Axel Thimm wrote:
Either the key is considered compromized and one needs to do the full
program, or it is reasonably considered safe (by a brute-force safe
passphrase and really assuming the passphrase has not been lost to the
intruder as well), in which case no steps are needed, but phasing it
out before the computing power gets accessible to break it (e.g. new
keys for F10 upwards).
The current program looks like a mix of assuming "safe" (so the old
key can be used for signing new packages, even if it just a few) and
assuming "compromised" needing a resiging of all content.
It turns out that we're ahead of schedule in re-signing. Due to bodhi
limitations we needed to resign all updates before pushing any new
updates, and that is done now. I have to check with Jesse but I suspect
resigning of Everything should be done early during this upcoming week.
(It might even be close to done now, I dunno.)
The re-signing of Everything however is not blocking implementation of
the first stages of the plan - which includes updates going out.
Anyhow, updates should begin flowing soon, and shortly thereafter the
old key is removed. Oh, did you actually test rpm -e during %post?
According to skvidal it doesn't work because it locks the transaction.
Jeremy thinks the only assured way we can remove the old key is with a
hardcoded hack in rpm that will be removed in F10 rpm.