Transition to a new deb.tails.boum.org archive signing key (2021-2022 edition)

This is about 221F9A3C6FA3E09E182E060BC7988EA7A358D82E. It'll be 10 years old in February 2022 so I think we should transition to a brand new key pair.

Migration plan

Prepare by the end of 2021Q4

1. Hard-code current (old) signing key in reprepro config with SignWith
   • This ensures that in reprepro the current (old) key is used even if a newer one is available.
   • reprepro instances:
     • deb.tbo
     • time-based snapshots
     • tagged snapshots
2. Generate a new key pair, add to the tails_secrets_apt module
3. Deploy the new key pair to our reprepro instances
   • deb.tbo
   • time-based snapshots
4. Add the new key to our infra's trusted APT keys
5. Test that Stretch's APT supports an APT repo signed with an ed25519 key
   • Re-enable Puppet on apt.lizard
   • Re-enable Puppet on bridge.lizard
6. Add the new public key to Tails' trusted APT keys (tails!682 (merged))
7. Release a new Tails with the aforementioned changes
   • Done in 4.25 (2021-12-07)

Wait 3+ months

2021-12-07 + 3 months = 2022-03-07

Switch to the new key pair

1. Start signing with the new key
   • Switch SignWith to the new key
     • deb.tbo: manifests/reprepro/params.pp
     • time-based snapshots: manifests/reprepro/params.pp
     • tagged snapshots: files/reprepro/snapshots/tagged/tails-prepare-tagged-apt-snapshot-import
2. Distrust the old key
   • Adjust downstream repos' VerifyRelease setting to now only trust the new key
     • time-based snapshots
     • tagged snapshots
   • Remove the old key from Tails' trusted keys: tails!788 (merged)
3. Clean up
   • remove all traces of the old key pair

Documentation

• http://mirror.physics.ox.ac.uk/ubuntu/oxford-local-testing/reprepro/docs/manual.html#signing
• https://manpages.debian.org/buster/reprepro/reprepro.1.en.html
• https://tails.boum.org/contribute/APT_repository/