[clug] Re-signing Debian Packages
Tony Lewis
tony at lewistribe.com
Thu Jan 12 22:34:54 UTC 2023
From a security view, perhaps it would be the least worst to validate
against the old expired key first before re-signing with the new key.
Sorry I don't have much experience with package signing itself.
Is this an ongoing issue (i.e. these legacy systems will endure) or part
of migrating off to a newer version? If the former, then just keep in
mind how you did it, so that before your new key expires, you could make
a decision to re-resign with a new new key.
Tony
On 13/1/23 08:04, jm via linux wrote:
> Allows the continued use of the existing package management without
> ignoring the signature while
> * Being Feasible
> * Doable by one person in less than a few weeks while still having
> time to do other things
> * Doesn't involve a major overhaul or other disruption
>
> I'm sure I could add more, but you get the general idea.
>
> Jeff.
>
> On 12/1/23 21:55, Tony Lewis via linux wrote:
>> What's "better" in this context? More secure? Or convenience?
>>
>> Tony
>>
>> On 12/1/23 11:08, jm via linux wrote:
>>> I've run into a problem with a set of legacy systems which are very
>>> much stuck on an old version of debian for which the GPG package key
>>> has expired. It's possible to ignore the GPG key and have apt manage
>>> the packages regardless, but I was wondering if anyone knew of a
>>> better way? The one that comes to mind is, would it be possible to
>>> re-sign the packages with a new in-house key? If so, how would this
>>> be done and what would be involved?
>>>
>>> And, to short circuit this suggestion, it's not possible to do a
>>> distro upgrade.
>>>
>>> Jeff.
>>>
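Tony's suggestion above (check the repository against the old, expired key first, and only then sign it with the in-house key) as a worked example. This is an added example, not code from the thread or from Debian; everything in it is mine. It assumes gpg is on PATH, that the expired vendor key has been exported into a keyring file, that the in-house key lives in its own gpg home directory, and that apt on the legacy hosts verifies the repository's Release file (as apt does) rather than individual .deb files. The fingerprint, key ID, user ID and gpg status lines below are constructed placeholders, not a real Debian archive key, and the function names are my own.

```python
"""Re-sign a Debian repository's Release file with an in-house key, but only
after its existing signature verifies against the pinned (expired) vendor key.

Added example, not code from the CLUG thread. Assumes: gpg on PATH; the expired
vendor key exported to a keyring file; the in-house key in its own --homedir.
"""
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, Optional

# Tokens from gpg --status-fd (GnuPG doc/DETAILS). GOODSIG or EXPKEYSIG plus
# VALIDSIG means the signature checks out; EXPKEYSIG replaces GOODSIG when the
# key had already expired, which is exactly the case the thread is about.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPSIG"}


@dataclass
class Verdict:
    ok: bool
    fingerprint: Optional[str]
    reason: str


def judge_status(status_lines: Iterable[str], expected_fpr: str) -> Verdict:
    """Decide from gpg status output whether Release is authentic under the old key.

    Policy: a good signature from an expired key is accepted only when VALIDSIG
    names the pinned fingerprint. Any fatal token (bad signature, unknown or
    revoked key) wins over everything else, so an attacker cannot smuggle a
    BADSIG past us by also producing unrelated good-looking lines.
    """
    seen, fprs, signing_fpr = set(), set(), None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue                      # human-readable gpg chatter, ignore
        fields = line.split()
        token = fields[1]
        seen.add(token)
        if token == "VALIDSIG" and len(fields) >= 3:
            signing_fpr = fields[2].upper()
            fprs.add(signing_fpr)
            if len(fields) >= 12:         # optional trailing primary-key fingerprint
                fprs.add(fields[-1].upper())
    if seen & FATAL:
        return Verdict(False, signing_fpr, "fatal status: " + ",".join(sorted(seen & FATAL)))
    if "VALIDSIG" not in seen or not seen & {"GOODSIG", "EXPKEYSIG"}:
        return Verdict(False, signing_fpr, "no valid signature found")
    if expected_fpr.upper() not in fprs:
        return Verdict(False, signing_fpr, f"signed by {signing_fpr}, expected {expected_fpr}")
    if "EXPKEYSIG" in seen:
        return Verdict(True, signing_fpr, "good signature; key expired, accepted by policy")
    return Verdict(True, signing_fpr, "good signature")


def verify_with_old_key(release: Path, signature: Path, old_keyring: Path, expected_fpr: str) -> Verdict:
    """Verify the detached Release.gpg against only the pinned vendor keyring."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--no-default-keyring",
         "--keyring", str(old_keyring), "--verify", str(signature), str(release)],
        capture_output=True, text=True,
    )
    return judge_status(proc.stdout.splitlines(), expected_fpr)


def resign_release(release: Path, new_homedir: Path, new_keyid: str) -> None:
    """Write Release.gpg (armored detached) and InRelease (clearsigned) with the in-house key."""
    common = ["gpg", "--batch", "--yes", "--homedir", str(new_homedir), "--local-user", new_keyid]
    subprocess.run(common + ["--armor", "--detach-sign", "-o", str(release.with_name("Release.gpg")), str(release)], check=True)
    subprocess.run(common + ["--clearsign", "-o", str(release.with_name("InRelease")), str(release)], check=True)


def resign_if_authentic(dist_dir: Path, old_keyring: Path, expected_fpr: str,
                        new_homedir: Path, new_keyid: str) -> Verdict:
    """Tony's ordering: validate under the old key, refuse on any doubt, then re-sign."""
    release = dist_dir / "Release"
    verdict = verify_with_old_key(release, release.with_name("Release.gpg"), old_keyring, expected_fpr)
    if not verdict.ok:
        raise SystemExit(f"refusing to re-sign {release}: {verdict.reason}")
    resign_release(release, new_homedir, new_keyid)
    return verdict


# Constructed sample status output (placeholder key, not a real Debian key).
OLD_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_EXPIRED_OK = [
    "gpg: Signature made Tue 01 Jan 2019 00:00:00 UTC",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] KEYEXPIRED 1546300800",
    "[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Archive Signing Key (constructed)",
    "[GNUPG:] VALIDSIG " + OLD_FPR + " 2019-01-01 1546300800 0 4 0 1 10 01 " + OLD_FPR,
]
SAMPLE_BADSIG = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG 89ABCDEF01234567 Example Archive Signing Key (constructed)"]
SAMPLE_UNKNOWN_KEY = ["[GNUPG:] NEWSIG", "[GNUPG:] ERRSIG 89ABCDEF01234567 1 10 01 1546300800 9 " + OLD_FPR,
                      "[GNUPG:] NO_PUBKEY 89ABCDEF01234567"]

if __name__ == "__main__":
    print(judge_status(SAMPLE_EXPIRED_OK, OLD_FPR))
    print(judge_status(SAMPLE_BADSIG, OLD_FPR))
```

Two caveats a practitioner would want: the clients still need the in-house public key installed (a keyring file dropped into /etc/apt/trusted.gpg.d/ works on old apt that predates the signed-by option), and an old Release file usually carries a long-expired Valid-Until field, which apt checks separately from the signature (Acquire::Check-Valid-Until); once you are the signer you can decide whether to refresh that field before signing or disable the check for that source. As Tony says, record how this was done, because the in-house key will expire in turn.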