Skip to content

feat(debian): use explicit, stronger defaults for newly generated repo signing keys#36236

Merged
wxiaoguang merged 5 commits intogo-gitea:mainfrom
0xMax42:feature/improve-debian-registry-key-generation
Jan 1, 2026
Merged

feat(debian): use explicit, stronger defaults for newly generated repo signing keys#36236
wxiaoguang merged 5 commits intogo-gitea:mainfrom
0xMax42:feature/improve-debian-registry-key-generation

Conversation

@0xMax42
Copy link
Copy Markdown
Contributor

@0xMax42 0xMax42 commented Dec 23, 2025
edited by wxiaoguang
Loading

This PR updates Debian repository signing key generation to use explicit, stronger defaults and to embed the creation time in the OpenPGP comment for newly created keys.

Rationale

Repository signing keys are typically long-lived. Since there is currently no built-in key rotation mechanism, the initial key parameters effectively persist for years.
At the moment, those parameters are implicitly derived from OpenPGP library defaults, which makes the effective crypto policy indirect and potentially subject to upstream library changes.

This change makes the defaults explicit and slightly more future-proof, without affecting existing repositories.

Changes

For newly generated Debian repository keys only:

  • Add a UTC creation timestamp to the key comment

  • Generate keys with an explicit packet.Config:

    • RSA 4096-bit primary key and encryption subkey
    • SHA-256 as default hash
    • AES-256 as default cipher

Compatibility

  • Existing repository keys stored in the database are not modified
  • Only newly created keys are affected
  • RSA-based keys remain fully compatible with APT and GnuPG
  • No changes to signing logic or repository metadata formats

Verification

The change was verified by generating a fresh keypair and validating InRelease signatures via gpg --verify.
Repositories using existing keys continue to work unchanged.

The diff is intentionally small and isolated to key generation only.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Dec 23, 2025
@github-actions github-actions bot added the modifies/go Pull requests that update Go code label Dec 23, 2025
@0xMax42 0xMax42 force-pushed the feature/improve-debian-registry-key-generation branch from d5d5c42 to 9938866 Compare December 23, 2025 18:42
delvh
delvh approved these changes Dec 24, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@delvh delvh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM if renaming a user does not break anything.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Dec 24, 2025
@0xMax42
refactor: remove username from keypair generation
ded26da 
The username can be renamed, which means that the key can no longer be assigned to the user.
@delvh

This comment was marked as off-topic.

Sign in to view
@0xMax42
Copy link
Copy Markdown
Contributor Author

0xMax42 commented Dec 24, 2025

Should I adjust the PR text above?

If I remember correctly, the title and the first line of the text will be included in a possible merge, correct?

@delvh
Copy link
Copy Markdown
Member

delvh commented Dec 24, 2025

Should I adjust the PR text above?

Yes, if you'd like to that would be very welcome.

If I remember correctly, the title and the first line of the text will be included in a possible merge, correct?

Exactly, except it's the PR title + entire description.

wxiaoguang
wxiaoguang reviewed Jan 1, 2026
View reviewed changes
@wxiaoguang
Update services/packages/debian/repository.go
abaaa09 
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jan 1, 2026
@wxiaoguang wxiaoguang enabled auto-merge (squash) January 1, 2026 02:08
@wxiaoguang wxiaoguang merged commit 91d8716 into go-gitea:main Jan 1, 2026
24 checks passed
@GiteaBot GiteaBot added this to the 1.26.0 milestone Jan 1, 2026
zjjhot added a commit to zjjhot/gitea that referenced this pull request Jan 5, 2026
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
d228c9a 
* giteaofficial/main:
  Move assign project when creating pull request to the same database transaction (go-gitea#36244)
  [skip ci] Updated translations via Crowdin
  Fix stats bug when syncing release (go-gitea#36285)
  Fix link/origin referrer and login redirect (go-gitea#36279)
  Always honor user's choice for "delete branch after merge" (go-gitea#36281)
  refactor(pprof): use explicit mux instead of DefaultServeMux (go-gitea#36276)
  improve the compare page (go-gitea#36261)
  mailer: pass request context to generateAdditionalHeadersForIssue (go-gitea#36274)
  feat(debian): use explicit, stronger defaults for newly generated repo signing keys (go-gitea#36236)
  Make "commit statuses" API accept slashes in "ref" (go-gitea#36264)

# Conflicts:
#	templates/base/footer_content.tmpl
#	templates/base/head_navbar.tmpl
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wxiaoguang wxiaoguang wxiaoguang approved these changes

@delvh delvh delvh approved these changes

Assignees

No one assigned

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/go Pull requests that update Go code

Projects

None yet

Milestone

1.26.0

Development

Successfully merging this pull request may close these issues.

4 participants

@0xMax42 @delvh @wxiaoguang @GiteaBot