
Re: Archive GPG key expiring process


That is not correct. A missing key does not disable the installation feature of the package manager.

1. You can import key manually. Like this:

sudo apt-key adv --keyserver subkeys.pgp.net --recv-keys XXXXXX

2. Even with a non-imported key, apt-get/aptitude will allow you to install software (including debian-keyring), though it will ask an extra question about whether you trust this repository without the key in your system, like this:

Requires installation of untrusted packages
The action would require the installation of packages from unauthenticated sources.

Or you can even avoid such a message with the --allow-unauthenticated option.


17.10.2014, 20:30, "David Hubner" <david.hubner@smoothwall.net>:
> Hi,
> I am just wondering about a hypothetical situation where the master GPG key used for signing the debian archive was stolen. After creating a new master key and getting a new public key into the debian-keyring package, how would you get that to users?
> I mean if you resigned the release file after the attack happened with a new master key that would mean nobody could apt-get the debian-keyring package for the new public key.
> I am wondering if I am missing something. Is there a process for this possibility?
> Thanks
> --
> David Hubner
> Software Engineer
> david.hubner@smoothwall.net
> Smoothwall Ltd
> 1 John Charles Way, Leeds, LS12 6QA United Kingdom
> Telephone:  USA: 1 800 959 3760  Europe: +44 (0) 8701 999500
> www.smoothwall.net
> Smoothwall Limited is registered in England, Company Number: 4298247.  This email and any attachments transmitted with it are confidential to the intended recipient(s) and may not be communicated to any other person or published by any means without the permission of Smoothwall Limited.  Any opinions stated in this message are solely those of the author.
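The thread above leaves out the check a practitioner wants before trusting an imported key: fetching a key by ID from a keyserver only retrieves whatever key carries that ID, and --allow-unauthenticated skips signature verification altogether, so neither establishes that the key is the archive's. The following is an added example, not code from either message; it shows a small POSIX shell check that looks for a full fingerprint (obtained out of band, e.g. from a release announcement) in `gpg --with-colons --fingerprint` output. The keyring listing and the fingerprint are constructed sample values, and the `key_present` and `check_sample` function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a key with an expected
# full fingerprint is present in a keyring before treating a repository as
# trusted. The function reads `gpg --with-colons --fingerprint` output on
# stdin, so a real keyring can be piped in, for instance:
#   gpg --no-default-keyring --keyring /etc/apt/trusted.gpg \
#       --with-colons --fingerprint | key_present "$EXPECTED_FPR"

# key_present EXPECTED_FPR
# Exits 0 when an "fpr" record whose fingerprint equals EXPECTED_FPR is on
# stdin, 1 otherwise. Spaces in the expected value are ignored and hex is
# upper-cased, so a fingerprint copied from a web page in the usual grouped
# form still compares correctly.
key_present() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    # In --with-colons output the fingerprint is field 10 of "fpr" records.
    awk -F: -v want="$expected" '
        $1 == "fpr" && $10 == want { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Constructed sample of `gpg --with-colons --fingerprint` output for one key.
# The key ID, fingerprint and user ID are made up for this example only.
SAMPLE_KEYRING='tru::1:1413570000:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1413570000::-:::scSC::::::
fpr:::::::::0000111122223333444455556666777788889999:
uid:-::::1413570000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Archive Signing Key (constructed) <archive@example.invalid>:
'

# check_sample EXPECTED_FPR
# Runs key_present against the constructed sample keyring.
check_sample() {
    printf '%s' "$SAMPLE_KEYRING" | key_present "$1"
}

# Stand-alone demonstration: the grouped form of the sample fingerprint
# matches, an unrelated fingerprint does not.
if check_sample "0000 1111 2222 3333 4444  5555 6666 7777 8888 9999"; then
    echo "expected fingerprint present in keyring"
fi
if ! check_sample "FFFF1111222233334444555566667777888899990000"; then
    echo "unrelated fingerprint absent, as expected"
fi
```

The comparison is against the full 40-hex-digit fingerprint rather than the short key ID used in the --recv-keys command above; it is the fingerprint, compared with a value obtained through a channel other than the keyserver, that carries the trust decision.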
