[Bug 1798073] [NEW] [SRU] Provide 2018 archive signing key on stable releases
Dimitri John Ledkov
launchpad at surgut.co.uk
Tue Oct 16 11:56:08 UTC 2018
*** This bug is a security vulnerability ***

Public security bug reported:

[Impact]

 * For LTS releases to be able to bootstrap dual and single signed
   future releases, and validate all signatures, 2018 archive signing key
   should be SRUed back

 * Also build process has improved documentation and vague validation
   that all key snippets are signed correctly

[Test Case]

 * $ apt-key list
   ...
   /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
   ------------------------------------------------------
   pub rsa4096 2018-09-17 [SC]
   F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
   uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster at ubuntu.com>
   ...

   apt-key list should contain the 2018 archive key.

[Regression Potential]

 * Build-process, key algo, and key size, and file format are the same
   as previous key snippets thus supported by all of gpg1 gpg2 gpgv1 gpgv2.

[Other Info]

 * 2018 key is to be used for dual-signing in DD series and up

 * Bileto PPA is built against security pocket only, suitable to be
   released into both -security and -updates

** Affects: ubuntu-keyring (Ubuntu)
   Importance: Undecided
   Status: Fix Released

** Affects: ubuntu-keyring (Ubuntu Bionic)
   Importance: Undecided
   Status: In Progress
** Description changed:
[Impact]
- * For LTS releases to be able to bootstrap dual and single signed
+ * For LTS releases to be able to bootstrap dual and single signed
future releases, and validate all signatures, 2018 archive signing key
should be SRUed back
- * Also build process has improved documentation and vague validation
+ * Also build process has improved documentation and vague validation
that all key snippets are signed correctly
[Test Case]
- * $ apt-key list
+ * $ apt-key list
...
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
- F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
+ F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster at ubuntu.com>
...
apt-key list should contain the 2018 archive key.
+ [Regression Potential]
- [Regression Potential]
-
- * Build-process, key algo, and key size, and file format are the same
+ * Build-process, key algo, and key size, and file format are the same
as previous key snippets thus supported by all of gpg1 gpg2 gpgv1 gpgv2.
[Other Info]
-
- * 2018 key is to be used for dual-signing in DD series and up
+
+ * 2018 key is to be used for dual-signing in DD series and up
+
+ * Bileto PPA is built against security pocket only, suitable to be
+ released into both -security and -updates
** Information type changed from Public to Public Security
** Also affects: ubuntu-keyring (Ubuntu Bionic)
Importance: Undecided
Status: New
** Changed in: ubuntu-keyring (Ubuntu)
Status: New => Fix Released
** Changed in: ubuntu-keyring (Ubuntu Bionic)
Status: New => In Progress
https://bugs.launchpad.net/bugs/1798073
Title:
[SRU] Provide 2018 archive signing key on stable releases
Status in ubuntu-keyring package in Ubuntu:
Fix Released
Status in ubuntu-keyring source package in Bionic:
In Progress
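The test case in the report only checks that the 2018 key appears in the listing. As an added example (not part of the bug report or of the ubuntu-keyring package), the script below compares the primary-key fingerprint and the rsa4096 type given in the report against a machine-readable gpg listing. The function names, exit codes and the sample listing (including its timestamp) are constructed for illustration.

```shell
#!/bin/sh
# Fingerprint and keyring path are copied from the bug's test case.
EXPECTED_FPR="F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C"
KEYRING="/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg"

# check_listing FPR: reads a `gpg --with-colons` key listing on stdin.
# Exit 0: a primary key with that fingerprint is present and is RSA 4096.
# Exit 2: no primary key has that fingerprint.
# Exit 3: the fingerprint matches but algorithm or size is not rsa4096.
check_listing() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub" { primary = 1; bits = $3; algo = $4; next }
        $1 == "sub" { primary = 0; next }
        # An fpr record belongs to the pub or sub record just before it;
        # only the primary-key fingerprint identifies the trusted key.
        $1 == "fpr" && primary {
            if ($10 == want) { found = 1; ok = (algo == 1 && bits == 4096) }
            primary = 0
        }
        END { if (!found) exit 2; if (!ok) exit 3 }
    '
}

# check_keyring [FILE]: run the same check against a keyring file on disk.
check_keyring() {
    gpg --no-default-keyring --keyring "${1:-$KEYRING}" \
        --with-colons --fingerprint 2>/dev/null | check_listing "$EXPECTED_FPR"
}

# Constructed sample of colon-format output for the key in the report
# (the creation timestamp is a made-up value on 2018-09-17).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:871920D1991BC93C:1537142400:::-:::scSC::::::23::0:
fpr:::::::::F6ECB3762474EDA9D21B7022871920D1991BC93C:
uid:-::::1537142400::::Ubuntu Archive Automatic Signing Key (2018)::::::::::0:
EOF
}

sample_listing | check_listing "$EXPECTED_FPR" && echo "sample: 2018 key present"
```

On a real system, `check_keyring` with no argument inspects the keyring file named in the test case and returns the same exit codes.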