about replacing it with
>>>a new one?

To generate a new key, please follow the instructions at:
http://keyring.debian.org/creating-key.html

>>There is nothing to replace. Your source package always gets rebuilt
>>by your sponsors and signed by their own gpg key, i.e. they are
>>responsible for the upload in the same way they are responsible for
>>their own packages uploads. You can check that out with 'who-uploads
>>source_package_name'.

It's still a good thing to replace your SHA-1 key with a new 4K RSA key.

>OK, that makes sense.

Please read "HOWTO prep for migration off of SHA-1 in OpenPGP" available at:
http://www.debian-administration.org/users/dkg/weblog/48

The webpage at the address above will help you to migrate your
web-of-trust to the new 4K RSA key.