Debian 11 seems to still point at 2.9.9

Fetched 402 MB in 3s (158 MB/s)
E: Failed to fetch https://www.linuxcnc.org/dists/bullseye/2.9-uspace/binary-amd64/linuxcnc-uspace_2.9.9_amd64.deb 404 Not Found [IP: 69.163.143.134 443]

This is from my linuxcnc-ethercat CI building for Debian 11, I set it up to get from the linuxcnc repo, seems broken...


On 7/3/2026 9:56 AM, Luca Toniolo wrote:
Hi Andy,

I dug into what's actually published to answer your worry about user impact.

The lost key is the RSA 4096 one, keyid E43B5A8E78CC2927, UID "LinuxCNC Archive Signing Key". It's the key currently signing the Trixie repo (the InRelease from 27 June is signed by it), so Trixie users do already trust it. Your instinct is right: replacing it means those users have to pick up the new key.

The good news is nothing breaks immediately. The already-published Trixie Release stays verifiable with the copy of the public key users already have. The real problem is that you can't sign a new Release until we rotate, so this blocks repo updates rather than breaking anyone's existing setup.

One thing to be aware of: we can't do a painless "dual-signed" transition. Normally you'd sign the repo with both the old and new key for a while so users pick up the new one automatically, then drop the old. That needs the old private key, which is gone, and the legacy DSA1024 key can't sign Trixie because Trixie rejects DSA1024. So it has to be a clean cut, and Trixie users will need the new key once.

Suggested plan:

Generate a new RSA 4096 archive key. This time generate a revocation certificate and keep an offline backup of both the private key and the revcert. Re-sign the affected Release files with the new key and publish the new public key (keyserver plus the install script). Ship the archive key as a keyring .deb inside the repo. That way this is the last manual rotation: future key changes get delivered automatically through apt update. First adoption still needs one manual import, but only once. Announce on the forum and here with a one-line import command for existing users. The lost key can't be formally revoked since there's no revocation certificate, but that's harmless for archive signing; we just mark it retired in the announcement. Your release-tag signing key is separate and unaffected.

Cheers,
Luca

On 7/3/2026 9:24 AM, andy pugh wrote:
When I took over from Seb as release manager he gave me a couple of
keys, one to sign the release tags and one to sign the archives.

With the release of Trixie the requirements for archive signing keys
were made stricter, so I made a new 4096 bit key and put that on a
keyserver.

Unfortunately I have managed to lose this new private key. Assuming I
can't find a backup anywhere, what is the best way to proceed? I think
that creating a new key for Trixie will mean that Trixie users will
need to get a new key from the keyserver, but I am not 100% sure about
this. The whole gpg key / archive signing thing is a bit of a mystery
to me.
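Luca's suggested plan, walked through end to end as an added shell example (not the LinuxCNC project's own tooling): new key with revocation certificate, offline backup, re-signed Release/InRelease, exported keyring, and an apt-style verification. It assumes GnuPG 2.1 or later plus gpgv; the key UID, directories and Release contents are constructed placeholders.

```shell
# Added example, not the LinuxCNC project's own tooling: walk through Luca's
# rotation plan in a throwaway GNUPGHOME. Assumes GnuPG >= 2.1 plus gpgv (which
# apt uses). The UID, paths and Release body are constructed placeholders.
set -eu
WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
gpgb() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }
# 1. New RSA 4096 sign-only key. GnuPG 2.1+ also writes a revocation
#    certificate to openpgp-revocs.d/<FPR>.rev. Prints the fingerprint.
new_archive_key() {
    gpgb --quick-gen-key "Example Archive Signing Key <archive@example.invalid>" rsa4096 sign 0 2>/dev/null
    gpgb --list-secret-keys --with-colons | awk -F: '/^fpr:/ {print $10; exit}'
}

# 2. Offline backup of the secret key AND the revcert (the piece missing here).
backup_key() {  # $1 fingerprint, $2 backup dir
    mkdir -p "$2"
    gpgb --armor --export-secret-keys "$1" > "$2/archive-secret.asc"
    cp "$GNUPGHOME/openpgp-revocs.d/$1.rev" "$2/archive-revcert.asc"
    [ -s "$2/archive-secret.asc" ] && [ -s "$2/archive-revcert.asc" ]
}

# 3. Re-sign Release: detached Release.gpg plus clearsigned InRelease.
#    Only the new key signs; a dual-signed transition would need the lost key.
sign_release() {  # $1 fingerprint, $2 dist dir containing Release
    gpgb --yes -u "$1" --armor --detach-sign -o "$2/Release.gpg" "$2/Release"
    gpgb --yes -u "$1" --clearsign -o "$2/InRelease" "$2/Release"
}

# 4. Binary keyring: the file a keyring .deb would install in /usr/share/keyrings.
export_keyring() { gpgb --export "$1" > "$2"; }  # $1 fingerprint, $2 path

# 5. Verify the way apt does: gpgv trusting only that keyring. Prints ok/FAIL.
verify_release() {  # $1 keyring, $2 dist dir
    if gpgv --keyring "$1" "$2/Release.gpg" "$2/Release" 2>/dev/null \
       && gpgv --keyring "$1" "$2/InRelease" 2>/dev/null; then echo ok; else echo FAIL; fi
}

rotate_demo() {
    mkdir -p "$WORK/dists/trixie"
    printf 'Origin: Example\nSuite: trixie\nCodename: trixie\n' > "$WORK/dists/trixie/Release"
    FPR="$(new_archive_key)"
    backup_key "$FPR" "$WORK/offline-backup"
    sign_release "$FPR" "$WORK/dists/trixie"
    export_keyring "$FPR" "$WORK/archive-keyring.gpg"
    verify_release "$WORK/archive-keyring.gpg" "$WORK/dists/trixie"
}
if [ "${1:-}" = "run" ]; then rotate_demo; fi   # sh rotate.sh run  -> ok
```

Existing users would import the exported keyring once; after that, shipping it as a keyring .deb in the repo lets later rotations arrive through apt update.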

_______________________________________________
Emc-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/emc-developers