Ticket #249 (closed defect: fixed)

Opened 15 years ago

Last modified 14 years ago

Update Debathena signing key away from 1024-bit DSA

Reported by: broder Owned by: broder
Priority: normal Milestone: Karmic Deploy (Canceled)
Component: development Keywords:
Cc: Fixed in version:
Upstream bug:

Description

The primary Debathena archive signing key is 1024-bit DSA. According to http://www.debian-administration.org/users/dkg/weblog/48, that means that signatures are being created with SHA-1. Since SHA-1 seems likely to be pretty thoroughly compromised within the next year, we should go ahead and start the process of switching to a stronger key soon.
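The description's point (a 1024-bit DSA key forces signatures onto a 160-bit hash, in practice SHA-1) can be checked directly against a keyring rather than taken on faith. The script below is an added example written for this page, not Debathena's own code: it parses the OpenPGP packet stream of a binary keyring (RFC 4880, old- and new-format headers) just far enough to report each key's algorithm and size, the size of q for DSA keys, and the hash algorithm of every v4 signature packet, and flags anything below 2048 bits, any DSA q of 160 bits or less, and any SHA-1/MD5 signature. The keyring it runs on is constructed inline from dummy MPIs and a made-up user ID (not real key material, and no relation to the Debathena keys); `audit_keyring`, `constructed_keyring` and the other names are hypothetical.

```python
"""Audit an OpenPGP public keyring for 1024-bit DSA keys and SHA-1/MD5 signatures (stdlib only)."""
import struct

ALGO_NAMES = {1: "RSA", 2: "RSA", 3: "RSA", 16: "ElGamal", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {"MD5", "SHA1"}


def iter_packets(data):
    """Yield (tag, body) for each packet (RFC 4880 4.2); old and new headers, no partial lengths."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % (pos - 1))
        if ctb & 0x40:                                       # new-format header
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                                # old-format header (what gpg --export emits)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            length = int.from_bytes(data[pos:pos + (1 << ltype)], "big")
            pos += 1 << ltype
        yield tag, data[pos:pos + length]
        pos += length


def read_mpi(buf, pos):
    """Return (bit_length, position after the MPI) for the MPI at pos."""
    bits = struct.unpack(">H", buf[pos:pos + 2])[0]
    return bits, pos + 2 + (bits + 7) // 8


def parse_public_key(body):
    """Algorithm, size of the first MPI (RSA n / DSA p) and, for DSA, the size of q."""
    if body[0] != 4:
        raise ValueError("unsupported key packet version %d" % body[0])
    algo = body[5]                                           # after version(1) + creation time(4)
    info = {"algo": ALGO_NAMES.get(algo, "algo%d" % algo), "bits": None, "qbits": None}
    if algo in (1, 2, 3, 16, 17):
        info["bits"], pos = read_mpi(body, 6)
        if algo == 17:                                       # DSA MPIs are p, q, g, y
            info["qbits"], _ = read_mpi(body, pos)
    return info


def audit_keyring(data):
    """Return one finding per key/subkey/signature packet, flagging the weak ones."""
    findings = []
    for tag, body in iter_packets(data):
        if tag in (6, 14):                                   # public key / public subkey
            k = parse_public_key(body)
            reasons = []
            if k["bits"] is not None and k["bits"] < 2048:
                reasons.append("%s-%d is below 2048 bits" % (k["algo"], k["bits"]))
            if k["qbits"] is not None and k["qbits"] <= 160:
                reasons.append("DSA q is %d bits, so the signature hash is truncated to 160 bits (SHA-1 class)" % k["qbits"])
            findings.append({"kind": "primary key" if tag == 6 else "subkey", **k,
                             "weak": bool(reasons), "reason": "; ".join(reasons)})
        elif tag == 2 and body[0] == 4:                      # v4 signature: version, type, pk algo, hash algo
            h = HASH_NAMES.get(body[3], "hash%d" % body[3])
            findings.append({"kind": "signature", "algo": ALGO_NAMES.get(body[2], "algo%d" % body[2]),
                             "hash": h, "weak": h in WEAK_HASHES,
                             "reason": "hashed with %s" % h if h in WEAK_HASHES else ""})
    return findings


# --- constructed sample keyring: dummy MPIs and a made-up user ID, not real key material ---

def _mpi(bits):
    """Dummy MPI with the top bit set, so its encoded length is exactly `bits`."""
    return struct.pack(">H", bits) + ((1 << (bits - 1)) | 0x55).to_bytes((bits + 7) // 8, "big")


def _packet(tag, body):
    """New-format packet with a one- or two-octet length (body shorter than 8384 bytes)."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    return bytes([0xC0 | tag, 192 + ((n - 192) >> 8), (n - 192) & 0xFF]) + body


def constructed_keyring():
    """A 1024-bit DSA key self-signed with SHA-1, then a 4096-bit RSA key self-signed with SHA-256."""
    uid = _packet(13, b"Constructed Test Key <test@example.com>")
    dsa = _packet(6, b"\x04" + struct.pack(">I", 1180000000) + b"\x11"
                  + _mpi(1024) + _mpi(160) + _mpi(1024) + _mpi(1024))
    dsa_sig = _packet(2, b"\x04\x13\x11\x02" + b"\x00\x00\x00\x00\xab\xcd" + _mpi(160) + _mpi(160))
    rsa = _packet(6, b"\x04" + struct.pack(">I", 1245000000) + b"\x01" + _mpi(4096) + _mpi(17))
    rsa_sig = _packet(2, b"\x04\x13\x01\x08" + b"\x00\x00\x00\x00\x12\x34" + _mpi(4096))
    return dsa + uid + dsa_sig + rsa + uid + rsa_sig


if __name__ == "__main__":
    for f in audit_keyring(constructed_keyring()):
        print("WEAK " if f["weak"] else "ok   ", f["kind"], f["algo"], f.get("bits") or f.get("hash"), f["reason"])
```

To run it against a real archive keyring, feed it the binary form: `gpg --dearmor < debathena-archive-keyring.asc > keyring.gpg`, then `audit_keyring(open("keyring.gpg", "rb").read())`. The q-size check is the one that matters for the ticket: a 1024-bit DSA key carries a 160-bit q, and a DSA signature can only use as many hash bits as q has, so such a key cannot benefit from SHA-256 even if the signer asks for it. A 4096-bit RSA key has no such cap, which is why the replacement described later in the ticket removes the SHA-1 dependency rather than just adding bits.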

Change History

comment:1 Changed 15 years ago by broder

  • Status changed from new to proposed

I've just generated a new 4096-bit RSA key to use as the signing key. The key ID is 0D8A9E8F. It's been uploaded to subkeys.pgp.net, pgp.mit.edu, and keyserver.ubuntu.com. It's so far been signed by the old Debathena key, as well as my own key (30CB1B11). I'll be asking other people to sign it tonight before the SIPB meeting.

I've also just uploaded a new debathena-archive-keyring package to -proposed with this key. I'll plan to move it to production on Wednesday.

I've also updated http://debathena.mit.edu/apt/debathena-archive{-keyring,}.asc.

We should settle on a time to transition to the new key. I think that 3 months is a reasonable period of time, so I'll recommend that we do the changeover on September 1.

comment:2 Changed 15 years ago by broder

  • Status changed from proposed to accepted
  • Owner set to broder

I'm leaving this ticket open until we actually switch to signing with the new key, but the new keyring is now in production.

comment:3 Changed 15 years ago by geofft

  • Milestone changed from Fall Release to IAP 2010

The date of September 1 in this ticket is past the date of August 21 for its milestone, so I'm adjusting the latter. (In the absence of news about SHA-1's sooner-than-expected demise, we can continue to use the first key for some time.)

comment:4 Changed 14 years ago by broder

  • Status changed from accepted to closed
  • Resolution set to fixed

This transition has finally been completed. Everything should be getting signed by the new key, the old key has been revoked, all of the keyrings that we distribute now only contain the new Debathena key (and no others), and debathena-archive-keyring will remove the keys we're no longer using from users' keyrings.
