Transition to a new deb.tails.boum.org archive signing key (2021-2022 edition)
This is about 221F9A3C6FA3E09E182E060BC7988EA7A358D82E. It will be 10 years old in February 2022, so I think we should transition to a brand new key pair.
Migration plan

Prepare by the end of 2021Q4

- Hard-code the current (old) signing key in the reprepro config with SignWith
  - This ensures that reprepro keeps using the current (old) key even if a newer one is available.
  - reprepro instances:
    - deb.tbo
    - time-based snapshots
    - tagged snapshots
- Generate a new key pair and add it to the tails_secrets_apt module
- Deploy the new key pair to our reprepro instances
  - deb.tbo
  - time-based snapshots
- Add the new key to our infra's trusted APT keys
  - Test that Stretch's APT supports an APT repo signed with an ed25519 key
  - Re-enable Puppet on apt.lizard
  - Re-enable Puppet on bridge.lizard
- Add the new public key to Tails' trusted APT keys (tails!682 (merged))
- Release a new Tails with the aforementioned changes: done in 4.25 (2021-12-07)

Wait 3+ months

- 2021-12-07 + 3 months = 2022-03-07

Switch to the new key pair

- Start signing with the new key: switch SignWith to the new key
  - deb.tbo: manifests/reprepro/params.pp
  - time-based snapshots: manifests/reprepro/params.pp
  - tagged snapshots: files/reprepro/snapshots/tagged/tails-prepare-tagged-apt-snapshot-import
- Distrust the old key
  - Adjust downstream repos' VerifyRelease setting so that it only trusts the new key
    - time-based snapshots
    - tagged snapshots
  - Remove the old key from Tails' trusted keys: tails!788 (merged)

Clean up: remove all traces of the old key pair

Documentation
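The two reprepro settings this plan hinges on are SignWith (which key signs each suite's Release file) and VerifyRelease (which key a downstream reprepro accepts when importing from an upstream repo). The script below is an added example, not part of this ticket or of Tails' Puppet code: it parses the blank-line-separated stanzas of a reprepro conf/distributions and conf/updates file and reports whether each suite is pinned to a full fingerprint (rather than floating on gpg's default key via `SignWith: yes`, or pinned by a short key ID) and whether any downstream import still trusts the retired key or uses `blindtrust`. The configuration text is constructed for the example; the old-key fingerprint is the one named above, and the new-key fingerprint is a placeholder.

```python
"""Checker for reprepro config during an archive signing key rotation (added example)."""

import re

# Fingerprint of the archive signing key named in the ticket.
OLD_KEY = "221F9A3C6FA3E09E182E060BC7988EA7A358D82E"
# Constructed placeholder for the replacement key; not a real Tails key.
NEW_KEY = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"

FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

# Constructed sample of a reprepro conf/distributions file: one stanza per suite.
SAMPLE_DISTRIBUTIONS = """\
Codename: stable
Components: main
Architectures: amd64 source
SignWith: 221F9A3C6FA3E09E182E060BC7988EA7A358D82E

Codename: testing
Components: main
Architectures: amd64 source
SignWith: yes

Codename: experimental
Components: main
Architectures: amd64 source
SignWith: A358D82E

Codename: devel
Components: main
Architectures: amd64 source
"""

# Constructed sample of a downstream conf/updates file (e.g. a snapshot instance).
SAMPLE_UPDATES = """\
Name: from-deb-tbo
Method: https://deb.tails.boum.org/
VerifyRelease: 221F9A3C6FA3E09E182E060BC7988EA7A358D82E|ABCDEF0123456789ABCDEF0123456789ABCDEF01

Name: from-mirror
Method: https://mirror.example/
VerifyRelease: blindtrust
"""


def parse_stanzas(text):
    """Split a reprepro conf file into a list of {field: value} dicts.
    Stanzas are separated by blank lines; lines starting with '#' are comments."""
    stanzas, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line.lstrip().startswith("#"):
            continue
        field, _, value = line.partition(":")
        current[field.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def classify_signwith(value):
    """Classify a SignWith value by how deterministically it selects the key."""
    if value is None:
        return "unsigned"            # no Release.gpg / InRelease at all
    if value.lower() in ("yes", "default"):
        return "default-key"         # whatever gpg picks: changes when a new key appears
    if value.startswith("!"):
        return "external-script"     # reprepro hands signing to a script
    if not FINGERPRINT_RE.match(value):
        return "short-id"            # 8/16-hex IDs are ambiguous; pin the full fingerprint
    return "pinned"


def check_distributions(text, expected_key):
    """Return {codename: status}; 'pinned-expected' is the only status that matches the plan."""
    report = {}
    for stanza in parse_stanzas(text):
        value = stanza.get("SignWith")
        kind = classify_signwith(value)
        if kind == "pinned":
            kind = "pinned-expected" if value.upper() == expected_key.upper() else "pinned-other"
        report[stanza.get("Codename", "?")] = kind
    return report


def check_updates(text, distrusted_keys):
    """Return {update name: [problems]} for VerifyRelease settings of downstream imports."""
    distrusted = {k.upper() for k in distrusted_keys}
    report = {}
    for stanza in parse_stanzas(text):
        value = stanza.get("VerifyRelease", "")
        problems = []
        if not value:
            problems.append("no VerifyRelease")
        elif value == "blindtrust":
            problems.append("blindtrust")
        else:
            for key in (k.strip().upper() for k in value.split("|")):
                if key in distrusted:
                    problems.append(f"still trusts {key[-8:]}")
                elif not FINGERPRINT_RE.match(key):
                    problems.append(f"short id {key}")
        report[stanza.get("Name", "?")] = problems
    return report


if __name__ == "__main__":
    # Phase 1 of the plan: every suite should be pinned to the old key.
    print(check_distributions(SAMPLE_DISTRIBUTIONS, OLD_KEY))
    # Phase 2 of the plan: no downstream import should still trust the old key.
    print(check_updates(SAMPLE_UPDATES, [OLD_KEY]))
```

Run it against the real conf/ directories once in each phase: before the switch, every suite should report `pinned-expected` for the old key and nothing else; after the switch, re-run with `NEW_KEY` as the expected key and pass `[OLD_KEY]` to `check_updates` so any snapshot instance whose VerifyRelease still lists the retired key shows up before it is cleaned up.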
Edited by intrigeri