[clug] Re-signing Debian Packages
Ambrose Andrews
ambrose at vrvl.net
Fri Jan 13 02:08:54 UTC 2023
On 13/1/23 10:09, jm via linux wrote:
> On 13/1/23 09:34, Tony Lewis via linux wrote:
>> From a security view, perhaps it would be the least worst to validate
>> against the old expired key first before resigning with the new key.
>> Sorry I don't have much experience with package signing itself.
>>
> That's what I'd like to tell it to do. Keep using the old key. Just
> pretend it hasn't expired. However, I don't see an option for that the
> closest I've been able to get to work is adding "[trusted=yes]" to the
> /etc/apt/source.list file which ignores it.
>
Given you have stated your constraints and choices, I will hold my tongue.
As for the signing for the last decade at least it's not that individual
packages are signed but a release file containing hashes of the packages
in the archive.
You might need to make your own local (or enterprise specific) archive
using a tool like debmirror or apt-move (or something more recent
probably), including a signed release file with a key of your own. This
key would want to be added to the all the machines in ways documented in
the Debian wiki:
https://wiki.debian.org/DebianRepository/UseThirdParty. The details of
this do depend I think on how old is the release you are stuck on.
There was previously apt-key which is deprecated but has a manpage.
There is a tool called aptly which might be helpful for creating a
custom repository / mirror. https://www.aptly.info/
-AA.
>> Is this an ongoing issue (i.e. these legacy systems will endure) or
>> part of migrating off to a newer version? If the former, then just
>> keep in mind how you did it, so that before your new key expires, you
>> could make a decision to re-resign with a new new key.
>
>
> Ongoing enduring legacy system with no path to move way from the old
> distro. Worse, in this context, more systems are being added. We have
> an internal mirror we use so none of the traffic is out on the
> Internet. Letting use get away with the less than ideal
> "[trusted=yes]". Hence, I would ideally like something which would
> simply ignore the expiry or let me easily resign the packages with our
> own keys which we can then deploy. It's really a lesser of two evils
> situation.
>
> Jeff.
>
>
--
--https://social.librem.one/@znalo
--LPO box 8274, ANU, ACT 0200 Australia
More information about the linux
mailing list