We've generated a new Ubuntu archive signing key (4096R/3B4FE6ACC0B21F32) and would like to start using it, via a transition period in which new distroseries are signed by both keys for a while. This is going to require some Launchpad code and configuration changes.
As preparatory work, I've set default_key in /srv/launchpad.net/ubuntu-archive/gnupg-home/gpg.conf, allowing us to have both old and new keys in the keyring there without having to rely on whatever GPG does by default if there are multiple secret keys available with no default_key; and I've imported the new public/secret key into that keyring. (I've tested that --sign without -u KEYID still signs with the old key, 1024D/40976EAF437D05B5.)
Following this, though, we need some way to start selectively using the new key. The way this is done should obey the following properties:
* Subject to testing, it should be possible to sign Ubuntu <= precise with both old and new keys.
* After a transition period, we should start signing Ubuntu >= quantal with only the new key.
* Key IDs must not be hardcoded in Launchpad code and I think probably ought not to live in the database either, since that would break the dogfood publisher which does not (and must not) have access to the production signing keys. It should be possible to change the signing key used for a given distroseries range independently for production and dogfood.
* Ideally, the scheme we come up with should allow us to switch to new signing keys more frequently in future without having to think about it quite so hard.
I'd welcome comments on possible approaches. My best idea so far is to add key IDs to the archivepublisher config, but I'm not sure how to deal with the per-distroseries(-range) bit in an elegant way.
No LP code should be harmed in the making of this feature. Here's what we should do:
- ftpmaster-
reconfigure to use a new location and copy the existing scripts there
- edit publish-
When happy, remove the ubuntu-specific stuff from the LP tree.
Profit!