On Tue, Feb 10, 2026 at 10:17:55PM +0000, Jonathan Dowland wrote:
Congratulations on tag2upload GA!
I've done some initial experimentation with it and I've got a quick
question.
tag2upload created a signed tag (archive/debian/3.20260201-2 for
ikiwiki) signed by one of the service keys,
374D8CE4DB96E9CBD4C0972A606D084E4683C079, which I can get from the
package debian-tag2upload-keyring -- has there been any discussion
about shipping this in debian-keyring?
keyring-maint were asked about this, and no benefit + additional
overhead compared to the tag2upload folk managing their own keyring were
seen. This key would have to live on its own, rather than in the
developer keyring, as it does not have identical properties.
The key has two signatures,
sig 2AE5E34C84B4B055 2025-03-14 [User ID not found]
sig E3E3392348B50D39 2025-03-14 [User ID not found]
0xE3E3392348B50D39 is Ian and would normally be in debian-keyring but
was dropped in the version in sid for some (likely temporary) reason.
Keyring changes are public once pushed to the active keyring:
https://salsa.debian.org/debian-keyring/keyring/-/commit/ec27c4c712f8a14a6b810c28763347aca4590326
https://salsa.debian.org/debian-keyring/keyring/-/commit/569e8a55e9cd38d4878d7a3adcd76f4d38635cf3
The other (2AE5E34C84B4B055) I can't find anywhere. It would be nice
(although, by no means essential) if I could build a trust path to the
key. Mostly for curiosity. Can anyone point me at the owner of
2AE5E34C84B4B055?
$ onak index 0x2AE5E34C84B4B055
Type bits/keyID Date User ID
pub 4096R/0x2AE5E34C84B4B055 2010/05/01 Ian Jackson (new master certification key)
<[email protected]>
Ian's certification key, as opposed to his general use key.
J.
--
Maths and alcohol don't mix. Don't drink and derive.
