From 91d871611e6bb9f700cc7c4426411ba07d30a0a5 Mon Sep 17 00:00:00 2001
From: "Max P." <46793832+0xMax42@users.noreply.github.com>
Date: Thu, 1 Jan 2026 03:36:14 +0100
Subject: [PATCH] feat(debian): use explicit, stronger defaults for newly generated repo signing keys (#36236)

Make Debian repository signing key generation use explicit stronger defaults and embed the creation time in the OpenPGP comment for newly created keys.

---------

Signed-off-by: wxiaoguang
Co-authored-by: wxiaoguang
---
 services/packages/debian/repository.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/services/packages/debian/repository.go b/services/packages/debian/repository.go
index 34b52b45cf..910f93b034 100644
--- a/services/packages/debian/repository.go
+++ b/services/packages/debian/repository.go
@@ -7,6 +7,7 @@ import (
 	"bytes"
 	"compress/gzip"
 	"context"
+	"crypto"
 	"errors"
 	"fmt"
 	"io"
@@ -67,7 +68,14 @@ func GetOrCreateKeyPair(ctx context.Context, ownerID int64) (string, string, err
 }
 
 func generateKeypair() (string, string, error) {
-	e, err := openpgp.NewEntity("", "Debian Registry", "", nil)
+	// Repository signing keys are long-lived and there is currently no rotation mechanism, choose stronger algorithms
+	cfg := &packet.Config{
+		RSABits: 4096,
+		DefaultHash: crypto.SHA256,
+		DefaultCipher: packet.CipherAES256,
+	}
+
+	e, err := openpgp.NewEntity("", "Automatically generated Debian Registry Key; created "+time.Now().UTC().Format(time.RFC3339), "", cfg)
 	if err != nil {
 		return "", "", err
 	}
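Review bot: The timestamp embedded in the key comment on the `openpgp.NewEntity` line is taken from its own `time.Now()` call, while the key and self-signature creation time come from a separate clock read inside the library (its `Config.Time` callback when set, otherwise `time.Now`), so the two can differ and the comment may not match the creation date a tool shows for the key. Reading the clock once and handing it to the config keeps them consistent: `now := time.Now().UTC()`, `cfg.Time = func() time.Time { return now }` in the `packet.Config` literal, and `"...; created "+now.Format(time.RFC3339)` for the comment. The comment above `cfg` should also say what each field actually governs, since `DefaultCipher` only records the key's preferred symmetric algorithm in its self-signature and does not affect the strength of the repository signatures themselves, whereas `RSABits` and `DefaultHash` do; something like `// RSABits/DefaultHash harden the key and its signatures; DefaultCipher only sets the preferred symmetric algorithm advertised by the key` would keep a later reader from assuming otherwise. The rest of generateKeypair (serialization of the entity) continues outside the hunk.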