
Re: Archive GPG key expiring process

David Hubner:
> Hi,
> I am just wondering about a hypothetical situation where the master GPG key
> used for signing the debian archive was stolen. After creating a new master
> key and getting a new public key into the debian-keyring package, how would
> you get that to users?
> I mean if you re-signed the release file after the attack happened with a
> new master key that would mean nobody could apt-get the debian-keyring
> package for the new public key.
> I am wondering if I am missing something. Is there a process for this
> possibility?
> Thanks

Debian has no good mechanism to revoke apt keys in case of compromise,
nor a way to inform users in emergency situations:

An apt key revoker should be written:

It's on my list, but I never got to it:

So anyone feel encouraged to do something about it.


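One shape such a revoker could take, as an added example that is not part of this thread and not Debian's or apt's code: the client keyring carries a second, offline "emergency" key whose only job is to sign keyring-change notices, so a stolen archive signing key cannot be used to block its own revocation. Signatures are simulated with HMAC so the example runs on the standard library alone (in a real design they would be detached OpenPGP or Ed25519 signatures, and "add" would carry a public key, not a secret); key ids, the notice format and the `TrustStore` class are all hypothetical.

```python
"""Toy client-side trust store with an offline emergency key for apt-style
key revocation. Added example, not Debian/apt code. HMAC-SHA256 stands in
for real detached signatures, so the 'public key' here is the same secret
the signer holds; the architecture, not the primitive, is the point."""
import hashlib
import hmac
import json
import os


def new_key() -> bytes:
    """Fresh secret; stands in for a private signing key (toy)."""
    return os.urandom(32)


def sign(secret: bytes, data: bytes) -> str:
    """Stand-in for a detached signature over `data` (toy)."""
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def verify(secret: bytes, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(secret, data), sig)


class TrustStore:
    """Keyring with two roles (hypothetical): 'archive' keys sign Release
    files and live on the signing host; 'emergency' keys stay offline and
    sign only keyring-change notices, never content."""

    def __init__(self, keys):
        self.keys = dict(keys)        # {key_id: (secret, role)} from the keyring package
        self.revoked = set()
        self.notice_seq = 0           # highest notice sequence number applied

    def verify_release(self, release: bytes, key_id: str, sig: str) -> bool:
        entry = self.keys.get(key_id)
        if entry is None or key_id in self.revoked:
            return False
        secret, role = entry
        if role != "archive":         # the emergency key must never vouch for content
            return False
        return verify(secret, release, sig)

    def apply_notice(self, notice: bytes, key_id: str, sig: str) -> bool:
        """Apply a revoke/add notice; only an unrevoked emergency key may sign it."""
        entry = self.keys.get(key_id)
        if entry is None or key_id in self.revoked or entry[1] != "emergency":
            return False
        if not verify(entry[0], notice, sig):
            return False
        body = json.loads(notice)
        if body["seq"] <= self.notice_seq:   # replayed or stale notice
            return False
        self.notice_seq = body["seq"]
        for kid in body.get("revoke", []):
            self.revoked.add(kid)
        for kid, hexsecret in body.get("add", {}).items():
            if kid not in self.revoked:       # a notice cannot resurrect a revoked id
                self.keys[kid] = (bytes.fromhex(hexsecret), "archive")
        return True


def scenario() -> dict:
    """Walk through the compromise described in the thread (constructed data)."""
    archive_2012, emergency = new_key(), new_key()
    client = TrustStore({"archive-2012": (archive_2012, "archive"),
                         "emergency-2012": (emergency, "emergency")})
    release = b"Origin: Debian\nSuite: stable\nSHA256:\n 0123abcd main/binary-amd64/Packages\n"
    evil = b"Origin: Debian\nSuite: stable\nSHA256:\n feedface main/binary-amd64/Packages\n"
    out = {}
    out["before_compromise"] = client.verify_release(release, "archive-2012", sign(archive_2012, release))
    # Attacker holds archive_2012: they can sign a Release file (that is the damage) ...
    out["attacker_release_accepted"] = client.verify_release(evil, "archive-2012", sign(archive_2012, evil))
    # ... but cannot sign a notice that revokes the emergency key or adds their own key.
    forged = json.dumps({"seq": 1, "revoke": ["emergency-2012"],
                         "add": {"archive-evil": new_key().hex()}}).encode()
    out["forged_notice_accepted"] = client.apply_notice(forged, "archive-2012", sign(archive_2012, forged))
    # The offline emergency key publishes the real notice: revoke old key, add new one.
    archive_2013 = new_key()
    notice = json.dumps({"seq": 1, "revoke": ["archive-2012"],
                         "add": {"archive-2013": archive_2013.hex()}}).encode()
    out["notice_accepted"] = client.apply_notice(notice, "emergency-2012", sign(emergency, notice))
    out["old_key_after_revocation"] = client.verify_release(evil, "archive-2012", sign(archive_2012, evil))
    out["new_key_after_rotation"] = client.verify_release(release, "archive-2013", sign(archive_2013, release))
    out["replay_rejected"] = not client.apply_notice(notice, "emergency-2012", sign(emergency, notice))
    out["emergency_cannot_sign_release"] = not client.verify_release(release, "emergency-2012", sign(emergency, release))
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The notice must be fetchable without first validating a Release file signed by the revoked key, which is exactly the chicken-and-egg the question raises; serving it from a fixed path outside the signed index, or shipping the emergency public key with the initial keyring so any mirror or mail can carry the notice, both avoid that loop. The sequence number is what stops a mirror from replaying an earlier notice to keep a revoked key alive.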