- Type: Bug
- Status: Resolved
- Priority: Blocker
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: None
- Component/s: None
- Labels: None
Migration is not done properly during a (ZSK) rollover. The new ZSK will be marked OO instead of OR. The old key will then be retracted, but there are still signatures made with it.
The migration script is at fault. Also, we need to consider how the enforcer signals the signer not to use a key at all. The signconf still had the key, but without the publish or active flag. This means for the signer that it is allowed to keep the signatures. How to fix this?