On Tue, 31 Oct 2017, David Cantrell wrote:
> I don't really consider this a thing about saving space or making the
> output of 'rpm -qa' look nicer or something, but rather being good users
> of GPG.
As noted but not addressed, which keys actually have been
signed at GnuPG key-signing WoT 'parties? Which are presently
on the public key-server constellation?
The answer:
Of the 38 keys on:
https://getfedora.org/keys/ and
https://getfedora.org/keys/obsolete.html
ZERO are -- one (0xF5282EE4) seems to be a collision artifact [1]
> If we create and then phase out signing keys, then part of
> our process should also involve sending revocations for the
> old keys.
but the ** private keys ** were never released or public
anyway ... Revoking a ** public key ** (which is the keys in
the RPM db in discussion) is useless as all it permitted doing
was (and is) verifying that a proper private key existed at a
place and point in time to sign that package. It is EPEL (thus
at least one part of Fedora) practice to do so already.
> And that process could be automated by a dnf plugin too.
> Leaving old keys around on the system for verification
> purposes presents a risk should the old key become
> compromised.
so shred the HSM holding the private key ...
This thread is time wasting and posturing
-- Russ herrold
1. the audit script is at:
http://gallery.herrold.com/stuff/harvest-keys.sh
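As an added illustration that is not part of the original message and is not the harvest-keys.sh script linked above: a small Python audit over the colon-format output of `gpg --with-colons --list-sigs`, performing the check the post describes, namely whether a key carries any certification other than its own self-signatures (i.e. whether anyone else's key has ever signed it). The key IDs, names and addresses in the embedded sample listing are constructed; the field positions follow GnuPG's documented colon format (doc/DETAILS: field 5 is the key ID, field 10 the user ID or fingerprint).

```python
"""Audit an OpenPGP key listing for third-party (web-of-trust) certifications.

Reads the machine-readable output of ``gpg --with-colons --list-sigs`` and
reports, per primary key, how many self-signatures it carries and which
other key IDs have certified it.  Keys with no third-party certification
have never been signed by anyone else, e.g. at a key-signing party.
"""
import sys

# Constructed sample in GnuPG's colon format.  Key IDs, fingerprints, names
# and addresses are made up for this example.  Two primary keys: the first
# has one certification from another key, the second only self-signatures.
SAMPLE_LISTING = """\
tru::1:1509408000:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1483228800:::-:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:-::::1483228800::0000000000000000000000000000000000000000::Example Signing Key <signing@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1483228800::::Example Signing Key <signing@example.org>:13x::ABCDEF0123456789ABCDEF0123456789ABCDEF01:::8:
sig:::1:FEDCBA9876543210:1490000000::::Alice Example <alice@example.org>:10x:::::::8:
sub:-:4096:1:AAAABBBBCCCCDDDD:1483228800::::::e::::::23:
sig:::1:0123456789ABCDEF:1483228800::::Example Signing Key <signing@example.org>:18x::ABCDEF0123456789ABCDEF0123456789ABCDEF01:::8:
pub:-:4096:1:1111222233334444:1420070400:::-:::scESC::::::23::0:
fpr:::::::::1111222233334444111122223333444411112222:
uid:-::::1420070400::0000000000000000000000000000000000000000::Retired Signing Key <retired@example.org>::::::::::0:
sig:::1:1111222233334444:1420070400::::Retired Signing Key <retired@example.org>:13x::1111222233334444111122223333444411112222:::8:
"""


def parse_listsigs(text):
    """Parse colon-format --list-sigs output into {primary key ID: info}."""
    keys = {}
    current = None  # key ID of the primary key whose records we are inside
    for line in text.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if len(fields) < 10:
            continue  # tru/cfg lines and anything else too short to index
        if rec == "pub":
            current = fields[4]
            keys[current] = {
                "uids": [],
                "fpr": None,
                "self_sigs": 0,
                "third_party": set(),
                "revoked": fields[1] == "r",  # validity field 'r' = revoked
            }
        elif current is None:
            continue
        elif rec == "fpr" and keys[current]["fpr"] is None:
            keys[current]["fpr"] = fields[9]  # first fpr record is the primary's
        elif rec == "uid":
            keys[current]["uids"].append(fields[9])
        elif rec in ("sig", "rev"):
            signer = fields[4]
            # A signature issued by the key itself (uid self-sig, subkey
            # binding) says nothing about the web of trust; only another
            # key's certification does.
            if signer == current:
                keys[current]["self_sigs"] += 1
            else:
                keys[current]["third_party"].add(signer)
    return keys


def keys_without_wot(keys):
    """Sorted key IDs that carry no certification from any other key."""
    return sorted(kid for kid, info in keys.items() if not info["third_party"])


def report(keys):
    """One human-readable line per primary key."""
    lines = []
    for kid, info in keys.items():
        uid = info["uids"][0] if info["uids"] else "(no user id)"
        status = "revoked, " if info["revoked"] else ""
        lines.append(
            f"{kid}  {uid}: {status}{info['self_sigs']} self-sig(s), "
            f"{len(info['third_party'])} third-party certification(s)"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe real `gpg --with-colons --list-sigs` output in, or run with no
    # stdin to audit the constructed sample.
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_listsigs(listing)
    print(report(parsed))
    missing = keys_without_wot(parsed)
    print(f"\n{len(missing)} of {len(parsed)} key(s) have no third-party "
          f"certification: {', '.join(missing)}")
```

To run this against the keys an RPM database trusts, import them into a scratch keyring first (the usual idiom is `rpm -q gpg-pubkey --qf '%{pubkeys:armor}\n' | gpg --homedir /tmp/audit --import`) and then pipe `gpg --homedir /tmp/audit --with-colons --list-sigs` into the script. The listing only shows certifications that are actually present in that keyring, so a key fetched from a keyserver that nobody ever uploaded signatures for will, correctly, show zero.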
_______________________________________________
devel mailing list -- [email protected]