Re: Expired GPG keys of older release
- Date: Wed, 20 Jun 2018 09:21:02 +0200
- From: <tomas@xxxxxxxxxx>
- Subject: Re: Expired GPG keys of older release
On Tue, Jun 19, 2018 at 09:22:22AM +0200, Adam Cecile wrote:
> GPG key that signed the Squeeze repo is now expired. How should I
> handle this properly? Although the key is expired, it used to be
> valid and I don't much like the idea of going for [trusted=yes] for
> each impacted sources.list entry.

Squeeze is, as others have noticed, beyond "end-of-life". That means
that it is "archived". It won't change. Ever.

Re-signing the packages with fresh keys would mean "change". Bad idea.

And just extending the keys' validity (as someone proposed in this
thread) seems a bad idea too, since the requirement for secure keys
evolves over time, as the NSA^H^H^H bad guys buy more GPUs.

So as far as I see it, there's no easy solution to that. I guess
you'll have to live with an expired key.

Perhaps one could talk the Apt folks into treating expired keys
in a different way than plain invalid or non-existing ones. I
wouldn't hold my breath, though.

-- tomás
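
The distinction raised in the last paragraph already exists at the GnuPG level, shown here as an added example that is not part of the original message and not apt's own code: on --status-fd, gpg and gpgv report an expired signing key (EXPKEYSIG) separately from a bad signature (BADSIG) or a missing key (NO_PUBKEY). The verdict names, the precedence policy and the sample status lines with their key IDs are constructed for illustration.

```python
import re

# Status keywords GnuPG writes to --status-fd for each signature it checks.
GOOD = {"GOODSIG"}                # signature verifies, key currently valid
EXPIRED = {"EXPKEYSIG"}           # signature verifies, but the key has expired
REJECT = {"BADSIG", "REVKEYSIG"}  # data does not match, or key was revoked
UNKNOWN = {"NO_PUBKEY", "ERRSIG"} # signature could not be checked at all

STATUS_RE = re.compile(r"^\[GNUPG:\] (\w+)(?: (\S+))?")

def parse_status(text):
    """Return (keyword, key id) pairs for the signature-related status lines."""
    events = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m and m.group(1) in GOOD | EXPIRED | REJECT | UNKNOWN:
            events.append((m.group(1), m.group(2)))
    return events

def classify(text):
    """Reduce all signatures on one Release file to a single verdict.

    Assumed policy (hypothetical): any bad or revoked signature rejects the
    file; otherwise one good signature is enough; an expired key is reported
    as its own state instead of being folded into 'unverifiable'.
    """
    words = {word for word, _ in parse_status(text)}
    if words & REJECT:
        return "rejected"
    if words & GOOD:
        return "valid"
    if words & EXPIRED:
        return "expired-key"
    if words & UNKNOWN:
        return "unverifiable"
    return "unsigned"

# Constructed status output; key IDs and names are placeholders.
SAMPLE_EXPIRED = "[GNUPG:] NEWSIG\n[GNUPG:] EXPKEYSIG 0000000000000001 Constructed Archive Key\n"
SAMPLE_MISSING = ("[GNUPG:] ERRSIG 0000000000000002 1 8 00 1400000000 9\n"
                  "[GNUPG:] NO_PUBKEY 0000000000000002\n")
SAMPLE_BAD = "[GNUPG:] BADSIG 0000000000000001 Constructed Archive Key\n"

if __name__ == "__main__":
    for name in ("SAMPLE_EXPIRED", "SAMPLE_MISSING", "SAMPLE_BAD"):
        print(name, "->", classify(globals()[name]))
```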