feat(debian): use explicit, stronger defaults for newly generated repo signing keys (#36236)

Make Debian repository signing key generation use explicit stronger defaults
and embed the creation time in the OpenPGP comment for newly created keys.

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Max P. 2026-01-01 03:36:14 +01:00 committed by GitHub
parent 094104bc91
commit 91d871611e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -7,6 +7,7 @@ import (
"bytes" "bytes"
"compress/gzip" "compress/gzip"
"context" "context"
"crypto"
"errors" "errors"
"fmt" "fmt"
"io" "io"
@ -67,7 +68,14 @@ func GetOrCreateKeyPair(ctx context.Context, ownerID int64) (string, string, err
} }
func generateKeypair() (string, string, error) { func generateKeypair() (string, string, error) {
e, err := openpgp.NewEntity("", "Debian Registry", "", nil) // Repository signing keys are long-lived and there is currently no rotation mechanism, choose stronger algorithms
cfg := &packet.Config{
RSABits: 4096,
DefaultHash: crypto.SHA256,
DefaultCipher: packet.CipherAES256,
}
e, err := openpgp.NewEntity("", "Automatically generated Debian Registry Key; created "+time.Now().UTC().Format(time.RFC3339), "", cfg)
if err != nil { if err != nil {
return "", "", err return "", "", err
} }
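Review bot: The packet.Config built in generateKeypair sets RSABits, DefaultHash and DefaultCipher but not KeyLifetimeSecs, so (if I read go-crypto's packet.Config right) the key is created without an expiry; that is consistent with the no-rotation remark in the comment, but it should be stated explicitly, because an expiring key would otherwise silently break apt verification of the repository. I would extend the comment above `cfg := &packet.Config{` to `// ... choose stronger algorithms. KeyLifetimeSecs is deliberately left unset: with no rotation mechanism an expiring key would break apt verification.` DefaultCipher only records the key's preferred symmetric cipher in its self-signature and does not strengthen the signatures this key produces, so a one-line note such as `// DefaultCipher only sets the key's cipher preference; signature strength comes from RSABits/DefaultHash` would stop readers from assuming it hardens signing. The RFC3339 timestamp in the NewEntity comment is informational only — the key packet carries its own creation time, which the unset Config.Time presumably also sets to now — so nothing should later parse it back out of the user ID.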