[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys
Dmitry Lapshin
2065932 at bugs.launchpad.net
Sun Sep 1 13:19:13 UTC 2024
I believe there is a misunderstanding of the issue:
1. Yes, said archive is dual signed by two keys, one of them is 1024 rsa.
2. apt-add-repository for me added the strong 4096 rsa key in the sources.list.d file. It can be checked by just copying the key block out and feeding it into gpg, it shows it's a public key F911AB184317630C59970973E363C90F8F1B6217 rsa4096.
3. APT, when checking the InRelease file, trusts it (and it could only become trusted with the strong key signature, the only it knows), but also sees a second signature with a week algorithm. Emits a warning.
So, I only see a false warning for the user: the system is safe using
the stronger key, and the legacy signature raises a warning that
shouldn't be used anyway. But older systems that don't use 4096 rsa keys
yet would see two signatures, one of them they trust (even if it's weak,
HERE the warning if not rejection would be appropriate) and also another
one that they don't trust since they don't know of it yet (that may
raise a message that while the signature we trust is weak there seem to
be a better one, go check the source).
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to software-properties in Ubuntu.
https://bugs.launchpad.net/bugs/2065932
Title:
Only adds the weak key for PPAs dual-signed with both weak and strong
keys
Status in software-properties package in Ubuntu:
Confirmed
Bug description:
After running ‘add-apt-repository ppa:git-core/ppa’ on Ubuntu 24.04,
‘apt update’ gives this warning:
W: https://ppa.launchpadcontent.net/git-
core/ppa/ubuntu/dists/noble/InRelease: Signature by key
E1DD270288B4E6030699E45FA1715D88E1DF1F24 uses weak algorithm (rsa1024)
But this PPA is dual-signed by two keys, only one of which is weak.
add-apt-repository has chosen to install the rsa1024 key in
sources.list.d. It should choose the rsa4096 key instead.
$ curl 'https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease' | gpgv
…
gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT
gpg: using RSA key F911AB184317630C59970973E363C90F8F1B6217
gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F911 AB18 4317 630C 5997 0973 E363 C90F 8F1B 6217
gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT
gpg: using RSA key E1DD270288B4E6030699E45FA1715D88E1DF1F24
gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E1DD 2702 88B4 E603 0699 E45F A171 5D88 E1DF 1F24
$ gpg --list-keys F911AB184317630C59970973E363C90F8F1B6217 E1DD270288B4E6030699E45FA1715D88E1DF1F24
pub rsa1024 2009-01-22 [SC]
E1DD270288B4E6030699E45FA1715D88E1DF1F24
uid [ unknown] Launchpad PPA for Ubuntu Git Maintainers
pub rsa4096 2024-04-24 [SC]
F911AB184317630C59970973E363C90F8F1B6217
uid [ unknown] Launchpad PPA for Ubuntu Git Maintainers
Context: https://discourse.ubuntu.com/t/new-requirements-for-apt-
repository-signing-in-24-04/42854
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/2065932/+subscriptions
More information about the foundations-bugs
mailing list