Looking for a version with a specific patch

[sabarnou]

Hi, kinda new to this, please bear with me.

Due to this, SHA1 sigs in GPG Keys will be phased out from Debian 13 on the 1st of February.

Sadly, i'm in the uncomfortable situation where I need to prepare for the change at my company (maintenance of the aptly platforms were handed to me a month ago, still figuring out some things).

I stumbled on this #1479 and, if I understood it right, it will give me the option to keep the old key while configuring a new, more secure, one. Did I got that right ?

Now, while I wait for a release, is there a nightly version with this patch I can use on a testing environment so that I can prepare for the move ?

I've tried some nightlies last week but it seems the PR isn't in it yet.

[neolynx]

Hi @sabarnou !

The PR will be merged soon, I hope this addresses the issue, but @abregar might know more...

Once merged, there will be a CI build, until then you could try the build from Artifacts in the PR itself: https://github.com/aptly-dev/aptly/actions/runs/21112952889?pr=1479

[sabarnou]

Great, exactly what I needed !
I'll look into those builds. Thanks !

[abregar]

Hi, dropping a line here @sabarnou. I was in a similar situation myself, and smoothly transitioning to a more secure GPG key with dual signatures saved the day. I’m currently running the nightly build with this ticket resolved, and it has been running smoothly in production for several months.

And I’m looking forward to seeing this included in a released version. @neolynx, with the latest contribution I see increased coverage — do you think this is sufficient for release, or would additional contributions be appreciated?