On Wed, 2019-01-16 at 08:55 +0100, Axel Beckert wrote:
>
>
> # summary of how this script can be called:
> #        * <postinst> `configure' <most-recently-configured-version>
> [...]
> case "$1" in
>     configure)
>         # configure the control channel if run for the first time
>         if [ -z "$2" ]; then
>             dnssec-trigger-control-setup
>         fi
>     ;;
>
> So as I read it, dnssec-trigger-control-setup is only called if there
> was no previously configured version installed and is hence never
> called when upgrading the package and hence never removes the too
> small old keys on upgrade.
>

I'm tired enough I wanted to double check the logic of a solution
before trying to implement it.

The check to remove too small keys should probably be moved out of
dnssec-trigger-control-setup and into the postinst script.

Then the "if [ -z "$2" ]" conditional in the post should be replaced
with checking for the existence of the keys instead of the package
version number to decide if the control-setup script is called.

Something like

    configure)
        debian_remove_small_keys $SERVER
        debian_remove_small_keys $CONTROL
        if [ \! -e /etc/dnssec-trigger/dnssec_trigger_control.key ]; then
            dnssec-trigger-control-setup
        fi

How's that sound to you?

Diane
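
A sketch of the flow proposed in the message above, added as an example; it is not part of the original mail and not the package's actual postinst. The 2048-bit threshold, the server key and `.pem` file names, and the helper names `key_bits`, `remove_small_key` and `postinst_configure` are assumptions, and it goes one step beyond the mail by also calling the setup script when only the server key is missing.

```shell
#!/bin/sh
# Added sketch, not the package's postinst. MIN_BITS, the server key and .pem
# file names and the helper names are assumptions; only the control key path
# comes from the mail.
KEYDIR="${KEYDIR:-/etc/dnssec-trigger}"
MIN_BITS="${MIN_BITS:-2048}"
SETUP="${SETUP:-dnssec-trigger-control-setup}"

# Print the size in bits of a PEM RSA private key; prints nothing if unreadable.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# Delete $KEYDIR/$1.key and its certificate when the key is below MIN_BITS.
remove_small_key() {
    key="$KEYDIR/$1.key"
    [ -e "$key" ] || return 0
    bits=$(key_bits "$key")
    if [ -z "$bits" ]; then
        # Do not delete what could not be measured; leave it for the admin.
        echo "warning: cannot determine size of $key" >&2
    elif [ "$bits" -lt "$MIN_BITS" ]; then
        rm -f "$key" "$KEYDIR/$1.pem"
    fi
}

# Runs on fresh install and on upgrade: the decision depends on the files
# present, not on whether $2 (the previously configured version) is empty.
postinst_configure() {
    remove_small_key dnssec_trigger_server
    remove_small_key dnssec_trigger_control
    if [ ! -e "$KEYDIR/dnssec_trigger_server.key" ] ||
       [ ! -e "$KEYDIR/dnssec_trigger_control.key" ]; then
        "$SETUP"
    fi
}

if [ "${1:-}" = configure ]; then
    postinst_configure
fi
```

Setting `KEYDIR` to a scratch directory and `SETUP` to a stub lets the upgrade path be exercised without touching `/etc`.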