GPG key used to sign debian repository changed #209

stbuehler · 2020-01-18T09:36:55Z

A key rollover should be documented, and I can't find any note regarding it. Also please don't create a new key every month:

Old key:

pub   rsa4096 2019-11-22 [SCEA] [expires: 2024-11-20]
      CC160DF5CEF1B148857EBA29F9CC653EBE9CF76D
uid           Amazon Services LLC (Amazon Corretto release) <corretto-team@amazon.com>

New key (downloaded from https://apt.corretto.aws/corretto.key):

pub   rsa4096 2019-12-05 [SCEA] [expires: 2024-12-03]
      6DC3636DAE534049C8B94623A122542AB04F24E3
uid           Amazon Services LLC (Amazon Corretto release) <corretto-team@amazon.com>

I'm pretty sure I observed the old key "Dec 21" (not quite sure how long apt has been complaining).

The text was updated successfully, but these errors were encountered:

cliveverghese · 2020-01-21T01:23:09Z

hi @stbuehler

Both the keys are owned by us and safe to use. The key currently in place is what we will keep signing future releases with (i.e. 6DC3636DAE534049C8B94623A122542AB04F24E3) although we previously released our apt-repos signed with our pre-release key (i.e. key id: CC160DF5CEF1B148857EBA29F9CC653EBE9CF76D ). We will update our change log to make this clear. Thanks for pointing it out.

stbuehler · 2020-01-21T06:18:47Z

Thanks for the clarification!

cliveverghese closed this as completed Jan 21, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GPG key used to sign debian repository changed #209

GPG key used to sign debian repository changed #209

stbuehler commented Jan 18, 2020

cliveverghese commented Jan 21, 2020

stbuehler commented Jan 21, 2020

GPG key used to sign debian repository changed #209

GPG key used to sign debian repository changed #209

Comments

stbuehler commented Jan 18, 2020

cliveverghese commented Jan 21, 2020

stbuehler commented Jan 21, 2020