On 2019-06-10 13:09:52 -0400 (-0400), Kyle Edwards wrote:
> On Mon, 2019-06-10 at 16:56 +0000, Jeremy Stanley wrote:
[...]
> > 6. To allow for easier manual verification of key transitions,
> > always sign new keys with their predecessors when creating them.
> 
> We haven't signed the new key at the GPG key-signing level, but we've
> effectively signed it at the APT level by publishing it in the
> repository 6 months before it gets used.
[...]

Yep, it's effectively the same if your focus is solely on "secure
APT" package repository signing. For us the signing of keys directly
becomes more useful where they're employed to secure other sorts of
artifacts (source tarballs, language-ecosystem-specific packages,
docker images, even our Git tags are signed by automation following
review and approval of a release request).
-- 
Jeremy Stanley
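The key-transition practice from point 6 above (sign the new key with its predecessor so a consumer can check the handover), as an added example that is not part of the thread. It assumes GnuPG 2.x is installed and uses hypothetical user IDs in a throwaway keyring.

```shell
#!/bin/sh
# Added example, not from the thread: certify a new release key with the
# outgoing key and verify that chain the way a downstream consumer would.
# Assumes GnuPG 2.x; everything lives in a temporary GNUPGHOME.
set -e

export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
# Unattended run: no pinentry prompts.
echo "pinentry-mode loopback" > "$GNUPGHOME/gpg.conf"
echo "allow-loopback-pinentry" > "$GNUPGHOME/gpg-agent.conf"

# Hypothetical identities for the outgoing and incoming signing keys.
OLD_UID="Example Release Key 2018 <release-2018@example.org>"
NEW_UID="Example Release Key 2019 <release-2019@example.org>"

gen_key() {
    # Create an unprotected ed25519 signing key and print its fingerprint.
    gpg --batch --quiet --passphrase '' --quick-gen-key "$1" ed25519 sign 1y >/dev/null 2>&1
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

OLD_FPR="$(gen_key "$OLD_UID")"
NEW_FPR="$(gen_key "$NEW_UID")"

# The transition step: the predecessor certifies the successor's user ID.
gpg --batch --quiet --yes --passphrase '' -u "$OLD_FPR" \
    --quick-sign-key "$NEW_FPR" >/dev/null 2>&1

# Consumer-side check: does key $1 carry a good certification made by the
# key whose fingerprint is $2? Exit 0 if yes, 1 otherwise.
# Colon format: field 2 is "!" for a good signature, field 5 the signer key ID
# (the last 16 hex digits of the signer's fingerprint).
key_certified_by() {
    gpg --batch --with-colons --check-sigs "$1" 2>/dev/null \
      | awk -F: -v signer="$2" '
          $1=="sig" && $2=="!" && signer ~ ($5 "$") {found=1}
          END {exit found ? 0 : 1}'
}

key_certified_by "$NEW_FPR" "$OLD_FPR" && echo "new key is certified by old key"
```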
