Debian 11 seems to still point at 2.9.9
Fetched 402 MB in 3s (158 MB/s)
E: Failed to fetch
https://www.linuxcnc.org/dists/bullseye/2.9-uspace/binary-amd64/linuxcnc-uspace_2.9.9_amd64.deb
404 Not Found [IP: 69.163.143.134 443]
This is from my linuxcnc-ethercat CI building for Debian 11, I set it up
to get from the linuxcnc repo, seems broken...
On 7/3/2026 9:56 AM, Luca Toniolo wrote:
Hi Andy,
I dug into what's actually published to answer your worry about user
impact.
The lost key is the RSA 4096 one, keyid E43B5A8E78CC2927, UID
"LinuxCNC Archive Signing Key". It's the key currently signing the
Trixie repo (the InRelease from 27 June is signed by it), so Trixie
users do already trust it. Your instinct is right: replacing it means
those users have to pick up the new key.
The good news is nothing breaks immediately. The already-published
Trixie Release stays verifiable with the copy of the public key users
already have. The real problem is that you can't sign a new Release
until we rotate, so this blocks repo updates rather than breaking
anyone's existing setup.
One thing to be aware of: we can't do a painless "dual-signed"
transition. Normally you'd sign the repo with both the old and new key
for a while so users pick up the new one automatically, then drop the
old. That needs the old private key, which is gone, and the legacy
DSA1024 key can't sign Trixie because Trixie rejects DSA1024. So it
has to be a clean cut, and Trixie users will need the new key once.
Suggested plan:
Generate a new RSA 4096 archive key. This time generate a revocation
certificate and keep an offline backup of both the private key and the
revcert.
Re-sign the affected Release files with the new key and publish the
new public key (keyserver plus the install script).
Ship the archive key as a keyring .deb inside the repo. That way this
is the last manual rotation: future key changes get delivered
automatically through apt update. First adoption still needs one
manual import, but only once.
Announce on the forum and here with a one-line import command for
existing users.
The lost key can't be formally revoked since there's no revocation
certificate, but that's harmless for archive signing; we just mark it
retired in the announcement. Your release-tag signing key is separate
and unaffected.
Cheers,
Luca
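A check a repo consumer can run after reading the above, added here as an example and not code from the thread or the LinuxCNC project: it pulls the issuer key ID out of an InRelease file's OpenPGP signature packet and flags the retired key ID Luca names. The InRelease text is constructed inline with a structurally valid but deliberately bogus signature; it only answers "which key signed this?", and cryptographic verification stays with apt and gpg.

```python
import base64

def _signature_packet_bytes(text):
    lines = text.splitlines()
    body = lines[lines.index("-----BEGIN PGP SIGNATURE-----") + 1:lines.index("-----END PGP SIGNATURE-----")]
    # Drop armor headers ("Key: value"), blank lines and the "=CRC24" trailer, then base64-decode.
    return base64.b64decode("".join(l for l in body if l and ":" not in l and l[0] != "="))

def _subpackets(buf):
    """Yield (type, data) for each signature subpacket (RFC 4880, section 5.2.3.1)."""
    i = 0
    while i < len(buf):
        o = buf[i]
        if o < 192: n, i = o, i + 1
        elif o < 255: n, i = ((o - 192) << 8) + buf[i + 1] + 192, i + 2
        else: n, i = int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
        yield buf[i] & 0x7F, buf[i + 1:i + n]
        i += n

def signing_key_id(inrelease_text):
    """Return the long key ID (16 hex chars) named by the InRelease's v4 signature."""
    data = _signature_packet_bytes(inrelease_text)
    ctb = data[0]                      # old-format header 10TTTTLL, as gpg writes for signatures
    n = (1, 2, 4, 0)[ctb & 3]
    body = data[1 + n:1 + n + int.from_bytes(data[1:1 + n], "big")]
    if ctb & 0xC0 != 0x80 or (ctb >> 2) & 0x0F != 2 or body[:1] != b"\x04":
        raise ValueError("expected an old-format v4 OpenPGP signature packet")
    hl = int.from_bytes(body[4:6], "big")
    ul = int.from_bytes(body[6 + hl:8 + hl], "big")
    subs = list(_subpackets(body[6:6 + hl])) + list(_subpackets(body[8 + hl:8 + hl + ul]))
    fpr = [sp for t, sp in subs if t == 33 and sp[:1] == b"\x04"]  # hashed Issuer Fingerprint
    kid = [sp for t, sp in subs if t == 16]                          # Issuer key ID (unhashed)
    if not fpr and not kid:
        raise ValueError("signature names no issuer")
    return (fpr[0][-8:] if fpr else kid[0]).hex().upper()           # key ID = low 64 bits of fpr

def is_signed_by_retired_key(inrelease_text):
    # Retired without a revocation certificate: the lost RSA 4096 archive key from the thread.
    return signing_key_id(inrelease_text) in {"E43B5A8E78CC2927"}

def constructed_inrelease():
    """A made-up clearsigned Release: structurally valid packet, deliberately bogus signature."""
    hashed = b"\x05\x02" + (1719446400).to_bytes(4, "big")        # subpacket 2: creation time
    unhashed = b"\x09\x10" + bytes.fromhex("E43B5A8E78CC2927")    # subpacket 16: issuer key ID
    body = (b"\x04\x00\x01\x08" + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\xab\xcd\x00\x08\x42")
    packet = b"\x89" + len(body).to_bytes(2, "big") + body       # old-format tag 2, 2-octet length
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nOrigin: LinuxCNC\nSuite: trixie\n"
            "-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(packet).decode()
            + "\n=AAAA\n-----END PGP SIGNATURE-----\n")
```

On a real mirror, feed it the text of `dists/trixie/InRelease`; a hit on the retired ID means the user still needs the one-time import of the new key.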
On 7/3/2026 9:24 AM, andy pugh wrote:
When I took over from Seb as release manager he gave me a couple of
keys, one to sign the release tags and one to sign the archives.
With the release of Trixie the requirements for archive signing keys
were made stricter, so I made a new 4096 bit key and put that on a
keyserver.
Unfortunately I have managed to lose this new private key. Assuming I
can't find a backup anywhere, what is the best way to proceed? I think
that creating a new key for Trixie will mean that Trixie users will
need to get a new key from the keyserver, but I am not 100% sure about
this. The whole gpg key / archive signing thing is a bit of a mystery
to me.
_______________________________________________
Emc-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/emc-developers