Re: Remove old GPG keys?

2024-06-25 Thread Peter Oliver
> *nod* would you mind adding clean-rpm-gpg-pubkey to Fedora? Then I can simply > call it. Here's a package review request for it: https://bugzilla.redhat.com/show_bug.cgi?id=2294337 -- Peter Oliver

Re: Remove old GPG keys?

2021-05-04 Thread Sam Varshavchik
Miroslav Suchý writes: On 03. 05. 21 at 17:06 Sam Varshavchik wrote: Yeah, so: 1) Someone has to remember to do this as part of every release 2) This doesn't do anything about add-on repositories' keys 3) I had pgp keys going all the way to F19, etc… My approach is slightly awkward

Re: Remove old GPG keys?

2021-05-04 Thread Miroslav Suchý
On 03. 05. 21 at 17:06 Sam Varshavchik wrote: Yeah, so: 1) Someone has to remember to do this as part of every release 2) This doesn't do anything about add-on repositories' keys 3) I had pgp keys going all the way to F19, etc… My approach is slightly awkward *nod* would you mind adding

Re: Remove old GPG keys?

2021-05-03 Thread Matthew Miller
On Mon, May 03, 2021 at 11:06:44AM -0400, Sam Varshavchik wrote: > My approach is slightly awkward -- having to manually parse the conf > files and perform release and arch substitution. But it has the > advantage of pretty much figuring everything out. It also did me a > favor and found some old

Re: Remove old GPG keys?

2021-05-03 Thread Sam Varshavchik
Miroslav Suchý writes: On 03. 05. 21 at 0:18 Sam Varshavchik wrote: Yes, I'm replying to this old thread. See it in the list archives. And, since then, it doesn't look like much has changed. Old pgp keys are still gathering dust, in everyone's rpm databases. I had nothing else to do this lazy

Re: Remove old GPG keys?

2021-05-03 Thread Miroslav Suchý
On 03. 05. 21 at 0:18 Sam Varshavchik wrote: Yes, I'm replying to this old thread. See it in the list archives. And, since then, it doesn't look like much has changed. Old pgp keys are still gathering dust, in everyone's rpm databases. I had nothing else to do this lazy Sunday afternoon, so I

Re: Remove old GPG keys?

2021-05-02 Thread Sam Varshavchik
> I just stumbled upon > https://unix.stackexchange.com/questions/400634/does-anyone-bother-to-rem... > with the nice link to: > https://blog.laimbock.com/2014/05/02/how-to-remove-an-imported-gpg-key-fr... > And I wonder: is it a good idea to keep old gpg keys in RPM db? Or should we >

Re: Remove old GPG keys?

2017-11-02 Thread Panu Matilainen
On 11/01/2017 10:37 PM, Kevin Fenzi wrote: On 11/01/2017 01:07 PM, Christopher wrote: On Wed, Nov 1, 2017 at 3:26 PM Kevin Fenzi wrote: On 10/31/2017 01:08 PM, Christopher wrote: [...] I personally don't see much advantage in expiring old keys or the like. The only attack

Re: Remove old GPG keys?

2017-11-01 Thread Sam Varshavchik
Jonny Heggheim writes: On 11/01/2017 11:51 PM, Sam Varshavchik wrote: > I don't think much of expiring either. But keys for prior releases > should simply be removed, as part of the upgrade process, or on the > first boot after a successful upgrade. > > Now, if we go this way, we have to make

Re: Remove old GPG keys?

2017-11-01 Thread Jonny Heggheim
On 11/01/2017 11:51 PM, Sam Varshavchik wrote: > I don't think much of expiring either. But keys for prior releases > should simply be removed, as part of the upgrade process, or on the > first boot after a successful upgrade. > > Now, if we go this way, we have to make sure we don't turn a bad

Re: Remove old GPG keys?

2017-11-01 Thread Sam Varshavchik
Kevin Fenzi writes: I personally don't see much advantage in expiring old keys or the like. The only attack vector I can see is tricking someone into installing a package from an EOL release with a known vulnerability, but if you can do that you likely can get them to just download it and

Re: Remove old GPG keys?

2017-11-01 Thread Kevin Fenzi
On 11/01/2017 01:19 PM, Przemek Klosowski wrote: > On 11/01/2017 03:14 PM, Kevin Fenzi wrote: >> The only attack vector I can see is tricking someone into installing a >> package from an EOL release with a known vulnerability, but if you can do >> that you likely can get them to just download it

Re: Remove old GPG keys?

2017-11-01 Thread Kevin Fenzi
On 11/01/2017 01:07 PM, Christopher wrote: > On Wed, Nov 1, 2017 at 3:26 PM Kevin Fenzi wrote: > >> On 10/31/2017 01:08 PM, Christopher wrote: >>> >>> Why wouldn't the keys have expiration dates, following best practices? An >>> expired key is a bit friendlier of a nudge off of

Re: Remove old GPG keys?

2017-11-01 Thread Przemek Klosowski
On 11/01/2017 03:14 PM, Kevin Fenzi wrote: The only attack vector I can see is tricking someone into installing a package from an EOL release with a known vulnerability, but if you can do that you likely can get them to just download it and install it or Is it possible to compromise an old key,

Re: Remove old GPG keys?

2017-11-01 Thread Christopher
On Wed, Nov 1, 2017 at 3:26 PM Kevin Fenzi wrote: > On 10/31/2017 01:08 PM, Christopher wrote: > > > > Why wouldn't the keys have expiration dates, following best practices? An > > expired key is a bit friendlier of a nudge off of using outdated and > > unsupported RPMs than a

Re: Remove old GPG keys?

2017-11-01 Thread Kevin Fenzi
On 10/31/2017 01:08 PM, Christopher wrote: > > Why wouldn't the keys have expiration dates, following best practices? An > expired key is a bit friendlier of a nudge off of using outdated and > unsupported RPMs than a revoked key, which indicates a potential > compromise. I would expect any GPG

Re: Remove old GPG keys?

2017-11-01 Thread David Cantrell
On 10/31/2017 04:15 PM, Sam Varshavchik wrote: > David Cantrell writes: > >> I don't really consider this a thing about saving space or making the >> output of 'rpm -qa' look nicer or something, but rather being good users >> of GPG.  If we create and then phase out signing keys, then part of our

Re: Remove old GPG keys?

2017-11-01 Thread David Cantrell
On 10/31/2017 04:08 PM, Christopher wrote: > On Tue, Oct 31, 2017 at 3:06 PM David Cantrell wrote: > > On 10/31/2017 11:32 AM, R P Herrold wrote: > > On Tue, 31 Oct 2017, David Cantrell wrote: > > > >>> # rpm -qa gpg-pubkey

Re: Remove old GPG keys?

2017-10-31 Thread R P Herrold
On Tue, 31 Oct 2017, David Cantrell wrote: > I don't really consider this a thing about saving space or making the > output of 'rpm -qa' look nicer or something, but rather being good users > of GPG. As noted but not addressed, which keys actually have been signed at GnuPG key-signing WoT

Re: Remove old GPG keys?

2017-10-31 Thread Sam Varshavchik
David Cantrell writes: I don't really consider this a thing about saving space or making the output of 'rpm -qa' look nicer or something, but rather being good users of GPG. If we create and then phase out signing keys, then part of our process should also involve sending revocations for the

Re: Remove old GPG keys?

2017-10-31 Thread Christopher
On Tue, Oct 31, 2017 at 3:06 PM David Cantrell wrote: > On 10/31/2017 11:32 AM, R P Herrold wrote: > > On Tue, 31 Oct 2017, David Cantrell wrote: > > > >>> # rpm -qa gpg-pubkey --qf "%{version}-%{release} %{summary}\n"|wc -l > >>> 64 > >> > >> Do we issue revocations for

Re: Remove old GPG keys?

2017-10-31 Thread David Cantrell
On 10/31/2017 11:32 AM, R P Herrold wrote: > On Tue, 31 Oct 2017, David Cantrell wrote: > >>> # rpm -qa gpg-pubkey --qf "%{version}-%{release} %{summary}\n"|wc -l >>> 64 >> >> Do we issue revocations for old keys? If not, let's do that and extend >> dnf to honor those and clean up? > > What is

Re: Remove old GPG keys?

2017-10-31 Thread David Sommerseth
On 31/10/17 18:46, Simo Sorce wrote: > On Tue, 2017-10-31 at 17:34 +0200, Panu Matilainen wrote: >> On 10/31/2017 04:57 PM, Stephen Gallagher wrote: [...snip...] >>> Correct me if I'm wrong, but we only check keys at installation >>> time, so  >>> they'd be able to continue running just fine, but

Re: Remove old GPG keys?

2017-10-31 Thread Simo Sorce
On Tue, 2017-10-31 at 17:34 +0200, Panu Matilainen wrote: > On 10/31/2017 04:57 PM, Stephen Gallagher wrote: > > On Tue, Oct 31, 2017 at 10:49 AM Michael Cronenworth wrote: > > > > On 10/31/2017 03:52 AM, Miroslav Suchý wrote: > >

Re: Remove old GPG keys?

2017-10-31 Thread Panu Matilainen
On 10/31/2017 04:57 PM, Stephen Gallagher wrote: On Tue, Oct 31, 2017 at 10:49 AM Michael Cronenworth wrote: On 10/31/2017 03:52 AM, Miroslav Suchý wrote: > And I wonder: is it a good idea to keep old gpg keys in RPM db? Or should we

Re: Remove old GPG keys?

2017-10-31 Thread R P Herrold
On Tue, 31 Oct 2017, David Cantrell wrote: > > # rpm -qa gpg-pubkey --qf "%{version}-%{release} %{summary}\n"|wc -l > > 64 > > Do we issue revocations for old keys? If not, let's do that and extend > dnf to honor those and clean up? What is the 'use case' for potentially preventing

Re: Remove old GPG keys?

2017-10-31 Thread Stephen Gallagher
On Tue, Oct 31, 2017 at 10:49 AM Michael Cronenworth wrote: > On 10/31/2017 03:52 AM, Miroslav Suchý wrote: > > And I wonder: is it a good idea to keep old gpg keys in RPM db? Or > should we automate the removal of old keys? > > I'd be all for cleaning up old keys. > > However,

Re: Remove old GPG keys?

2017-10-31 Thread Michael Cronenworth
On 10/31/2017 03:52 AM, Miroslav Suchý wrote: And I wonder: is it a good idea to keep old gpg keys in RPM db? Or should we automate the removal of old keys? I'd be all for cleaning up old keys. However, I would be cautious to not delete keys that are still in use. Example: User has Fedora

Re: Remove old GPG keys?

2017-10-31 Thread David Cantrell
On 10/31/2017 10:15 AM, Roberto Ragusa wrote: > On 10/31/2017 09:52 AM, Miroslav Suchý wrote: >> I just stumbled upon >> >> https://unix.stackexchange.com/questions/400634/does-anyone-bother-to-remove-rpmkeys >> with the nice link to: >> >>

Re: Remove old GPG keys?

2017-10-31 Thread Roberto Ragusa
On 10/31/2017 09:52 AM, Miroslav Suchý wrote: > I just stumbled upon > > https://unix.stackexchange.com/questions/400634/does-anyone-bother-to-remove-rpmkeys > with the nice link to: > > https://blog.laimbock.com/2014/05/02/how-to-remove-an-imported-gpg-key-from-rpm/ > And I wonder: is it a

Remove old GPG keys?

2017-10-31 Thread Miroslav Suchý
I just stumbled upon https://unix.stackexchange.com/questions/400634/does-anyone-bother-to-remove-rpmkeys with the nice link to: https://blog.laimbock.com/2014/05/02/how-to-remove-an-imported-gpg-key-from-rpm/ And I wonder: is it a good idea to keep old gpg keys in RPM db? Or should we