Refactor #13642

closed

Issue new archive signing GPG key

Added by Dominic Cleal over 8 years ago. Updated about 8 years ago.

Status: Resolved
Priority: High
Assignee:
Category: Debian/Ubuntu
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

The GPG key used to sign the Foreman apt archives is valid until 2016-06-30 (http://theforeman.org/security.html#GPGkeys), so we need to start preparing to cycle it now.

Actions #1

Updated by Dominic Cleal over 8 years ago

Debian issues a new GPG key per release and signs each release's Release file with the release it's for and the keys of the previous release (so Wheezy's is signed by the Wheezy and Squeeze keys, Jessie by Jessie and Wheezy).

Freight seems more limited as it only uses a single GPG key for signing the archive. Ideally we'd generate a new key now and have a period of 3-4 months (including a new stable release) with them both signing the archive until the old one expires and we remove it.

It seems like we'd have to do a hard switch over, or patch Freight. (I think I'll probably work on the latter, it looks trivial - though the patch won't be accepted at the moment as it's unmaintained.)

Actions #2

Updated by Dominic Cleal over 8 years ago

https://github.com/rcrowley/freight/pull/69 adds support for signing with multiple GPG keys.

Actions #3

Updated by Anonymous about 8 years ago

Starting with apt 1.2.7:

W: gpgv:/var/lib/apt/lists/deb.theforeman.org_dists_jessie_Release.gpg: The repository is insufficiently signed by key 7059542D5AEA367F78732D02B3484CB71AA043B8 (weak digest)
W: gpgv:/var/lib/apt/lists/deb.theforeman.org_dists_plugins_Release.gpg: The repository is insufficiently signed by key 7059542D5AEA367F78732D02B3484CB71AA043B8 (weak digest)

The Debian recommended gpg settings for generating a new key would be:

# Prioritize stronger algorithms for new keys.
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
# Use a stronger digest than the default SHA1 for certifications.
cert-digest-algo SHA512

and to use SHA512 by default for signing:

personal-digest-preferences SHA512

Actions #4

Updated by Dominic Cleal about 8 years ago

  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal

I've generated and added the new key to the configuration, fingerprint AE0A F310 E2EA 96B6 B6F4 BD72 6F86 00B9 5632 78F6. It's currently on the regenerated stagingdeb server and will run on deb.tf.org on its next push. Both keys will be used to sign the archives until the expiry of the 2014 key at the end of June.

If there are no obvious problems from it, I'll send an e-mail to -announce/-users on Monday.
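
To check the two points raised in comments #3 and #4 (which digest each signature uses, and that both keys sign the archive during the overlap), the following is an added example, not part of the original thread or of Freight or apt. It parses a binary (de-armored) detached OpenPGP signature such as a Release.gpg and lists each signature's issuer key ID and digest; the `WEAK` set, the function names and the sample packets with placeholder key IDs are assumptions made for this example.

```python
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # assumption: the digests this example flags

def var_len(buf, i):  # OpenPGP 1-, 2- or 5-octet length at buf[i] -> (length, next index)
    n = buf[i]
    if n < 192:
        return n, i + 1
    if n < 255:
        return ((n - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def packets(data):  # yield (tag, body) for each packet, old- or new-format header
    i = 0
    while i < len(data):
        hdr = data[i]
        if (hdr & 0x43) == 3 or (hdr & 0x40 and 224 <= data[i + 1] < 255):
            raise ValueError("indeterminate or partial length not supported")
        if hdr & 0x40:  # new format
            tag, (n, i) = hdr & 0x3F, var_len(data, i + 1)
        else:  # old format: low two bits pick a 1-, 2- or 4-byte length
            end = i + 1 + (1 << (hdr & 3))
            tag, n, i = (hdr >> 2) & 0x0F, int.from_bytes(data[i + 1:end], "big"), end
        yield tag, data[i:i + n]
        i += n

def subpackets(area):  # yield (type, data) for each signature subpacket
    i = 0
    while i < len(area):
        n, i = var_len(area, i)
        yield area[i] & 0x7F, area[i + 1:i + n]
        i += n

def signatures(blob):
    """Return [(issuer key ID, digest name, weak?)] for each v4 signature packet."""
    found = []
    for tag, body in packets(blob):
        if tag == 2 and body[0] == 4:  # tag 2 = signature packet, version 4
            digest = HASHES.get(body[3], "unknown")
            hlen = int.from_bytes(body[4:6], "big")  # hashed subpacket area length
            ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")  # unhashed area length
            areas = body[6:6 + hlen] + body[8 + hlen:8 + hlen + ulen]
            issuer = next((d.hex().upper() for t, d in subpackets(areas) if t == 16), "?")
            found.append((issuer, digest, digest in WEAK))
    return found

# Constructed sample: two signature packets, placeholder key IDs, dummy signature bytes.
SAMPLE = b"".join(bytes([0x88, 24, 4, 0, 1, h, 0, 0, 0, 10, 9, 16]) + k * 8 + bytes(6)
                  for h, k in ((2, b"\x11"), (10, b"\x22")))
```

An ASCII-armored Release.gpg can be converted to binary first with `gpg --dearmor`; `signatures()` then returns one entry per signing key, so a dual-signed archive should list two.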

Actions #5

Updated by Dominic Cleal about 8 years ago

  • Status changed from Assigned to Resolved