Hi Andy,
I dug into what's actually published to answer your worry about user impact.
The lost key is the RSA 4096 one, keyid E43B5A8E78CC2927, UID "LinuxCNC
Archive Signing Key". It's the key currently signing the Trixie repo
(the InRelease from 27 June is signed by it), so Trixie users do already
trust it. Your instinct is right: replacing it means those users have to
pick up the new key.
The good news is nothing breaks immediately. The already-published
Trixie Release stays verifiable with the copy of the public key users
already have. The real problem is that you can't sign a new Release
until we rotate, so this blocks repo updates rather than breaking
anyone's existing setup.
One thing to be aware of: we can't do a painless "dual-signed"
transition. Normally you'd sign the repo with both the old and new key
for a while so users pick up the new one automatically, then drop the
old. That needs the old private key, which is gone, and the legacy
DSA1024 key can't sign Trixie because Trixie rejects DSA1024. So it has
to be a clean cut, and Trixie users will need the new key once.
Suggested plan:
Generate a new RSA 4096 archive key. This time generate a revocation
certificate and keep an offline backup of both the private key and the
revcert.
Re-sign the affected Release files with the new key and publish the new
public key (keyserver plus the install script).
Ship the archive key as a keyring .deb inside the repo. That way this is
the last manual rotation: future key changes get delivered automatically
through apt update. First adoption still needs one manual import, but
only once.
Announce on the forum and here with a one-line import command for
existing users.
The lost key can't be formally revoked since there's no revocation
certificate, but that's harmless for archive signing; we just mark it
retired in the announcement. Your release-tag signing key is separate
and unaffected.
Cheers,
Luca
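The rotation plan above as a runnable script, added here as an illustration and not LinuxCNC's own release tooling: it creates a new sign-only RSA 4096 key in a throwaway GNUPGHOME, backs up the revocation certificate GnuPG writes at creation time, exports the public key in both the armored and the keyring form, re-signs a constructed Release file and verifies the result the way apt does (gpgv with only the shipped keyring). The key name, e-mail, Release contents, keyring filename and the backup directory (standing in for offline media) are placeholders.

```shell
#!/bin/sh
# Added demo of the rotation steps, not LinuxCNC's own tooling. Runs entirely
# in a throwaway GNUPGHOME; the key name, e-mail, Release contents, keyring
# filename and backup directory are placeholders.
set -eu

rotate_demo() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; return 0; }
  work=$(mktemp -d); export GNUPGHOME="$work/gnupg"; mkdir -m 700 "$GNUPGHOME"
  cd "$work"

  # 1. New sign-only RSA 4096 key. %no-protection keeps the demo
  #    non-interactive; a real archive key should carry a passphrase.
  cat > keyparams <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: Example Archive Signing Key
Name-Email: archive@example.invalid
Expire-Date: 2y
%commit
EOF
  gpg --batch --quiet --gen-key keyparams
  fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^fpr/ {print $10; exit}')

  # 2. GnuPG 2.1+ writes a revocation certificate at key creation; keep it
  #    and the secret key together in an offline backup (here: a directory).
  mkdir backup
  cp "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" backup/archive-key.revcert
  gpg --batch --armor --export-secret-keys "$fpr" > backup/archive-key.sec.asc

  # 3. Public key twice: armored for keyserver/install script, binary keyring
  #    as a keyring .deb would install it under /usr/share/keyrings (placeholder name).
  gpg --batch --armor --export "$fpr" > archive-key.asc
  gpg --batch --export "$fpr" > archive-keyring.gpg

  # 4. Re-sign a constructed Release: InRelease is the clearsigned copy,
  #    Release.gpg the detached signature; apt accepts either.
  printf 'Origin: Example\nSuite: trixie\nCodename: trixie\n' > Release
  gpg --batch --yes -u "$fpr" --digest-algo SHA512 --clearsign -o InRelease Release
  gpg --batch --yes -u "$fpr" --digest-algo SHA512 --armor --detach-sign -o Release.gpg Release

  # 5. Verify as apt does: only the shipped keyring, no trustdb (gpgv is what apt calls).
  kr="$work/archive-keyring.gpg"
  if command -v gpgv >/dev/null 2>&1; then v="gpgv --keyring $kr"; else v="gpg --batch --no-default-keyring --keyring $kr --verify"; fi
  $v InRelease 2>/dev/null
  $v Release.gpg Release 2>/dev/null
  echo "new archive key $fpr; artifacts under $work"
}
```

Existing Trixie users would then do the one-time import of archive-key.asc into their keyring before the next apt update, after which the keyring .deb carries future rotations.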
On 7/3/2026 9:24 AM, andy pugh wrote:
When I took over from Seb as release manager he gave me a couple of
keys, one to sign the release tags and one to sign the archives.
With the release of Trixie the requirements for archive signing keys
were made stricter, so I made a new 4096 bit key and put that on a
keyserver.
Unfortunately I have managed to lose this new private key. Assuming I
can't find a backup anywhere, what is the best way to proceed? I think
that creating a new key for Trixie will mean that Trixie users will
need to get a new key from the keyserver, but I am not 100% sure about
this. The whole gpg key / archive signing thing is a bit of a mystery
to me.
Emc-developers mailing list
https://lists.sourceforge.net/lists/listinfo/emc-developers