On Tue, 31 Oct 2017, David Cantrell wrote:
> I don't really consider this a thing about saving space or making the
> output of 'rpm -qa' look nicer or something, but rather being good users
> of GPG.
As noted but not addressed, which keys actually have been
signed at GnuPG key-signing WoT 'parties'? Which are presently
on the public key-server constellation?

The answer: of the 38 keys on
https://getfedora.org/keys/ and
https://getfedora.org/keys/obsolete.html
ZERO are -- one (0xF5282EE4) seems to be a collision artifact [1].
> If we create and then phase out signing keys, then part of
> our process should also involve sending revocations for the
> old keys.
But the ** private keys ** were never released or public
anyway ... Revoking a ** public key ** (which are the keys in
the RPM db under discussion) is useless, as all it permitted doing
was (and is) verifying that a proper private key existed at a
place and point in time to sign that package. It is EPEL (thus
at least one part of Fedora) practice to do so already.
> And that process could be automated by a dnf plugin too.
> Leaving old keys around on the system for verification
> purposes presents a risk should the old key become
> compromised.
So shred the HSM holding the private key ...

This thread is time wasting and posturing.
-- Russ herrold
[1] The audit script is at:
http://gallery.herrold.com/stuff/harvest-keys.sh
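The audit question above (which keys carry third-party WoT signatures, and which are revoked) can be answered by parsing `gpg --with-colons --list-sigs` output. The following is an added example, not the harvest-keys.sh script linked above; the key IDs, user IDs and signatures in the sample are constructed, not real Fedora keys.

```python
from dataclasses import dataclass, field

# Constructed sample of `gpg --with-colons --list-sigs` output (fake key IDs).
# Field 1 = record type, field 2 = validity ('r' = revoked),
# field 5 = key ID (for 'sig'/'rev' records: the signer's key ID).
SAMPLE = """\
pub:-:4096:1:0123456789ABCDEF:1500000000::-:::scSC::::::23::0:
uid:-::::1500000000::HASH::Example One <one@example.invalid>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Example One <one@example.invalid>:13x:
sig:::1:FEDCBA9876543210:1500100000::::Someone Else <else@example.invalid>:10x:
pub:-:4096:1:1111222233334444:1500000000::-:::scSC::::::23::0:
uid:-::::1500000000::HASH::Example Two <two@example.invalid>::::::::::0:
sig:::1:1111222233334444:1500000000::::Example Two <two@example.invalid>:13x:
pub:r:4096:1:5555666677778888:1500000000::-:::scSC::::::23::0:
rev:::1:5555666677778888:1600000000::::Example Three <three@example.invalid>:20x:
uid:-::::1500000000::HASH::Example Three <three@example.invalid>::::::::::0:
sig:::1:5555666677778888:1500000000::::Example Three <three@example.invalid>:13x:
"""

@dataclass
class KeyAudit:
    keyid: str
    revoked: bool = False
    self_sigs: int = 0
    third_party_sigs: int = 0
    signers: list = field(default_factory=list)  # third-party signer key IDs

def audit_keys(colon_output: str) -> dict:
    """Return {keyid: KeyAudit} counting user-ID signatures per primary key."""
    keys, current, in_uid = {}, None, False
    for line in colon_output.splitlines():
        f = line.split(":")
        rtype = f[0]
        if rtype == "pub":
            current = KeyAudit(keyid=f[4], revoked=(f[1] == "r"))
            keys[current.keyid] = current
            in_uid = False
        elif rtype in ("sub", "ssb"):
            in_uid = False        # subkey binding sigs are not WoT signatures
        elif rtype == "uid" and current is not None:
            in_uid = True
        elif rtype == "rev" and current is not None and not in_uid:
            current.revoked = True  # key revocation certificate present
        elif rtype == "sig" and current is not None and in_uid:
            if f[4] == current.keyid:
                current.self_sigs += 1
            else:
                current.third_party_sigs += 1
                current.signers.append(f[4])
    return keys

def keys_without_wot(keys: dict) -> list:
    """Key IDs that carry no third-party signature at all."""
    return [k for k, a in keys.items() if a.third_party_sigs == 0]
```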