On Tue, Jun 19, 2018 at 09:22:22AM +0200, Adam Cecile wrote:
> Hello,
>
> GPG key that signed the Squeeze repo is now expired. How should I
> handle this properly? Although the key is expired, it used to be
> valid and I don't much like the idea of going for [trusted=yes] for
> each impacted sources.list entry.

Squeeze is, as others have noticed, beyond "end-of-life". That means that it is "archived". It won't change. Ever.

Re-signing the packages with fresh keys would mean "change". Bad idea. And just extending the keys' validity (as someone proposed in this thread) seems a bad idea too, since the requirement for secure keys evolves over time, as the NSA^H^H^H bad guys buy more GPUs.

So as far as I see it, there's no easy solution to that. I guess you'll have to live with an expired key.

Perhaps one could talk the Apt folks into treating expired keys in a different way than plain invalid or non-existing ones. I wouldn't hold my breath, though.

Cheers
-- tomás
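The distinction raised at the end of this message (expired key versus invalid or missing key) is already visible in GnuPG's machine-readable status output, as this added example shows; it is not code from the thread or from apt. The status keywords are those documented in GnuPG's doc/DETAILS, while the sample lines, key IDs and timestamps are constructed.

```python
# Added example; the status lines below are constructed samples, not real output.
PREFIX = "[GNUPG:] "

def parse_status(text):
    """Return (keyword, args) pairs for every GnuPG status line in text."""
    fields = (l[len(PREFIX):].split() for l in text.splitlines() if l.startswith(PREFIX))
    return [(f[0], f[1:]) for f in fields if f]

def _epoch(value):
    """Status timestamps are normally epoch seconds; return None otherwise."""
    return int(value) if value.isdigit() else None

def classify(text):
    """Separate 'valid signature, key since expired' from bad or unknown keys."""
    args = dict(parse_status(text))  # keyword -> args of its last occurrence
    if "BADSIG" in args:
        return {"verdict": "bad-signature"}
    if "NO_PUBKEY" in args:
        return {"verdict": "missing-key"}
    if "ERRSIG" in args:
        return {"verdict": "unverifiable"}
    if "REVKEYSIG" in args:
        return {"verdict": "revoked-key"}
    if "EXPKEYSIG" in args and "VALIDSIG" in args:
        sig_time = _epoch(args["VALIDSIG"][2])  # third field: sig-timestamp
        expiry = _epoch(args["KEYEXPIRED"][0]) if args.get("KEYEXPIRED") else None
        before = None if None in (sig_time, expiry) else sig_time < expiry
        # The signature timestamp is written by the signer, so this is a
        # consistency hint for a frozen archive, not proof of signing time.
        return {"verdict": "expired-key", "signed_before_expiry": before}
    if "GOODSIG" in args and "VALIDSIG" in args:
        return {"verdict": "good"}
    return {"verdict": "no-signature"}

# Constructed samples (hypothetical key IDs, fingerprints and times).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
EXPIRED_KEY = (
    "[GNUPG:] KEYEXPIRED 1520000000\n"
    "[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Constructed Archive Key <k@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2014-07-19 1405728000 0 4 0 1 2 00 {FPR}\n"
)
MISSING_KEY = (
    "[GNUPG:] ERRSIG 89ABCDEF01234567 1 2 00 1405728000 9\n"
    "[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n"
)
BAD_SIG = "[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Archive Key <k@example.invalid>\n"

if __name__ == "__main__":
    for name, sample in [("expired", EXPIRED_KEY), ("missing", MISSING_KEY), ("bad", BAD_SIG)]:
        print(name, classify(sample))
```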