
Generate new package signing key before expiration

NOTE: This issue concerns the Package signing keys, not the Repository signing keys. The issue for renewing/extending the repository keys is gitlab-org/distribution/team-tasks#356 (closed)

Original post

Problem statement

The current package signing key will expire on 1 August 2019. After that date, newly published packages will appear as untrusted on installations that still hold the old copy of the public key.

We need to do two things:

  • Start signing packages with a new key
  • Determine the best way to deliver the key to existing installations so they can avoid further manual action
    • One option is a package which can update the keyring, like debian-archive-keyring

Proposed solution

For this iteration, we should:

  1. Research best practices for package signing key lifetimes, verify with security team
  2. Generate a new key with that lifetime
  3. Sign packages going forward with both the old and the new key, so upgrades keep working before the new key has been distributed.
    • Not possible: the Omnibus package signing process does not support signing with two keys.

Actionable work

See this comment from 2019-04-12

Summary:

For now, the most immediately feasible and actionable item is to extend the existing package keys and communicate the changes well.

Action:

  • Extend the expiry of the existing key
  • Issue the new public key (the re-exported key carries the extended-expiry self-signature)
  • Document the additional public signature (signatures on already-published packages cannot be changed)
  • Communicate to users via release posts that v12.0 will be signed with the extended key
  • Create a policy to repeat this process for every major release (via #4283)
  • Update the "manage package signing keys" howto in gitlab-com/runbooks
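The two concrete steps above, extending the existing key and issuing the re-exported public key, can be walked through with GnuPG. The script below is an added example, not GitLab's own signing tooling or runbook: it assumes GnuPG 2.1+ (`gpg`, `gpgconf`) on PATH, uses a constructed identity (`Demo Package Signing <demo@example.invalid>`), and uses `--faked-system-time` to create a key that is already expired today, which is the state the issue describes for 1 August 2019. It then extends the key with a fresh self-signature, signs a stand-in package, and verifies that signature twice: once against the stale public key an installation would still hold, once against the re-exported key.

```shell
#!/bin/sh
# Added example, not GitLab's own tooling: walk through "extend existing key"
# and "issue new public key" with GnuPG, and show why the re-exported public
# key has to reach every installation. Assumes GnuPG 2.1+ (gpg, gpgconf) on
# PATH; everything lives in throwaway keyrings under /tmp.
set -eu

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Constructed identity for the demo key; no relation to GitLab's real key.
SIGNER="Demo Package Signing <demo@example.invalid>"
PKG="$GNUPGHOME/pkg.bin"
SIG="$PKG.asc"

# Create the key as if it had been generated two years ago with a one-year
# lifetime, so that "today" it is already expired.
TWO_YEARS_AGO=$(( $(date +%s) - 2 * 365 * 86400 ))
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --faked-system-time "$TWO_YEARS_AGO" \
    --quick-generate-key "$SIGNER" ed25519 sign 1y 2>/dev/null

# Fingerprint of the primary key (first "fpr" record in colon output).
FPR=$(gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')

# Expiry of the primary key as a Unix timestamp (field 7 of the "pub" record).
key_expiry() {
    gpg --batch --with-colons --list-keys "$FPR" | awk -F: '$1 == "pub" { print $7; exit }'
}

# What installations currently hold: the public key with the original self-signature.
OLD_EXPIRY=$(key_expiry)
gpg --batch --armor --export "$FPR" > "$GNUPGHOME/old-pubkey.asc"

# "Extend existing key": a new self-signature moves the expiry two years out.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-set-expire "$FPR" 2y 2>/dev/null

# "Issue new public key": only a fresh export carries the extended expiry.
NEW_EXPIRY=$(key_expiry)
gpg --batch --armor --export "$FPR" > "$GNUPGHOME/new-pubkey.asc"

# Sign a stand-in package (constructed payload) after the extension.
printf 'constructed package payload\n' > "$PKG"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --local-user "$FPR" --armor --detach-sign --output "$SIG" "$PKG" 2>/dev/null

# Verify $SIG over $PKG in a clean keyring holding only the given public key
# file, as an installation would, and print GnuPG's verdict token:
# GOODSIG for a current key copy, EXPKEYSIG when the held copy has expired.
verify_with() {
    home=$(mktemp -d)
    chmod 700 "$home"
    GNUPGHOME="$home" gpg --batch --quiet --import "$1" 2>/dev/null
    GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$SIG" "$PKG" 2>/dev/null \
        | awk '$1 == "[GNUPG:]" && ($2 == "GOODSIG" || $2 == "EXPKEYSIG" || $2 == "BADSIG" || $2 == "ERRSIG") { print $2; exit }'
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
}

OLD_VERDICT=$(verify_with "$GNUPGHOME/old-pubkey.asc")   # stale copy: EXPKEYSIG
NEW_VERDICT=$(verify_with "$GNUPGHOME/new-pubkey.asc")   # re-exported key: GOODSIG

echo "expiry before extension: $OLD_EXPIRY"
echo "expiry after extension:  $NEW_EXPIRY"
echo "verify with stale public key: $OLD_VERDICT"
echo "verify with re-exported key:  $NEW_VERDICT"
```

The point the script makes is the one behind the "Issue new public key" step: extending a key does not change the key material or its fingerprint, it only adds a self-signature with a later expiry, so a signature made after the extension is cryptographically fine everywhere but is reported as made by an expired key (EXPKEYSIG, the same token apt surfaces) on any installation that never received the re-exported public key. Old packages keep their original signatures, which is why the additional public signature has to be documented rather than re-signed.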
Edited by Jason Plum