On 31/10/17 18:46, Simo Sorce wrote:
> On Tue, 2017-10-31 at 17:34 +0200, Panu Matilainen wrote:
>> On 10/31/2017 04:57 PM, Stephen Gallagher wrote:
[...snip...]
>>> Correct me if I'm wrong, but we only check keys at installation time, so
>>> they'd be able to continue running just fine, but they'd be denied if
>>> they tried to reinstall it after F21 is EOL. Which seems perfectly
>>> reasonable to me; if you're using an EOL operating system, forcing
>>> people to have to pass --no-gpgcheck is a great way to get them to pause
>>> and reconsider their situation.
>>
>> Actually rpm by default checks signatures on queries and verification
>> too, so there is some value in keeping the keys there, at least for keys
>> that are actually in use.
>>
> Is it possible to mark keys so they can be used for verification but
> not for installation of new packages?

Can't key revocation status be used for this? IIRC, it is possible to
verify existing signatures with revoked keys, so yum/dnf just need to
reject doing verification during install if the key is revoked.

> My personal worry is that old keys may get compromised over time, so it
> is a very good practice to regularly "disable" old keys.

+1
--
kind regards,
David Sommerseth