Custom signing keys for a linux feed and an API to swap them out?



  • Dear Support,

    We have our feeds for Debian configured and they are running fine, but we are thinking about the possibility of swapping the automatically generated key.

    In the admin settings we could not find a way to swap the key used for the repo and signing the packages to a custom one.

    Does such an option exist?

    Is there maybe an API to swap a signing key for a feed / repo, which can be used by CI/CD?

    Many thanks!
    Frank


  • inedo-engineer

    Hi @frei_zs,

    This is not supported; is there a reason that you'd want to do that?

    My understanding is that signing keys are an outdated/vestigial concept that only makes sense if you're not using SSL/HTTPS.

    Thanks,
    Alana



  • Hey Alana,

    thank you for the reply.

    Our security team is asking to be able to revoke public keys and swap them out as a preventive action or in case of bad things that might happen.

    While you are right that SSL/HTTPS does secure the connection to a server, I haven't heard that signing repos is deprecated.

    It ensures (besides the SSL/HTTPS) that the packages downloaded are eligible and verified for installation from the configured repo.

    If this is not supported, then that's the way it is, although being able to upload a custom signing key would be a great feature. ;)

    Have a great day,
    Frank


  • inedo-engineer

    Hi @frei_zs ,

    I'm not really sure how signing keys work to be honest, but they seem to be really just used for the InRelease index?

    Anyway, it was trivial to add a button to Delete the existing signing key. When you click that button, it will then show a page that allows you to Create a signing key:

    [image: 586b22a9-9ebf-4271-a5be-b385a043ba9a-image.png]

    So we'll get that in via PG-2807 in the next maintenance release (shipping on Friday).

    As far as uploading a custom key, doing it via API, etc., that's not trivial... but I'm thinking this will cover your bases. I can't imagine you are swapping these out often (or ever).

    Thanks,
    Alana



  • Hey Alana,

    sorry for the late response!

    And thank you for the update. You are totally right, this will not happen often, rarely even, so I think we can work with this solution. :)

    Have a great day,
    Frank

