[Bug 1809027] Re: Make retired Ubuntu keyrings available from the archive
Dan Watkins
daniel.watkins at canonical.com
Tue Dec 18 19:09:33 UTC 2018
** Description changed:
Currently, if an Ubuntu developer (or their code) is attempting to
interact with the precise archive (which is still supported in some form
via ESM) from a machine running bionic or later, they will run in to
issues verifying signatures, because the keys used to sign the precise
archive are no longer included in the default keyring as of bionic.
+
+ (Some form of this problem will present every time an archive key
+ rotation happens; eventually the old key will no longer be trusted, and
+ similar failures to the ones today will occur.)
Whilst the old keys should never be used by the system's apt (or other
installed software), it would be good if there were some way to install
those keys from the archives for projects which knowingly want to use
the older signatures. (The old keys should be in a path that isn't
currently used by anything, so that they have to be explicitly used.)
(This bug came out of a discussion on
https://code.launchpad.net/~smoser/vmbuilder/mfdiff-apt-key-
transition/+merge/313797.)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1809027
Title:
Make retired Ubuntu keyrings available from the archive
Status in ubuntu-keyring package in Ubuntu:
New
Bug description:
Currently, if an Ubuntu developer (or their code) is attempting to
interact with the precise archive (which is still supported in some
form via ESM) from a machine running bionic or later, they will run
into issues verifying signatures, because the keys used to sign the
precise archive are no longer included in the default keyring as of
bionic.
(Some form of this problem will present every time an archive key
rotation happens; eventually the old key will no longer be trusted,
and similar failures to the ones today will occur.)
Whilst the old keys should never be used by the system's apt (or other
installed software), it would be good if there were some way to
install those keys from the archives for projects which knowingly want
to use the older signatures. (The old keys should be in a path that
isn't currently used by anything, so that they have to be explicitly
used.)
(This bug came out of a discussion on
https://code.launchpad.net/~smoser/vmbuilder/mfdiff-apt-key-transition/+merge/313797.)