On 31/10/17 18:46, Simo Sorce wrote:
> On Tue, 2017-10-31 at 17:34 +0200, Panu Matilainen wrote:
>> On 10/31/2017 04:57 PM, Stephen Gallagher wrote:
[...snip...]
>>> Correct me if I'm wrong, but we only check keys at installation time, so
>>> they'd be able to continue running just fine, but they'd be denied if
>>> they tried to reinstall it after F21 is EOL. Which seems perfectly
>>> reasonable to me; if you're using an EOL operating system, forcing
>>> people to have to pass --no-gpgcheck is a great way to get them to pause
>>> and reconsider their situation.
>>
>> Actually rpm by default checks signatures on queries and verification
>> too, so there is some value in keeping the keys there, at least for keys
>> that are actually in use.
>>
> 
> Is it possible to mark keys so they can be used for verification but
> not for installation of new packages ?

Can't key revocation status be used for this?  IIRC, it is possible to
verify existing signatures with revoked keys, so yum/dnf just need to
reject verification during install if the key is revoked.

> My personal worry is that old keys may get compromised over time, so it
> is a very good practice to regularly "disable" old keys.
+1


-- 
kind regards,

David Sommerseth


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org