From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/20110131/002387.html | 111 ++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 zarb-ml/mageia-dev/20110131/002387.html (limited to 'zarb-ml/mageia-dev/20110131/002387.html') diff --git a/zarb-ml/mageia-dev/20110131/002387.html b/zarb-ml/mageia-dev/20110131/002387.html new file mode 100644 index 000000000..12f573a9f --- /dev/null +++ b/zarb-ml/mageia-dev/20110131/002387.html @@ -0,0 +1,111 @@ + + + + [Mageia-dev] PGP keys and package signing + + + + + + + + + +

[Mageia-dev] PGP keys and package signing

+ Olivier Thauvin + nanardon at nanardon.zarb.org +
+ Mon Jan 31 12:43:17 CET 2011 +

+
+ +
* Christophe Fergeau (cfergeau at gmail.com) wrote:
+> Hey,
+> 
+> 2011/1/31 nicolas vigier <boklm at mars-attacks.org>:
+> >  - In case we think the packages@ key may have been compromised, or is
+> >   too old, or we want to change it for any other reason, we revoke the
+> >   key, and/or revoke the signature from board@ so that it is no
+> >   longer accepted by urpmi. We create a new key, we sign it with
+> >   the board@ key and we can start to use this new key.
+> 
+> Will all existing packages be reviewed and resigned when they key is
+> thought to have been compromised? What happens on user systems when
+> this is done? Will they have to reinstall all packages signed with the
+> new key?
+
+Re-signing packages will not change their name-evr-arch, so on urpmi/rpm
+side packages does not have to be updated. But from a user point of view
+they installed packages (then checked it) before the compromission, ie
+when packages were trustable.
+
+So in case of compromission packages must be resigned but I don't think
+users have to reinstall it as their content won't changes.
+
+In the case a packages is compromised (a package with malware is
+introduced on the mirror) then we'll have to provide an update with a
+clean package and in this specific case users will have to update it.
+
+> 
+> Christophe
+-- 
+
+Olivier Thauvin
+CNRS  -  LATMOS
+♖ ♘ ♗ ♕ ♔ ♗ ♘ ♖
+-------------- next part --------------
+A non-text attachment was scrubbed...
+Name: not available
+Type: application/pgp-signature
+Size: 197 bytes
+Desc: not available
+URL: </pipermail/mageia-dev/attachments/20110131/4b41d3ff/attachment.asc>
+
+ + + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
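Review bot: The attachment link in the scrubbed-attachment block near the end of the added file, `URL: </pipermail/mageia-dev/attachments/20110131/4b41d3ff/attachment.asc>`, is root-relative to `/pipermail/`, while the file itself is created under `zarb-ml/mageia-dev/20110131/`. Unless the attachments tree is also served at that `/pipermail/` path, the link will dangle from the new location. The target is the message's `application/pgp-signature` part, so a dangling link leaves the signature unreachable from the archived copy. Suggest either importing the matching `attachments/` directory with the HTML and rewriting the URL relative to the archive root, or stating in the commit message that attachments are intentionally not carried over.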