feat(debian): use explicit, stronger defaults for newly generated repo signing keys (#36236)

Make Debian repository signing key generation use explicit stronger defaults and embed the creation time in the OpenPGP comment for newly created keys. --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-01-01 03:36:14 +01:00 · 2026-01-01 03:36:14 +01:00 · 91d871611e
commit 91d871611e
parent 094104bc91
1 changed files with 9 additions and 1 deletions
--- a/services/packages/debian/repository.go
+++ b/services/packages/debian/repository.go
@ -7,6 +7,7 @@ import (
 	"bytes"
 	"compress/gzip"
 	"context"
+	"crypto"
 	"errors"
 	"fmt"
 	"io"
@ -67,7 +68,14 @@ func GetOrCreateKeyPair(ctx context.Context, ownerID int64) (string, string, err
 }

 func generateKeypair() (string, string, error) {
-	e, err := openpgp.NewEntity("", "Debian Registry", "", nil)
+	// Repository signing keys are long-lived and there is currently no rotation mechanism, choose stronger algorithms
+	cfg := &packet.Config{
+		RSABits:       4096,
+		DefaultHash:   crypto.SHA256,
+		DefaultCipher: packet.CipherAES256,
+	}
+
+	e, err := openpgp.NewEntity("", "Automatically generated Debian Registry Key; created "+time.Now().UTC().Format(time.RFC3339), "", cfg)
 	if err != nil {
 		return "", "", err
 	}