On Tue, Dec 03, 2024 at 05:18:12PM +0000, Aoife Moloney via devel-announce wrote:
> Wiki - https://fedoraproject.org/wiki/Changes/Dnf5ExpiredPGPKeys
> The proposed solution is a new LIBDNF5 plugin. This plugin will act as
> a hook, checking for invalid repository PGP keys on the system before
> executing a DNF transaction.
>
> * '''Interactive mode''': The plugin will prompt the user to confirm
> the removal of each invalid key.
> * '''Non-interactive mode''' (e.g., with `-y` or `--assumeno`): The
> plugin will proceed automatically based on the specified user action,
> either removing the keys or retaining them.

This is an improvement over the current state, but (based on the
description here and a brief look at the discussion in the ticket), it
seems like valid-but-obsolete keys will not be removed. I think that they
definitely should, as soon as the last package using them is removed.

On one of my systems:

$ rpmkeys --list
9507687b-5c7935d9: gpg(@python_python3.8 (None) <@python#[email protected]>)
cfc659b9-5b6eac67: gpg(Fedora (30) <[email protected]>)
3c3359c4-5c6ae44d: gpg(Fedora (31) <[email protected]>)
12c944d0-5d5156ab: Fedora (32) <[email protected]> public key
fd189222-55ffebf5: rpmsoftwaremanagement_dnf-nightly (None) <rpmsoftwaremanagement#[email protected]> public key
429476b4-5a886537: gpg(Fedora 29 (29) <[email protected]>)
9570ff31-5e3006fb: Fedora (33) <[email protected]> public key
45719a39-5f2c0192: Fedora (34) <[email protected]> public key
9867c58f-601c49ca: Fedora (35) <[email protected]> public key
bbdb9e20-60d98a7d: jmracek_weak_excludes (None) <jmracek#[email protected]> public key
38ab71f4-60242b08: Fedora (36) <[email protected]> public key
2d9de8df-61378de3: @fedora-llvm-team_llvm-snapshots (None) <@fedora-llvm-team#[email protected]> public key
5323552a-6112bcdc: Fedora (37) <[email protected]> public key
2d20b9c6-61555dd9: @python_python3.11 (None) <@python#[email protected]> public key
eb10b464-6202d9c6: Fedora (38) <[email protected]> public key
fe562d49-5fca4469: rpmsoftwaremanagement_dnf5-unstable (None) <rpmsoftwaremanagement#[email protected]> public key
18b8e74c-62f2920f: Fedora (39) <[email protected]> public key
a15b79cc-63d04c2c: Fedora (40) <[email protected]> public key
e99d6ad1-64d2612c: Fedora (41) <[email protected]> public key
bb87e215-65428be0: zbyszek_nixos (None) <zbyszek#[email protected]> public key
bb41cc10-66162ab1: zbyszek_merged-sbin (None) <zbyszek#[email protected]> public key
105ef944-65ca83d1: Fedora (42) <[email protected]> public key

I'd like to see behaviour where keys for EOL releases are removed as soon
as possible. I.e. if I have upgraded to F42, but still have a package
from F39, then keep the key for F39 so that rpm doesn't faceplant. But as
soon as I remove the last package signed with that key, remove the key
automatically.

Does the proposed plugin implement something like this, and if not,
would it be possible?

> Note that not all keys have a defined end of validity date.

Yeah. And they really shouldn't, because the packages that were once
signed remain valid with no defined EOL.

Do our package signing keys have an end date?

$ rpm -q --qf "%{DESCRIPTION}" gpg-pubkey-18b8e74c-62f2920f | gpg --show-keys --with-colon | cut -d':' -f7
gpg: Warning: using insecure memory!

Zbyszek
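The check Zbyszek asks for above (keep a key while any installed package is signed with it, flag it once the last such package is gone), as an added example that is not code from the Change or the plugin. It parses constructed samples of `rpmkeys --list` and `rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\n'` output instead of calling rpm, and assumes the `Key ID <16 hex digits>` form of rpm's pgpsig formatter, whose last 8 hex digits are the short ID used in the gpg-pubkey-<shortid>-<created> package name.

```python
import re

# Constructed sample of `rpmkeys --list` output: the Fedora 39..41 entries from
# the page, with placeholder e-mail addresses (the page redacts them).
RPMKEYS_LIST = """\
18b8e74c-62f2920f: Fedora (39) <key39@example.invalid> public key
a15b79cc-63d04c2c: Fedora (40) <key40@example.invalid> public key
e99d6ad1-64d2612c: Fedora (41) <key41@example.invalid> public key
"""

# Constructed sample of `rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\n'`. The 64-bit
# key IDs are made up; only their last 8 hex digits matter, since that is the
# short ID rpm puts in the gpg-pubkey-<shortid>-<created> name.
RPM_SIGS = """\
bash\tRSA/SHA256, Mon 03 Feb 2025 10:00:00 AM UTC, Key ID 0123456718b8e74c
gpg-pubkey\t(none)
systemd\tRSA/SHA256, Tue 04 Feb 2025 11:00:00 AM UTC, Key ID 89abcdefe99d6ad1
kernel\tRSA/SHA256, Wed 05 Feb 2025 12:00:00 PM UTC, Key ID 89abcdefe99d6ad1
"""

KEY_LINE = re.compile(r"^([0-9a-f]{8})-([0-9a-f]{8}):\s*(.*)$")
KEY_ID = re.compile(r"Key ID ([0-9a-f]{16})$")


def parse_rpmkeys(text):
    """Map short key ID -> (creation stamp, description) from rpmkeys --list."""
    keys = {}
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys[m.group(1)] = (m.group(2), m.group(3))
    return keys


def packages_by_key(text):
    """Map short key ID -> set of installed package names signed with it."""
    users = {}
    for line in text.splitlines():
        name, _, sig = line.partition("\t")
        m = KEY_ID.search(sig)
        if m:  # unsigned packages (and gpg-pubkey itself) show "(none)"
            users.setdefault(m.group(1)[-8:], set()).add(name)
    return users


def unused_keys(keys, users):
    """Short IDs of installed keys that no installed package is signed with."""
    return sorted(k for k in keys if not users.get(k))
```

Each short ID returned names a `gpg-pubkey-<shortid>-<created>` package that nothing installed still depends on for verification; the 32-bit short ID can in principle collide between keys, the same limitation rpm's gpg-pubkey naming has.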
