Re: Verifying GPG keys for Ubuntu install

[Graham Percival <gperciva@tarsnap.com>]

On Fri, Jan 21, 2022 at 10:24:06PM +0000, Brian Foley wrote:
> This was exactly the problem!  I did not realise that i already had the 
> old key in the directory I was working in. Apologies for the silly error!

No problem; this is the second time I've seen it this year, so definitely
something that we should address in some manner.

(Others idea are to warn people about wget's behaviour, or ask them to use
`wget -N url`, or begin by doing `rm tarsnap-deb-packaging-key.asc`.
curl is another option, but last time I checked, it wasn't installed by
default on Debian systems.)

> Having the year in the name would definitely have solved my particular 
> issue, but I can see that this would also be an extra maintenance 
> overhead for you guys.

I'm not too concerned about our overhead; the concern is with other people.
For example, if somebody wants to install the deb package in a container with
their own custom shell script.  At the moment, the instructions can be put
into a shell script without any fuss.

Granted, if we included the year then those custom shell scripts could be
written as:
    year=$(date +%Y)
    wget https://pkg.tarsnap.com/tarsnap-deb-packaging-key-${year}.asc
    gpg --dearmor tarsnap-deb-packaging-key-${year}.asc

etc., so it wouldn't be impossible to manage.

Cheers,
- Graham