On Mon, 29 Sept 2025 at 17:32, Steffen Möller via Emc-developers <[email protected]> wrote:
>
> The bitlength should be 4096 (https://wiki.debian.org/Keysigning).
> I do not have any immediate idea. The Debian developer keys should be
> distributed already with our users, so I guess they could verify
> the package if I or Petter signs it. Also, I read about a repository
> signed by multiple keys, but have not found any further respective
> instructions - guess something like

Looking at this further, it seems that the Release and Release.gpg files in each distribution repository are signed individually.

Currently these use the "EMC Archive Signing Key" (that I have)
https://github.com/LinuxCNC/infrastructure/blob/master/update-deb-archive#L34

So we just need to sign Trixie+ with a new, longer key.

Currently the key is installed either by the user running this script:
https://www.linuxcnc.org/linuxcnc-install.sh
Or is included on the ISO:
https://github.com/LinuxCNC/linuxcnc-live-build/tree/bookworm/config/archives

I think that the script and ISO could simply both install the new key in addition to the old one, and all should be well.

So that just leaves the task of creating a new key and getting it on to the Ubuntu keyserver.

Does anyone know enough about keys to know if the keys in our live-build are signed by an authority? (or can we only tell that from the private key, that AFAIK only myself and Seb have)

-- 
atp
"A motorcycle is a bicycle with a pandemonium attachment and is designed for the especial use of mechanical geniuses, daredevils and lunatics."
— George Fitch, Atlanta Constitution Newspaper, 1912
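An added example, not part of the message above and not code from the LinuxCNC repositories: certifications by other keys travel with the exported public key as OpenPGP signature packets, so a binary public key file can be inspected for both its bit length and the key IDs that certified it. The names `varlen`, `packets`, `issuers`, `inspect_key` and `SAMPLE` are hypothetical; the sketch assumes a v4 key in binary (dearmored) form, and `bits` is read from the first MPI, so it is meaningful for RSA and DSA keys only.

```python
import hashlib

def varlen(buf, i):  # 1-, 2- or 5-octet OpenPGP length at buf[i] -> (length, next index)
    if buf[i] < 192:
        return buf[i], i + 1
    if buf[i] < 255:
        return ((buf[i] - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def packets(data):  # yield (tag, body); binary input with definite lengths only
    i = 0
    while i < len(data):
        hdr, new, size = data[i], data[i] & 0x40, 1 << (data[i] & 3)
        if not hdr & 0x80 or (new and 224 <= data[i + 1] < 255) or (not new and size == 8):
            raise ValueError("ASCII-armored input or unsupported length encoding")
        if new:                                   # new-format header
            tag, (n, i) = hdr & 0x3F, varlen(data, i + 1)
        else:                                     # old-format header, as GnuPG exports
            tag, i = (hdr >> 2) & 15, i + 1 + size
            n = int.from_bytes(data[i - size:i], "big")
        yield tag, data[i:i + n]
        i += n

def issuers(area):  # key IDs from issuer (16) and v4 issuer-fingerprint (33) subpackets
    i = 0
    while i < len(area):
        n, i = varlen(area, i)                    # n counts the type octet plus data
        if area[i] & 0x7F in (16, 33):
            yield area[i + n - 8:i + n].hex().upper()
        i += n

def inspect_key(data):  # primary key algo, size, key ID and third-party certifier IDs
    info = {"certifiers": set()}
    for tag, body in packets(data):
        if tag == 6 and body[0] == 4:             # v4 primary public key
            info["algo"], info["bits"] = body[5], int.from_bytes(body[6:8], "big")
            fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest()
            info["keyid"] = fpr[-16:].upper()
        elif tag == 2 and body[0] == 4 and 0x10 <= body[1] <= 0x13:   # certification
            h = int.from_bytes(body[4:6], "big")  # hashed subpacket area length
            u = int.from_bytes(body[6 + h:8 + h], "big")
            ids = [*issuers(body[6:6 + h]), *issuers(body[8 + h:8 + h + u])]
            info["certifiers"].update(k for k in ids if k != info.get("keyid"))
    return info

# Constructed sample, not a real key: fake 1024-bit RSA key, user ID, MPI-less certification.
KEY = bytes([4, 0, 0, 0, 0, 1]) + b"\x04\x00\x80" + bytes(127) + b"\x00\x02\x03"
SIG = bytes([4, 0x10, 1, 8, 0, 0, 0, 10, 9, 16]) + bytes.fromhex("1122334455667788")
SAMPLE = b"\x99" + len(KEY).to_bytes(2, "big") + KEY + b"\xb4\x01A" + bytes([0xC2, len(SIG)]) + SIG
```

The issuer key IDs are read as stored and are not cryptographically verified; `gpg --check-sigs` performs that check once the certifier's public key is in the keyring.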
