On Thu, Dec 05, 2024 at 11:39:30AM -0000, Peter Oliver wrote: > Zbigniew Jędrzejewski-Szmek wrote: > > > As to the implementation: the distro has a historical list of all keys > > used to sign its packages. For any given release we know which keys > > are "old". In some fixed location, distribute a file that lists the > > hashes of "old keys" (old relative to the current distro release). > > In case of Fedora this could be distributed by fedora-release package. > > Whenever the user does an upgrade that adds _new_ keys, look at the > > list generated by 'rpmkey --list' and for each key also on the list of > > "old keys" query for removal. > > That’s fine for what it is, but it doesn’t help with keys for third-party repositories. > > I think the approach of looking in /etc/yum.repos.d/, and removing anything not referenced from there (as suggested at https://docs.fedoraproject.org/en-US/quick-docs/upgrading-fedora-offline/#sect-clean-up-old-keys) is better. Thanks for the link. I didn't know about clean-rpm-gpg-pubkey. Looking at repo definitions is a good idea. But it doesn't seem to work: $ clean-rpm-gpg-pubkey --dry-run gpg: Warning: using insecure memory! gpg: Warning: using insecure memory! gpg: Warning: using insecure memory! gpg: Warning: using insecure memory! gpg: no valid OpenPGP data found. Could not import https://copr-be.cloud.fedoraproject.org/results/@python/python3.11/pubkey.gpg at /usr/bin/clean-rpm-gpg-pubkey line 87. :( Zbyszek -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue