[clug] Re-signing Debian Packages

Tony Lewis tony at lewistribe.com
Thu Jan 12 22:34:54 UTC 2023


 From a security view, perhaps it would be the least worst to validate 
against the old expired key first before re-signing with the new key.  
Sorry, I don't have much experience with package signing itself.

Is this an ongoing issue (i.e. these legacy systems will endure) or part 
of migrating off to a newer version?  If the former, then just keep in 
mind how you did it, so that before your new key expires, you could make 
a decision to re-resign with a new new key.

Tony

On 13/1/23 08:04, jm via linux wrote:
> Allows the continued use of the existing package management without 
> ignoring the signature while
>  * Being Feasible
>  * Doable by one person in less than a few weeks while still having 
> time to do other things
>  * Doesn't involve a major overhaul or other disruption
>
> I'm sure I could add more, but you get the general idea.
>
> Jeff.
>
> On 12/1/23 21:55, Tony Lewis via linux wrote:
>> What's "better" in this context?  More secure?  Or convenience?
>>
>> Tony
>>
>> On 12/1/23 11:08, jm via linux wrote:
>>> I've run into a problem with a set of legacy systems which are very 
>>> much stuck on an old version of Debian for which the GPG package key 
>>> has expired. It's possible to ignore the GPG key and have apt manage 
>>> the packages regardless, but I was wondering if anyone knew of a 
>>> better way? The one that comes to mind is, would it be possible to 
>>> re-sign the packages with a new in-house key? If so, how would this 
>>> be done and what would be involved?
>>>
>>> And, to short circuit this suggestion, it's not possible to do a 
>>> distro upgrade.
>>>
>>> Jeff.
>>>
>>>
>>>
>
>

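Worked example added to this thread (it is not code from anyone on the list, nor Debian's own tooling): the procedure Tony suggests above, verify the archive's Release file against the old, expired key first and only then re-sign it with a new in-house key, written out as a script. Everything in it is constructed for the demonstration: the "old archive key", the in-house key, the e-mail addresses and the Release file. GnuPG's --faked-system-time testing option is used only so that the stand-in old key is already expired without waiting a year. It needs GnuPG 2.1 or newer and a POSIX shell.

```shell
#!/bin/sh
# Added example (not code from the thread or from Debian): verify a Release
# file against the OLD, now-expired archive key and only then re-sign it with
# a NEW in-house key, keeping the original signature for audit. Every key,
# address and Release body here is constructed. Needs GnuPG 2.1 or newer.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping demo" >&2; exit 0; }

WORK=$(mktemp -d)
OLD_HOME="$WORK/old-archive-key"   # holds ONLY the expired archive key
NEW_HOME="$WORK/inhouse-key"       # holds ONLY the new in-house key
mkdir -m 700 "$OLD_HOME" "$NEW_HOME"
cleanup() {
    gpgconf --homedir "$OLD_HOME" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$NEW_HOME" --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup EXIT

gpg_batch() {   # $1 = homedir, rest = gpg arguments; unattended, no passphrase
    h=$1; shift
    gpg --batch --no-tty --homedir "$h" --pinentry-mode loopback --passphrase '' "$@"
}

# First verdict from gpg's machine-readable status lines: GOODSIG, EXPKEYSIG
# (good signature, but the key has since expired), BADSIG or NO_PUBKEY. apt
# reads the same lines from gpgv, which is why an expired key makes apt reject
# a repository even though "gpg --verify" still prints "Good signature".
sig_status() {  # $1 = homedir (= which keys are trusted), $2 = signature [, $3 = signed file]
    gpg --batch --no-tty --homedir "$1" --status-fd 1 --verify "$2" ${3:+"$3"} 2>/dev/null |
      awk '$1 == "[GNUPG:]" && ($2 == "GOODSIG" || $2 == "EXPKEYSIG" ||
           $2 == "BADSIG" || $2 == "NO_PUBKEY") { print $2; exit }'
}

# Stand-in for the stuck archive: a key created on 2022-01-01 with a one-year
# lifetime, and a Release signed the same day. --faked-system-time is a GnuPG
# testing option, used here only so that the key is already expired.
BACKDATE="--faked-system-time 20220101T000000"
gpg_batch "$OLD_HOME" $BACKDATE --quick-generate-key \
    "Old Archive Key (constructed) <old@example.invalid>" rsa2048 sign 1y
mkdir "$WORK/dists" "$WORK/tampered"
cat > "$WORK/dists/Release" <<'EOF'
Origin: Example
Suite: oldoldstable
Codename: constructed
Date: Sat, 01 Jan 2022 00:00:00 UTC
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
EOF
gpg_batch "$OLD_HOME" $BACKDATE --armor --detach-sign \
    --output "$WORK/dists/Release.gpg" "$WORK/dists/Release"

# The in-house key. RSA on purpose: gpgv on old Debian releases (GnuPG 1.4)
# cannot verify ECC/EdDSA signatures. It gets an expiry too; record the date.
gpg_batch "$NEW_HOME" --quick-generate-key \
    "In-house Archive Key (constructed) <archive@example.invalid>" rsa4096 sign 2y
gpg --batch --homedir "$NEW_HOME" --export > "$WORK/inhouse-archive.gpg"  # for apt

# Step 1: accept the Release only if the OLD key signed it (EXPKEYSIG is the
# expected verdict; BADSIG means the mirror content changed, so refuse).
# Step 2: sign the identical bytes with the NEW key, producing both the
# detached Release.gpg and the clear-signed InRelease, since different apt
# versions fetch different ones; keep Debian's signature as Release.gpg.debian.
resign_release() {  # $1 = directory holding Release and Release.gpg
    d=$1
    case $(sig_status "$OLD_HOME" "$d/Release.gpg" "$d/Release") in
        GOODSIG|EXPKEYSIG) ;;
        *) echo "refusing to re-sign $d: not signed by the old archive key" >&2; return 1 ;;
    esac
    [ -e "$d/Release.gpg.debian" ] || cp "$d/Release.gpg" "$d/Release.gpg.debian"
    gpg_batch "$NEW_HOME" --digest-algo SHA256 --armor --detach-sign \
        --output "$d/Release.gpg.new" "$d/Release"
    gpg_batch "$NEW_HOME" --digest-algo SHA256 --clearsign \
        --output "$d/InRelease.new" "$d/Release"
    mv "$d/Release.gpg.new" "$d/Release.gpg"
    mv "$d/InRelease.new" "$d/InRelease"
}

resign_release "$WORK/dists"
echo "Debian signature  : $(sig_status "$OLD_HOME" "$WORK/dists/Release.gpg.debian" "$WORK/dists/Release")"
echo "in-house signature: $(sig_status "$NEW_HOME" "$WORK/dists/Release.gpg" "$WORK/dists/Release")"

# Edge case: a Release that differs from what Debian signed must never get an
# in-house signature. Copy the real old signature next to a modified Release.
sed 's/^Suite: oldoldstable/Suite: stable/' "$WORK/dists/Release" > "$WORK/tampered/Release"
cp "$WORK/dists/Release.gpg.debian" "$WORK/tampered/Release.gpg"
if resign_release "$WORK/tampered"; then echo "BUG: tampered Release was re-signed"; exit 1; fi
echo "tampered Release  : refused, as intended"
```

On the legacy boxes, copy the exported inhouse-archive.gpg into /usr/share/keyrings/ and add "[signed-by=/usr/share/keyrings/inhouse-archive.gpg]" to the sources.list entry for the mirror (apt 1.1 or newer); on an apt too old for signed-by, "apt-key add" the exported key instead. Two caveats: if the Release file's Valid-Until date has also passed, apt will still reject the mirror until Acquire::Check-Valid-Until is set to "false" (edit the field only if you accept signing a Release that Debian never signed; the hash lines covering the package indices are unchanged either way), and, as Tony says, the in-house key's expiry date now needs to be on a calendar so the next rotation is a decision rather than an outage.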
