
rotate pgp keys on internal repository (or rebuild from scratch)

In recent (Debian 13 / trixie) APT releases, our repository yields a warning that it will become unsupported within a year:

Warning: https://deb.torproject.org/torproject.org/dists/bookworm/InRelease: Policy will reject signature within a year, see --audit for details

It looks like there's something wrong with our PGP key, according to the --audit:

> sudo apt -U full-upgrade --audit
Hit:1 http://security.debian.org/debian-security trixie-security InRelease
Hit:2 https://deb.debian.org/debian trixie InRelease
Hit:3 https://deb.debian.org/debian-debug trixie-debug InRelease
Hit:4 https://deb.debian.org/debian bookworm InRelease
Hit:5 https://deb.debian.org/debian-security bookworm-security InRelease
Hit:6 https://deb.debian.org/debian experimental InRelease
Hit:7 https://deb.debian.org/debian sid InRelease
Hit:8 https://deb.grml.org grml-stable InRelease
Hit:9 https://deb.torproject.org/torproject.org bookworm InRelease
3 packages can be upgraded. Run 'apt list --upgradable' to see them.
Upgrading:
  chromium  chromium-common  chromium-sandbox

Installing dependencies:
  libdav1d6  libflac12  libopenh264-7

Summary:
  Upgrading: 3, Installing: 3, Removing: 0, Not Upgrading: 0
  Download size: 22.4 MB / 101 MB
  Space needed: 6975 kB / 20.2 GB available

Warning: https://deb.torproject.org/torproject.org/dists/bookworm/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://deb.torproject.org/torproject.org/dists/bookworm/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 is not bound:
              Policy rejected non-revocation signature (PrimaryKeyBinding) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
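The audit says the key's binding signature was made with SHA1. As an added illustration (not from this ticket or from Tor Project tooling), the Python script below walks a binary, unarmored OpenPGP key and reports the hash algorithm of every v4 signature packet, so you can see which self-signatures would need re-signing before deciding to rotate or retire the key; the sample key bytes are constructed inline, and for a real key you would feed it the output of `gpg --export KEYID`.

```python
# Added example, not from the ticket: list the hash algorithm of each v4 OpenPGP signature.
SIG_TAG = 2  # OpenPGP signature packet tag (RFC 4880 section 5.2)
HASH_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
WEAK_HASHES = {1, 2}  # MD5 and SHA1: what sqv's policy rejects for binding sigs
SIG_TYPES = {0x10: "UserIDCert", 0x13: "PositiveCert",
             0x18: "SubkeyBinding", 0x19: "PrimaryKeyBinding"}

def iter_packets(data):
    """Yield (tag, body) per packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:  # new format: tag in low 6 bits, 1/2/5-byte length
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: tag in bits 2-5, length size 1/2/4 from low 2 bits
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, None)[ctb & 0x03]
            if n is None:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def audit_signatures(data):
    """Return (sig_type, hash_name, is_weak) for every v4 signature packet."""
    report = []
    for tag, body in iter_packets(data):
        if tag == SIG_TAG and body[0] == 4:  # v4 layout: ver, type, pk algo, hash
            sig_type, hash_algo = body[1], body[3]
            report.append((SIG_TYPES.get(sig_type, hex(sig_type)),
                           HASH_NAMES.get(hash_algo, str(hash_algo)),
                           hash_algo in WEAK_HASHES))
    return report

def make_sig_packet(sig_type, hash_algo):
    """Constructed minimal v4 signature packet: empty subpackets, dummy MPI."""
    body = bytes([4, sig_type, 1, hash_algo, 0, 0, 0, 0, 0xAB, 0xCD, 0, 8, 0x42])
    return bytes([0xC0 | SIG_TAG, len(body)]) + body

SAMPLE_KEY = (bytes([0xB4, 4]) + b"anon"   # constructed: old-format User ID packet
              + make_sig_packet(0x13, 2)   # self-certification using SHA1
              + make_sig_packet(0x18, 2)   # subkey binding using SHA1
              + make_sig_packet(0x18, 8))  # subkey binding using SHA256
```

The weak/ok flag mirrors the SHA1 rejection reported by `--audit`; the cutoff date itself is a property of the verifier's policy, not of the key.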

I'm not sure what the best way to fix this is: we could rotate the PGP key, but considering we only have a couple of packages there, I wonder if it might not be best to just retire this repository altogether:

root@alberti:/srv/db.torproject.org/ftp-archive/archive# find -name '*deb'
./pool/trixie/userdir-ldap_0.3.110~tpo1_all.deb
./pool/bookworm/userdir-ldap_0.3.110~tpo1_all.deb
./pool/tpo-all/userdir-ldap_0.3.104~tpo4_all.deb
./pool/tpo-all/userdir-ldap-cgi_0.3.43~x.tpo.13_all.deb
./pool/tpo-all/tor-nagios-checks_39_all.deb

Essentially, we have ud-ldap (which we're likely going to retire thanks to #41839) and tor-nagios-checks (which is deployed only on a couple of hosts, also scheduled for retirement, #41671)...

We do sometimes use the repository for one-off backports though, so maybe it's worth keeping one in the long term, in which case we should rebuild this in a clean VM, with reprepro (or whatever), fully puppetized.

@zen, what's our plan for debian repositories again?

Edited by Jérôme Charaoui