On Tue, 2014-11-11 at 11:47 +0100, Patrick Ohly wrote:
Hello!
I've set up signing of the syncevolution.org repos. The key that I am
using is not signed by anyone, so one has to trust that the initial
download and fingerprint have not been tampered with. At least once that
is done and worked, further manipulations will raise alarms.
To ensure that apt trusts the new key, use (as root):
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys B2EC3981
To verify the key, compare the fingerprint:
apt-key finger
...
pub 4096R/B2EC3981 2014-11-11
Key fingerprint = 5B77 1F15 FA70 1B73 A7DE 180D AE84 A13C B2EC 3981
uid SyncEvolution <syncevolution(a)syncevolution.org>
sub 4096R/2A54FB85 2014-11-11
sub 4096R/5E4ABB95 2014-11-11 [expires: 2015-11-11]
...
Note that I chose to set an expiry date one year from now for the
sub-key that actually gets used to sign the repos. My current
understanding is that one year from now I will have to create a new
sub-key, re-sign the repos and all users must refresh the key from the
key server. Is that too much trouble? Should I rather replace the
sub-key with a permanent one now, before many users add the expiring
one?
As there has been no response and the "experimental" solution is now
already over two months old, I'm going to stick with it.
I'd also like to announce that all SyncEvolution downloads are now
mirrored at:
https://download.01.org/syncevolution/
That is the content delivery network used by Intel's 01.org, which
should be faster for everyone than the single download server used so
far.
http://downloads.syncevolution.org is still around, but users are
encouraged to update their apt source entry so that we might eventually
phase out downloads.syncevolution.org.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
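
The fingerprint comparison described in the message, as an added example that is not part of the original mail: it checks the full 40-digit fingerprint of the primary key in gpg's machine-readable listing instead of relying on the 8-digit ID B2EC3981. The function names, the sample listings and the use of gpg's --show-keys (assumed GnuPG 2.2 or later) are assumptions of this example.

```shell
#!/bin/sh
# Full primary-key fingerprint from the message above, spaces removed.
EXPECTED_FPR="5B771F15FA701B73A7DE180DAE84A13CB2EC3981"

# Print the fingerprint of each primary key in `gpg --with-colons` output on
# stdin: the first "fpr" record after a "pub" record (fingerprint is field 10).
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# Succeed only if stdin lists exactly one primary key and its fingerprint
# equals $1 (spaces and letter case in $1 are ignored).
check_listing() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    primary_fprs | awk -v want="$expected" '
        { n++; if ($0 == want) ok = 1 }
        END { exit !(n == 1 && ok) }
    '
}

# Inspect an exported key file without importing it into any keyring.
# Assumption: GnuPG 2.2 or later, which provides --show-keys.
verify_keyfile() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null |
        check_listing "$EXPECTED_FPR"
}

# Constructed sample listing: key ID and fingerprint come from the message;
# the timestamps and the subkey values are placeholders.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:AE84A13CB2EC3981:1415700000:::-:::scESC:
fpr:::::::::5B771F15FA701B73A7DE180DAE84A13CB2EC3981:
uid:-::::1415700000::::SyncEvolution:
sub:-:4096:1:0000000000000000:1415700000::::::s:
fpr:::::::::0000000000000000000000000000000000000000:
EOF
}

# Constructed listing in which a second, unrelated primary key carries the
# same 8-digit ID; the check must reject it.
colliding_listing() {
    sample_listing
    printf 'pub:-:4096:1:11111111B2EC3981:1415700000:::-:::scESC:\n'
    printf 'fpr:::::::::11111111111111111111111111111111B2EC3981:\n'
}
```

After sourcing the file, `verify_keyfile key.asc` returns 0 only when the file holds exactly that one key; key.asc is a hypothetical file name.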