
Source repo contains obsolete public key for RPM packages

Open mwinkel-dev opened this issue 8 months ago • 0 comments

Affiliation MIT PSFC

Version(s) Affected Found in alpha-7-142-80, but surely exists on all other platforms.

Platform(s) Rocky Linux 9, but applies to other RHEL platforms.

Installation Method(s) n/a

Describe the bug The deploy/platform/redhat/RPM-GPG-KEY-MDSplus file contains a public key that was created on 26-Oct-2011 and is thus obsolete. (The current signing key was generated on 6-Dec-2017.)

To Reproduce Steps to reproduce the behavior:

  1. Create a new GPG keyring
  2. Import the RPM-GPG-KEY-MDSplus file from the source repository
  3. Import the RPM-GPG-KEY-MDSplus file from http://www.mdsplus.org/dist/RPM-GPG-KEY-MDSplus (or the build system)
  4. Run gpg --list-keys and notice the different creation dates

Expected behavior There are two options.

  1. Remove the RPM-GPG-KEY-MDSplus public key from the source repository and instead distribute it via the MDSplus.org web site.
  2. Or update the source repository so it contains the current public key.

Screenshots n/a

Additional context There might be value in saving all public keys used by the MDSplus project. Although unlikely, there might be scenarios that would require a customer to revive / restore an ancient server running a very old version of MDSplus. In that case, they might need the public key used to sign the packages in that old version. Storing the public keys in the source repo is probably more robust than storing them just on www.mdsplus.org or the build system.

If the source repo is used to archive the MDSplus public signing key for the RPM packages, it should probably also archive the key for the DEB packages. Perhaps move all public keys to deploy/public_keys/?

However, the private keys must not be archived in the source repo. The private keys must be stored elsewhere (i.e., call it the "vault"). And it would be wise to store the public keys in the "vault" too. So, perhaps it would be best to remove the public keys from the source repo.

mwinkel-dev, May 30 '24 17:05
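One way to run the comparison from the reproduce steps without touching a live keyring, as an added example that is not part of this issue or of the MDSplus project: it dearmors two key files, reads the creation timestamp and v4 fingerprint straight from the public-key packet (RFC 4880), and reports whether both files carry the same key. The two key texts are constructed toy keys carrying the dates quoted in the issue, not the real MDSplus keys.

```python
import base64, hashlib, struct
from datetime import datetime, timezone

def dearmor(armored: str) -> bytes:
    """Strip an ASCII-armored OpenPGP block down to its binary packets (armor headers and CRC dropped)."""
    body, in_body = [], False
    for line in armored.strip().splitlines()[1:-1]:   # skip the BEGIN/END lines
        if not in_body:
            in_body = line.strip() == ""               # blank line ends the armor headers
            continue
        if line.startswith("="):                       # 24-bit CRC line, not part of the key
            break
        body.append(line.strip())
    return base64.b64decode("".join(body))

def parse_public_key(blob: bytes) -> dict:
    """Read the first packet; it must be a v4 public-key packet (tag 6). Returns creation time and fingerprint."""
    hdr = blob[0]
    if hdr & 0x40:                                     # new-format header (RFC 4880 4.2.2)
        tag, first = hdr & 0x3F, blob[1]
        length, off = (first, 2) if first < 192 else (((first - 192) << 8) + blob[2] + 192, 3) if first < 224 else (struct.unpack(">I", blob[2:6])[0], 6)
    else:                                              # old-format header: low two bits give the length size
        tag, size = (hdr >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[hdr & 3]
        length, off = int.from_bytes(blob[1:1 + size], "big"), 1 + size
    if tag != 6:
        raise ValueError(f"expected public-key packet (tag 6), got tag {tag}")
    body = blob[off:off + length]
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    created = datetime.fromtimestamp(struct.unpack(">I", body[1:5])[0], tz=timezone.utc)
    # v4 fingerprint: SHA-1 over 0x99, the two-byte body length and the packet body (RFC 4880 12.2)
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()
    return {"created": created, "fingerprint": fpr}

def keys_match(a: str, b: str) -> bool:
    """True when both armored files carry the same primary key (identical v4 fingerprint)."""
    return parse_public_key(dearmor(a))["fingerprint"] == parse_public_key(dearmor(b))["fingerprint"]

def make_toy_key(created: datetime) -> str:
    """CONSTRUCTED sample: minimal v4 RSA key packet with toy MPIs, ASCII-armored. Not a real key."""
    mpi = lambda n: struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", int(created.timestamp())) + b"\x01" + mpi(0xC0FFEE) + mpi(65537)
    pkt = base64.b64encode(b"\x99" + struct.pack(">H", len(body)) + body).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n\n{pkt}\n=CRC0\n-----END PGP PUBLIC KEY BLOCK-----\n"

# Constructed stand-ins for the repo copy and the web-site copy, dated as the issue describes.
REPO_KEY = make_toy_key(datetime(2011, 10, 26, tzinfo=timezone.utc))
SITE_KEY = make_toy_key(datetime(2017, 12, 6, tzinfo=timezone.utc))
```

Point `dearmor` at the real RPM-GPG-KEY-MDSplus files instead of the toy keys to check a checkout against the published key; a fingerprint mismatch is the condition this issue reports.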