Re: Archive GPG key expiring process
David Hubner wrote:
> Hi,
>
> I am just wondering about a hypothetical situation where the master GPG key
> used for signing the debian archive was stolen. After creating a new master
> key and getting a new public key into the debian-keyring package, how would
> you get that to users?
>
> I mean if you resigned the release file after the attack happened with a
> new master key that would mean nobody could apt-get the debian-keyring
> package for the new public key.
>
> I am wondering if I am missing something. Is there a process for this
> possibility?
>
> Thanks
>
Debian has no good mechanism to revoke apt keys in case of compromise,
nor a way to inform users in emergency situations:
https://lists.debian.org/debian-security/2013/10/msg00065.html
An apt key revoker should be written:
https://lists.debian.org/debian-security/2013/12/msg00031.html
It's on my list, but I never got to it:
https://github.com/Whonix/Whonix/issues/125
So anyone, feel encouraged to do something about it.
Cheers,
Patrick