Hello,

On Tue, Mar 18, 2025 at 02:20:26AM +0100, Guillem Jover wrote:
> It would be nice to stop accepting new updates that regress on this
> front. And ideally to start a new campaign like had been done in the
> past for other issues about weak keys/certificates.
Something like this might implement the "stop accepting new updates"
part. It's a bit more strict than suggested because it refuses all
updates if the new key is broken.
diff --git a/scripts/add-key b/scripts/add-key
index 313719fe1d48..d38437016728 100755
--- a/scripts/add-key
+++ b/scripts/add-key
@@ -61,6 +61,10 @@ else
gpg --quiet --keyserver keyserver.ubuntu.com --recv-key $1 || true
gpg --quiet --keyserver the.earth.li --send-key $1
fi
+
+echo "Inspect new key with Sequoia:"
+sq cert lint --cert=$keyid
+
gpg --keyring output/keyrings/debian-keyring.gpg \
--keyring output/keyrings/debian-nonupload.gpg --check-sigs \
--with-fingerprint --keyid-format 0xlong 0x$keyid | \
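Review bot: the new `sq cert lint --cert=$keyid` line passes a key ID with `--cert`, which makes sq look the certificate up in its own certificate store, but the preceding lines only fetched the key into gpg's keyring with `gpg --recv-key`, so the lint will not find it unless the key is also imported into sq's store. The two other hunks read the key from an exported file with `--cert-file`; doing the same here (export `0x$keyid` to a temporary file and lint that) keeps the three scripts consistent. Also, the exit status of the lint is not checked explicitly, so whether a broken key actually aborts the run depends on the script running under `set -e`; an explicit `|| exit 1` would make the "refuse the update" intent stated in the cover text hold regardless.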
diff --git a/scripts/replace-key b/scripts/replace-key
index caad4990b20e..d93ab21d977d 100755
--- a/scripts/replace-key
+++ b/scripts/replace-key
@@ -39,6 +39,8 @@ gpg --no-auto-check-trustdb --options /dev/null \
--export-options export-clean,no-export-attributes \
--export "$newkey" > $newkeytemp
+sq cert lint ----cert-file="$newkeytemp"
+
# strip leading 0x from fingerprints
oldkey=${oldkey##0x}
newkey=${newkey##0x}
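Review bot: `----cert-file="$newkeytemp"` has four leading dashes instead of two, so sq will reject it as an unknown option and the lint never runs; it should read `sq cert lint --cert-file="$newkeytemp"`. As in the add-key hunk, consider checking the exit status explicitly (e.g. `|| exit 1`) rather than relying on `set -e` to make a failed lint abort the replacement.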
diff --git a/scripts/update-key b/scripts/update-key
index 769a0805ef4d..45f3847d0cac 100755
--- a/scripts/update-key
+++ b/scripts/update-key
@@ -82,6 +82,7 @@ while [ "x$n" = "xa" -o "x$n" = "xA" ]; do
echo $summary
echo
scripts/gpg-diff $keydir/0x$keyid $GNUPGHOME/0x$keyid
+ sq cert lint --cert-file="$GNUPGHOME/0x$keyid"
) | sensible-pager
echo "Are you sure you want to update this key? (y/n/a: Yes/No/Again)"
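Review bot: the lint is added inside the `( ... ) | sensible-pager` subshell, where its exit status is discarded: the pipeline's status is that of the pager, and nothing in the visible lines enables `pipefail`, so a key that fails the lint only shows a warning in the pager and the update is still offered for confirmation. If the intent is to refuse broken keys, run `sq cert lint --cert-file="$GNUPGHOME/0x$keyid"` outside the subshell before the pager and check its result, or keep the in-pager output for the reviewer and add a separate status check before the "Are you sure" prompt.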
Best regards
Uwe

