[Mageia-dev] PGP keys and package signing

Olivier Thauvin nanardon at nanardon.zarb.org
Mon Jan 31 12:43:17 CET 2011

* Christophe Fergeau (cfergeau at gmail.com) wrote:
> Hey,
> 2011/1/31 nicolas vigier <boklm at mars-attacks.org>:
> >  - In case we think the packages@ key may have been compromised, or is
> >   too old, or we want to change it for any other reason, we revoke the
> >   key, and/or revoke the signature from board@ so that it is no
> >   longer accepted by urpmi. We create a new key, we sign it with
> >   the board@ key and we can start to use this new key.
> Will all existing packages be reviewed and resigned when they key is
> thought to have been compromised? What happens on user systems when
> this is done? Will they have to reinstall all packages signed with the
> new key?

Re-signing packages will not change their name-evr-arch, so on urpmi/rpm
side packages does not have to be updated. But from a user point of view
they installed packages (then checked it) before the compromission, ie
when packages were trustable.

So in case of compromission packages must be resigned but I don't think
users have to reinstall it as their content won't changes.

In the case a packages is compromised (a package with malware is
introduced on the mirror) then we'll have to provide an update with a
clean package and in this specific case users will have to update it.

> Christophe

Olivier Thauvin
♖ ♘ ♗ ♕ ♔ ♗ ♘ ♖
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: </pipermail/mageia-dev/attachments/20110131/4b41d3ff/attachment.asc>

More information about the Mageia-dev mailing list