Re: Expired GPG keys of older release

On 6/23/2018 8:58 AM, tomas@xxxxxxxxxx wrote:
On Fri, Jun 22, 2018 at 11:48:00PM -0500, David Wright wrote:
On Fri 22 Jun 2018 at 21:12:51 (+0200), tomas@xxxxxxxxxx wrote:

[...]

Well, I attempted to supply that in
https://lists.debian.org/debian-user/2018/06/msg00528.html
but I have no idea whether that would be achievable in docker
or not because the suggestion has had no follow-up.

I'm not the docker guy, and there are lots of "interesting" things
around, so I won't be the one. But I'm curious too...

BTW, reading your "Keys *have* to expire at some point, and you can't
re-sign archived packages with a fresh key", it's not clear why the
expired key can't be unexpired, i.e. given an expiration date in the
future, if it's known to be still good.

Yes, you're right: a GPG key's validity can be extended with a new
certificate (whether it's responsible to do so is another thing, since
available computing power grows, *and* there has been more time to
hack at this key, its crypto, and for things to leak). So, practically
speaking, keys still have to expire at some point.


Or maybe key transitioning could be an option:

https://www.apache.org/dev/key-transition.html

--
John Doe
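The point tomas makes above, that extending a key's expiry is a new self-signature on the key and needs no re-signing of material already signed with it, as an added example that is not part of this thread. It builds a throwaway key in a temporary GNUPGHOME with a constructed user id and sample file, and assumes a gpg 2.1+ with gpg-agent loopback pinentry.

```shell
#!/bin/sh
# Added example (not from the thread): extend a GPG key's expiry without
# re-signing anything already signed with it. The key, its user id and
# the sample "package" file are all constructed here in a temporary home.
set -eu

# Expiry epoch of the first primary key (field 7 of the "pub" colon record).
key_expiry() {
    gpg --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '$1=="pub"{print $7; exit}'
}

# Fingerprint of the first primary key (field 10 of the "fpr" colon record).
key_fpr() {
    gpg --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10; exit}'
}

# Generate a key that expires in one day, sign a sample file, extend the key
# by a year, and confirm the old detached signature still verifies.
# Prints "ok" when the expiry moved forward and the signature is still good.
expiry_demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' \
        ed25519 sign 1d >/dev/null 2>&1
    fpr=$(key_fpr)
    before=$(key_expiry)

    printf 'constructed package contents\n' > "$GNUPGHOME/pkg.txt"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$GNUPGHOME/pkg.txt.sig" \
        "$GNUPGHOME/pkg.txt" 2>/dev/null

    # Only the key's self-signature changes here; pkg.txt.sig is untouched.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-set-expire "$fpr" 1y 2>/dev/null
    after=$(key_expiry)

    # The signature made before the extension must still verify.
    gpg --batch --verify "$GNUPGHOME/pkg.txt.sig" "$GNUPGHOME/pkg.txt" 2>/dev/null

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    [ "$after" -gt "$before" ] && echo ok
}
```

The same mechanism is what lets an archive's signing key be kept verifiable past its original expiry, which is the trade-off tomas describes: convenience against the extra exposure time of the key material.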