[clug] Re-signing Debian Packages (answer)
jm
jeffm at ghostgun.com
Tue Jan 17 00:31:29 UTC 2023
It must be different between various versions of gpg. The version I used
prompted for details including the desired expiry.
And, good point about checking the validity of the Releases file. Always
good practice. I assumed that here as it's what we have been using all
this time, which may be a little slack if you are concerned with adhering
to a practice which will more likely maintain security.
Jeff.
On 17/1/23 09:40, Tony Lewis via linux wrote:
> Hi Jeff,
>
> If it suits your risk appetite, you can up the security a little...
>
> On 17/1/23 08:39, jm via linux wrote:
>> Replying to myself to make this easier to find. These are the rough
>> steps which appear to have solved the problem of having the Debian
>> repo signed by an expired key. It's still yet to get extensive
>> testing, but the initial tests show this works.
>>
>> 1. Create a new Key
>>
>> $ gpg --gen-key
>
> If you use --full-gen-key you can add expiry dates and other metadata
> like names that might benefit you.
>
> <snip>
>
> Also don't forget it might be beneficial to validate `Release` against
> the old key before blindly signing it
>
> Tony
>
>
>>
>> Jeff.
>>
>>
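
The check suggested in the thread (validate `Release` against the old key before re-signing), as an added example that is not code from either poster. It assumes the old public key is still in the local keyring, that the repo has a single signer, and that the detached signature lives in `Release.gpg`; the function names and the fingerprints passed in are hypothetical.

```sh
#!/bin/sh
# Added example. The OLD/NEW fingerprints and the repo directory are supplied
# by the caller; none of these values come from the thread.

# Decide from `gpg --status-fd` output whether the signature was made by the
# expected key. GOODSIG and EXPKEYSIG (good signature, key since expired) are
# accepted; BADSIG, REVKEYSIG, ERRSIG or another fingerprint are not.
# The fingerprint is expected as 40 uppercase hex digits without spaces.
sig_status_ok() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" || $2 == "EXPKEYSIG" { good = 1 }
        $2 == "BADSIG" || $2 == "REVKEYSIG" || $2 == "ERRSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, the last field
        # is the primary key fingerprint.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { fpr_ok = 1 }
        END { exit !(good && fpr_ok && !bad) }'
}

# Verify Release against the old key, then write Release.gpg and InRelease
# with the new key. Refuses to sign if the old signature does not check out.
verify_then_resign() {
    dir=$1 old_fpr=$2 new_fpr=$3
    # The exit code is ignored on purpose: the decision is made on status lines.
    st=$(gpg --batch --status-fd 1 --verify "$dir/Release.gpg" "$dir/Release" 2>/dev/null) || true
    if ! sig_status_ok "$st" "$old_fpr"; then
        echo "Release is not validly signed by $old_fpr; not re-signing" >&2
        return 1
    fi
    gpg --batch --yes --local-user "$new_fpr" --armor --detach-sign \
        --output "$dir/Release.gpg" "$dir/Release" &&
    gpg --batch --yes --local-user "$new_fpr" --clearsign \
        --output "$dir/InRelease" "$dir/Release"
}
```

Matching on the `VALIDSIG` fingerprint rather than on gpg's exit code is what lets an expired-but-otherwise-good old signature pass while a signature from any other key in the keyring is rejected.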