It appears from buildbot 2, we already have 2 keys. One for Bookworm and one
for Buster and Older
ref: http://buildbot2.highlab.com/
Buildbot 2 probably needs to be updated to reflect the new 4096 bit key for
Trixie.
Also the key location suggested by buildbot2 may not be compliant as I
don't think storing under the /etc/apt folder is best practice today.
I don't think changing keys is a major issue. Our ISO installer includes the
key for the ethercat master which only has a 2 year life. Refreshing the key in
our installer was a trivial issue once they provided me with the details.
Note our installer installs keys and apt list files from this folder in our
repo
https://github.com/LinuxCNC/linuxcnc-live-build/tree/bookworm/config/archives
Rod
On 2025-09-30 02:30, Steffen Möller via Emc-developers
<[email protected]> wrote:
> The bitlength should be 4096 (https://wiki.debian.org/Keysigning).
> I do not have any immediate idea. The Debian developer keys should be
> distributed already with our users, so I guess they could verify
> the package if I or Petter signs it. Also, I read about a repository
> signed by multiple keys, but have not found any further respective
> instructions - guess something like
> https://stackoverflow.com/questions/37725969/several-pgp-signatures-for-one-file
> which if that works possibly maintains compatibility for ealier releases
> of Debian.
>
> There may not be a way around creating a new LinuxCNC repository key.
> I suggest to sign that key with the old key and have it on various
> keyservers and/or our website. With Petter and me signing that key,
> I guess that key will then be trusted.
>
> Best,
> Steffen
>
>
>
> > Gesendet: Montag, 29. September 2025 um 13:27
> > Von: "andy pugh" <[email protected]>
> > An: "EMC developers" <[email protected]>
> > Betreff: [Emc-developers] Archive Signing Key
> >
> > It appears that Trixie rejects the current archive signing key
> > (elg2048) as not secure enough.
> >
> > I could, in theory, generate a new key and re-sign the archive,
> >
> > But then all our existing user base would have an installed key that
> > does not work.
> >
> > Does anyone who knows more about archive signing keys than me have any
> > thoughts on how to proceed?
> >
> > (To know more than me you only need to know more than I have put in
> > the email above, I have just been blindly signing the repo with the
> > key that Seb gave me)
> >
> > --
> > atp
> > "A motorcycle is a bicycle with a pandemonium attachment and is
> > designed for the especial use of mechanical geniuses, daredevils and
> > lunatics."
> > — George Fitch, Atlanta Constitution Newspaper, 1912
> >
> >
> > _______________________________________________
> > Emc-developers mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/emc-developers
> >
>
>
> _______________________________________________
> Emc-developers mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/emc-developers
_______________________________________________
Emc-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/emc-developers
