Package: debian-keyring
Version: 2024.03.24
Severity: normal
X-Debbugs-Cc: Daniel Kahn Gillmor <d...@fifthhorseman.net>, ftpmas...@ftp-master.debian.org, ftpmas...@debian.org

I receive e-mail messages from the Debian FTP archive-processing software that are signed with F38AA24EB85F09F9923CA4949BF6A82061CCB921 and labeled as From: ftpmas...@ftp-master.debian.org, but the associated OpenPGP certificate is not found in /usr/share/keyrings/. I expected to find it in /usr/share/keyrings/debian-role-keys.gpg, but it wasn't there. It also wasn't published on any of the common OpenPGP keyservers that I could find. And it's not published via WKD or DANE in the places I'd expect it to be for the mail addresses in the certificate's user IDs (ftpmas...@ftp-master.debian.org and ftpmas...@debian.org).

It can be found (with no third-party certifications) in the "Upload Processing Keys" section of https://ftp-master.debian.org/keys.html.

If these role keys are legitimate, then:

 - they should be certified by at least a few Debian Developers' certificates, hopefully some folks from the FTP team who would know which certificate is the right one.

 - they should probably be distributed in the debian-keyring package, perhaps as part of the debian-role-keys.gpg file.

I note that the User IDs in those keys contain a parenthesized comment (2022). User ID comments are generally a bad idea [0], and this is no exception.

[0] https://dkg.fifthhorseman.net/blog/openpgp-user-id-comments-considered-harmful.html

If you want to communicate a date range about when these keys should be acceptable, the right way to do that is explicitly in the metadata fields associated with the certificates (e.g. key creation time, key expiration time). Reasonable OpenPGP tooling should adequately report and handle that metadata in a standardized way.

I recommend for OpenPGP certificates like this to start off with a 2-year expiration window, and when there is 1 year left to go, if you think the signing secret key is still valid and will be for longer, renew the expiration to another year out.

Those moments of certificate update are also good moments to publish the certs via hkps at https://keyring.debian.org/ as well.

Regards,

        --dkg

-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.6.15-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

debian-keyring depends on no packages.

Versions of packages debian-keyring recommends:
ii  gnupg  2.2.40-1.1

debian-keyring suggests no packages.

-- no debconf information
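The checks the report asks for (a role key should be present in the expected keyring, should carry an expiration rather than a date in a User ID comment, should start with a 2-year window, and should be renewed when 1 year is left) can be applied mechanically to `gpg --with-colons --list-keys` output. The script below is an added example and is not part of the bug report or of the debian-keyring package. The listing it parses is constructed: the key IDs, fingerprints, user IDs and timestamps are made up, and `EXPECTED_FINGERPRINTS` stands in for whatever debian-role-keys.gpg actually contains. Field positions follow gpg's documented colon format (field 5 key ID, field 6 creation, field 7 expiry, field 10 fingerprint or user ID).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed `gpg --with-colons --list-keys` listing. Nothing here is a real
# Debian key: fingerprints, key IDs, addresses and dates are invented.
# Key 1: never expires, UID carries a "(2022)" comment.
# Key 2: 2-year window, under a year left, not in the expected keyring.
# Key 3: 2-year window with ample time left, clean UID, in the keyring.
SAMPLE_LISTING = """\
pub:-:4096:1:0123456789ABCDEF:1640995200:::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADEADBEEF:
uid:-::::1640995200::HASH1::Example Role Key (2022) <role@example.org>::::::::::0:
sub:-:4096:1:1111111111111111:1640995200:::-:::s::::::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC11111111:
pub:-:255:22:FEDCBA9876543210:1700000000:1763072000::-:::scESC:::::ed25519:::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCAFEF00D:
uid:-::::1700000000::HASH2::Example Signer <signer@example.org>::::::::::0:
pub:-:255:22:0F0F0F0F0F0F0F0F:1735603200:1798675200::-:::scESC:::::ed25519:::0:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDFEEDFACE:
uid:-::::1735603200::HASH3::Example Archive Key <archive@example.org>::::::::::0:
"""

# Stand-in for the fingerprints actually shipped in debian-role-keys.gpg.
EXPECTED_FINGERPRINTS = {
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADEADBEEF",
    "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDFEEDFACE",
}
# Fixed "now" (2025-01-01 UTC) so the example is deterministic.
EXAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

TWO_YEARS = timedelta(days=730)   # recommended initial expiration window
ONE_YEAR = timedelta(days=365)    # renew when this much (or less) remains
UID_COMMENT = re.compile(r"\([^)]*\)\s*<")   # "Name (comment) <addr>" form


def parse_listing(text):
    """Group pub/fpr/uid records into one dict per primary key."""
    keys, current, want_primary_fpr = [], None, False
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"keyid": f[4], "created": int(f[5]),
                       "expires": int(f[6]) if f[6] else None,
                       "fingerprint": None, "uids": []}
            keys.append(current)
            want_primary_fpr = True          # next fpr is the primary key's
        elif f[0] == "sub":
            want_primary_fpr = False         # next fpr belongs to a subkey
        elif f[0] == "fpr" and current is not None and want_primary_fpr:
            current["fingerprint"] = f[9]
            want_primary_fpr = False
        elif f[0] == "uid" and current is not None:
            current["uids"].append(f[9])
    return keys


def check_key(key, expected_fingerprints, now):
    """Return the sorted list of policy findings for one primary key."""
    findings = []
    created = datetime.fromtimestamp(key["created"], tz=timezone.utc)
    if key["expires"] is None:
        findings.append("no-expiry")
    else:
        expires = datetime.fromtimestamp(key["expires"], tz=timezone.utc)
        if expires - created > TWO_YEARS:
            findings.append("window-too-long")
        if expires < now:
            findings.append("expired")
        elif expires - now < ONE_YEAR:
            findings.append("renewal-due")
    if any(UID_COMMENT.search(uid) for uid in key["uids"]):
        findings.append("uid-comment")
    if key["fingerprint"] not in expected_fingerprints:
        findings.append("not-in-keyring")
    return sorted(findings)


def check_listing(text, expected_fingerprints, now):
    """Map each primary fingerprint in the listing to its findings."""
    return {k["fingerprint"]: check_key(k, expected_fingerprints, now)
            for k in parse_listing(text)}


if __name__ == "__main__":
    for fpr, findings in check_listing(SAMPLE_LISTING, EXPECTED_FINGERPRINTS,
                                       EXAMPLE_NOW).items():
        print(fpr, ", ".join(findings) or "ok")
```

On a real system the listing would come from `gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --with-colons --list-keys`, with `EXPECTED_FINGERPRINTS` taken from the published key list rather than hard-coded; the fingerprint set comparison is what catches a key that is advertised on a web page but never shipped in the keyring.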