Anthony Towns wrote:
> The key we'll be using (and indeed are already using) is available as:
>
>     http://ftp-master.debian.org/archive-key-4.0.asc
>
> It's expected to be valid until sometime after lenny is released.

I feel that we've been pretty miserable at communicating this stuff to our developers and our users. While I knew about the etch key (hard to miss it, given the ugly behavior it caused in apt when the archive was signed with it, before it reached debian-archive-keyring), it wasn't at all clear that it would be used to sign anything other than etch.

I've tried to update http://wiki.debian.org/SecureApt to reflect what you've said. I'm still not clear what will happen to the still existing yearly signing key though.

It's hard to predict what will happen if we reach 2007-02-07 and 2D230C5F expires. I think that due to #400526, it will at least break debmirror. If we're phasing out the yearly signing key, we should be sure to stop signing the archive with it, before it expires. Obviously, if we're not phasing it out, we have a rapidly shrinking window to create the 2007 key.

-- 
see shy jo