On Tue, 31 Oct 2017, David Cantrell wrote:

> I don't really consider this a thing about saving space or making the
> output of 'rpm -qa' look nicer or something, but rather being good users
> of GPG.

As noted but not addressed, which keys actually have been signed at GnuPG key-signing WoT 'parties'? Which are presently on the public key-server constellation?

The answer: Of the 38 keys on:

  https://getfedora.org/keys/
  https://getfedora.org/keys/obsolete.html

ZERO are -- one (0xF5282EE4) seems to be a collision artifact [1]

> If we create and then phase out signing keys, then part of
> our process should also involve sending revocations for the
> old keys.

but the ** private keys ** were never released or public anyway ... Revoking a ** public key ** (which is the keys in the RPM db in discussion) is useless as all it permitted doing was (and is) verifying that a proper private key existed at a place and point in time to sign that package.

It is EPEL (thus at least one part of fedora) practice to do so already

> And that process could be automated by a dnf plugin too.
> Leaving old keys around on the system for verification
> purposes presents a risk should the old key become
> compromised.

so shred the HSM holding the private key ...

This thread is time wasting and posturing

-- Russ herrold

1. the audit script is at: http://gallery.herrold.com/stuff/harvest-keys.sh
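The thread turns on which OpenPGP public keys sit in a host's RPM database as `gpg-pubkey` pseudo-packages and whether retired ones are still there. The following is an added example, not code from the thread, from Fedora or from the harvest-keys.sh script above: it parses the output of the (real) `rpm -q gpg-pubkey --qf ...` query, cross-checks the key ids against an operator-supplied list of retired keys, and emits the `rpm -e` lines an admin would review. The key ids and summaries in the sample are constructed, not real Fedora keys.

```python
import re
import subprocess

# rpm query that lists every imported OpenPGP key as one tab-separated line:
# gpg-pubkey-<low 32 bits of fingerprint>-<import timestamp>\t<summary>
RPM_QUERY = ["rpm", "-q", "gpg-pubkey", "--qf",
             "%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n"]
LINE_RE = re.compile(r"^(gpg-pubkey-([0-9a-f]{8})-[0-9a-f]{8})\t(.*)$")


def parse_rpm_keys(text):
    """Map 8-hex-digit key id -> (package NEVR, summary); non-key lines are ignored."""
    keys = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            keys[m.group(2)] = (m.group(1), m.group(3))
    return keys


def normalize_keyid(keyid):
    """Accept '0xF5282EE4', 'f5282ee4' or a full fingerprint; return the low 8 hex digits."""
    k = keyid.strip().lower()
    if k.startswith("0x"):
        k = k[2:]
    return k[-8:]


def obsolete_installed(installed, obsolete_ids):
    """Return sorted [(keyid, NEVR, summary)] for installed keys that are on the obsolete list."""
    wanted = {normalize_keyid(k) for k in obsolete_ids}
    return sorted((k, nevr, summ) for k, (nevr, summ) in installed.items() if k in wanted)


def removal_commands(findings):
    """The 'rpm -e' lines an operator would review before dropping a retired key."""
    return ["rpm -e " + nevr for _, nevr, _ in findings]


def audit_live_system(obsolete_ids):
    """Run the query on this host (needs rpm installed) and return the flagged entries."""
    out = subprocess.run(RPM_QUERY, capture_output=True, text=True).stdout
    return obsolete_installed(parse_rpm_keys(out), obsolete_ids)


# Constructed sample query output and obsolete list; these are not real Fedora key ids.
SAMPLE_OUTPUT = (
    "gpg-pubkey-aaaa1111-59f1e3c4\tgpg(Example Project 26 <example-26@example.org>)\n"
    "gpg-pubkey-bbbb2222-5a0bcd12\tgpg(Example Project 27 <example-27@example.org>)\n"
)
SAMPLE_OBSOLETE = ["0xAAAA1111", "0xCCCC3333"]

if __name__ == "__main__":
    flagged = obsolete_installed(parse_rpm_keys(SAMPLE_OUTPUT), SAMPLE_OBSOLETE)
    for cmd in removal_commands(flagged):
        print(cmd)
```

Point `audit_live_system` at the ids taken from an obsolete-keys page to run it against a real host; the sample functions run offline.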