Each major version of EPEL has its own package signing key. Soon we'll begin work on EPEL 10, so we'll need a new key for it.
Ideally by 2023-12-01, or as soon as possible after that.
The EPEL 10 retirement date of 2035-05-31.
It would prevent us from having signed packages in EPEL 10.
Do we want to rotate the key for every minor version like we do for every Fedora release?
What would be the justification for doing so? The current strategy of a new key for each major version of EPEL seems to be working well to me. From what I've seen in the configuration for various tools, it would be straightforward to use the same major version key for each minor version of EPEL 10. Rotating the key with each minor version would require enterprise users to accept a new key every six months.
Metadata Update from @phsmoura: - Issue tagged with: low-gain, low-trouble, ops
None really, I just asked because of potential re-use with Fedora SOP and this is one of those early decisions that need to be made before we do anything that's hard to back out later. I'm fine with "key per major" continuing with EPEL 10.
@humaton you were going to do this?
Please let me know if you run into any problems and please make me an admin on it. ;)
Metadata Update from @kevin: - Issue assigned to humaton
here are both keys:
https://humaton.fedorapeople.org/epel/
I am not sure where they should live. The epel-release package? On the main branch, or where?
Initially, they should be added to distribution-gpg-keys and https://fedoraproject.org/security
There are a few differences with this key compared to the EPEL 9 key.
-RPM-GPG-KEY-EPEL-9 +RPM-GPG-KEY-epel-10
-Fedora +EPEL
-epel9 +10
-epel@fedoraproject.org +epel-10@fedoraproject.org
Should we keep those fields consistent with the previous key?
The filename and the email address should remain consistent with previous keys. Otherwise certain formulaic expectations will break.
Name-Real should be Fedora EPEL (or if not, Name-Real and Name-Comment should revert back to the previous form).
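One concrete instance of those formulaic expectations, added here as an illustration and not taken from the ticket: the epel.repo file shipped by epel-release-9 points at the key through dnf's $releasever variable, so the file installed under /etc/pki/rpm-gpg has to be named RPM-GPG-KEY-EPEL-<major> exactly (uppercase EPEL, major version only), or dnf cannot find the key it is told to import on a fresh system. A lowercased RPM-GPG-KEY-epel-10 would not match on a case-sensitive filesystem. The fragment is trimmed to the relevant keys.

```ini
[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch&infra=$infra&content=$contentdir
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever
```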
I also wanted to ask if we actually need the RPM-GPG-KEY-epel-10-ima key. I've heard of IMA signatures, but I'm not sure how that relates to the package signing key. RHEL 9 has IMA signatures, but doesn't ship a separate GPG key for it in redhat-release. Fedora 38 and 39 have IMA keys in fedora-gpg-keys, in several formats (.cert, .der, and .pem).
IMHO we should do IMA signing for epel10 at least. We are reworking the sigul part of this right now, and we can discuss more once that's done. I'm sure it will require some enrollment, but it might be quite nice to have EPEL packages covered by IMA signatures.
Sorry about the mess with naming. I have recreated the GPG key because sigul was segfaulting on me while changing it. IMA key is the same just renamed.
This key looks good to me:
[root@f887fce26b82 /]# sq inspect RPM-GPG-KEY-EPEL-10
RPM-GPG-KEY-EPEL-10: OpenPGP Certificate.
    Fingerprint: 7D8D15CBFC4E62688591FB2633D98517E37ED158
    Public-key algo: RSA
    Public-key size: 4096 bits
    Creation time: 2023-12-12 13:27:05 UTC
    Key flags: certification, signing, transport encryption, data-at-rest encryption
    UserID: Fedora (epel10) <epel@fedoraproject.org>
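The sq inspect output above is what a consumer should compare before trusting a downloaded key. The script below is an added example, not code from the ticket or from any Fedora tooling: it strips ASCII armor (checking the CRC-24 line, so a truncated or corrupted download is rejected), walks the OpenPGP packets, computes the v4 fingerprint as RFC 4880 defines it (SHA-1 over 0x99, a two-byte length and the public-key packet body), and reports algorithm, key size, creation time and user ID so the result can be checked against a published fingerprint such as the one above. The embedded sample key is constructed with a throwaway modulus and the user ID quoted in this ticket; it is an assumption for offline running, not the EPEL 10 key.

```python
import base64
import calendar
import hashlib
import struct
import time

ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, the armor checksum."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(data: bytes) -> bytes:
    """Strip ASCII armor (binary passes through) and verify the CRC line if present."""
    if not data.startswith(b"-----BEGIN PGP"):
        return data
    b64, crc_line, past_headers = [], None, False
    for line in data.decode("ascii").splitlines()[1:]:
        if not past_headers:                     # armor headers end at a blank line
            past_headers = line.strip() == ""
        elif line.startswith("-----END"):
            break
        elif line.startswith("="):               # "=XXXX" CRC-24 checksum line
            crc_line = line[1:].strip()
        else:
            b64.append(line.strip())
    raw = base64.b64decode("".join(b64))
    if crc_line and crc24(raw) != int.from_bytes(base64.b64decode(crc_line), "big"):
        raise ValueError("armor CRC mismatch: key file is corrupt or truncated")
    return raw

def packets(raw: bytes):
    """Yield (tag, body) per packet; partial and indeterminate lengths are rejected."""
    i = 0
    while i < len(raw):
        ctb, i = raw[i], i + 1
        if ctb & 0x40:                                    # new-format header
            tag, first, i = ctb & 0x3F, raw[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + raw[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", raw[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                             # old-format header
            tag, size = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 0x03]
            if size == 0:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(raw[i:i + size], "big"), i + size
        yield tag, raw[i:i + length]
        i += length

def inspect(data: bytes) -> dict:
    """Summarise the primary key much as `sq inspect` does."""
    info = {}
    for tag, body in packets(dearmor(data)):
        if tag == 6 and "fingerprint" not in info:        # first public-key packet
            if body[0] != 4:
                raise ValueError(f"unsupported key version {body[0]}")
            created, algo = struct.unpack(">I", body[1:5])[0], body[5]
            # v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, 2-byte body length, body
            fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
            info.update(fingerprint=fpr, keyid=fpr[-16:], algo=ALGO_NAMES.get(algo, f"algo {algo}"),
                        bits=struct.unpack(">H", body[6:8])[0],  # first MPI: RSA n or DSA p
                        created=time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(created)))
        elif tag == 13 and "uid" not in info:             # first user ID packet
            info["uid"] = body.decode("utf-8")
    if "fingerprint" not in info:
        raise ValueError("no public-key packet found")
    return info

def fingerprint_matches(info: dict, published: str) -> bool:
    """Compare with a fingerprint copied from a web page (spacing and case vary)."""
    return info["fingerprint"] == published.replace(" ", "").upper()

def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def _armor(raw: bytes) -> bytes:
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n").encode()

# Constructed sample (an assumption, NOT the real EPEL 10 key): v4 RSA packet, throwaway 4096-bit modulus.
_body = (b"\x04" + struct.pack(">I", calendar.timegm((2023, 12, 12, 13, 27, 5))) + b"\x01"
         + _mpi((1 << 4095) | 1) + _mpi(65537))
_uid = b"Fedora (epel10) <epel@fedoraproject.org>"
SAMPLE_RAW = b"\x99" + struct.pack(">H", len(_body)) + _body + bytes([0xB4, len(_uid)]) + _uid
SAMPLE_ARMORED = _armor(SAMPLE_RAW)
# One altered base64 character still decodes, but the CRC line no longer matches.
_head, _, _rest = SAMPLE_ARMORED.partition(b"\n\n")
SAMPLE_CORRUPT = _head + b"\n\n" + (b"B" if _rest[:1] == b"A" else b"A") + _rest[1:]
```

Against a real file, inspect(open("RPM-GPG-KEY-EPEL-10", "rb").read()) followed by fingerprint_matches(info, "<fingerprint from fedoraproject.org/security>") reproduces the check; rpm --import does not compare the key against any expectation, so that comparison has to happen before importing. Subkeys (tag 14) are deliberately ignored, since the published fingerprint is that of the primary key.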
The keys are created and people have access to them, once epel-release-10 gets created we can add it there.
Metadata Update from @humaton: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)