[Bug 2073126] Re: Only revoke RSA explicitly

Julian Andres Klode 2073126 at bugs.launchpad.net
Mon Jul 15 17:30:11 UTC 2024


With the change we have added all curves with 256 or more bits to the assertion:

    APT::Key::Assert-Pubkey-Algo ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1";

We are also introducing a new next level:

    APT::Key::Assert-Pubkey-Algo::Next ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512";

- keys not falling into this string produce a warning.

As well as a 'future' level:

    APT::Key::Assert-Pubkey-Algo::Future ">=rsa3072,ed25519,ed448";

- keys not falling into this string produce an --audit message only.

** Summary changed:

- Only revoke RSA explicitly
+ More nuanced public key algorithm revocation

** Also affects: apt (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: apt (Ubuntu Oracular)
   Importance: Undecided
     Assignee: Julian Andres Klode (juliank)
       Status: New

** Changed in: apt (Ubuntu Noble)
    Milestone: None => ubuntu-24.04.1

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2073126

Title:
  More nuanced public key algorithm revocation

Status in apt package in Ubuntu:
  New
Status in apt source package in Noble:
  New
Status in apt source package in Oracular:
  New

Bug description:
  APT 2.9.x and 2.8.0 revoke any of the non-asserted algorithms, we
  should modify the mechanism such that only RSA1024 is raised to an
  error to avoid unwanted regressions while still keeping the set of
  fully supported algorithms small.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2073126/+subscriptions
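As an added illustration of how the three assertion levels described in this report combine, the following is example code written for this page, not apt's implementation: it takes a key's algorithm name in the form apt prints it (e.g. "rsa2048") and reports whether the key would hit the error, warning, or audit-only tier. The ">=" comparison semantics (same alphabetic family, key size at least the threshold) are an assumption of the example.

```python
import re

# The three assertion levels, copied from the bug report into a dict
# (constructed config for this example; apt reads them from apt.conf).
POLICY = {
    "APT::Key::Assert-Pubkey-Algo":
        ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,"
        "brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1",
    "APT::Key::Assert-Pubkey-Algo::Next":
        ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512",
    "APT::Key::Assert-Pubkey-Algo::Future":
        ">=rsa3072,ed25519,ed448",
}

# Splits an algorithm name into its alphabetic family and trailing bit count,
# e.g. "rsa2048" -> ("rsa", "2048").  Assumption: this is how ">=" entries
# are compared; apt's own parser may differ.
_ALGO_RE = re.compile(r"^([A-Za-z]+)(\d*)$")


def entry_matches(entry: str, key_algo: str) -> bool:
    """True if one comma-separated assertion entry accepts key_algo."""
    entry = entry.strip()
    if entry.startswith(">="):
        want = _ALGO_RE.match(entry[2:])
        have = _ALGO_RE.match(key_algo)
        if want is None or have is None or have.group(2) == "":
            return False  # malformed entry or a key name without a size
        return (want.group(1).lower() == have.group(1).lower()
                and int(have.group(2)) >= int(want.group(2)))
    return entry.lower() == key_algo.lower()  # exact-name entry


def assertion_accepts(assertion: str, key_algo: str) -> bool:
    """True if any entry of the assertion string accepts the key."""
    return any(entry_matches(e, key_algo) for e in assertion.split(",") if e)


def classify(key_algo: str, policy: dict = POLICY) -> str:
    """Map a key algorithm to the tier it lands in: 'error' (fails the base
    assertion), 'warning' (fails ::Next), 'audit' (fails ::Future, reported
    only with --audit), or 'ok'."""
    if not assertion_accepts(policy["APT::Key::Assert-Pubkey-Algo"], key_algo):
        return "error"
    if not assertion_accepts(policy["APT::Key::Assert-Pubkey-Algo::Next"], key_algo):
        return "warning"
    if not assertion_accepts(policy["APT::Key::Assert-Pubkey-Algo::Future"], key_algo):
        return "audit"
    return "ok"
```

Note that with these levels an RSA 2048 key passes the base assertion and ::Next but not ::Future, so it is reported only under --audit, while RSA 1024 is the one size that errors.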