[Merge] lp:~xnox/ubuntu-archive-publishing/gnupg2 into lp:ubuntu-archive-publishing
Steve Langasek
steve.langasek at canonical.com
Fri Nov 4 14:47:20 UTC 2016
Review: Needs Fixing
Diff comments:
> === modified file 'publish-distro.d/10-sign-releases'
> --- publish-distro.d/10-sign-releases 2016-06-20 17:40:52 +0000
> +++ publish-distro.d/10-sign-releases 2016-11-03 23:00:00 +0000
> @@ -33,10 +33,16 @@
> case $LPCONFIG in
> ftpmaster-publish)
> case "$series:$1" in
> - warty:*|hoary:*|breezy:*|dapper:*|edgy:*|feisty:*|gutsy:*|hardy:*|intrepid:*|jaunty:*|karmic:*|lucid:*|maverick:*|natty:*|oneiric:*|precise:*|*:*/dist-upgrader*)
> - printf '%s\n' "-u 437D05B5"
> - ;;
> - *)
> + # Use 1024 key for old releases
> + warty:*|hoary:*|breezy:*|dapper:*|edgy:*|feisty:*|gutsy:*|hardy:*|intrepid:*|jaunty:*|karmic:*|lucid:*|maverick:*|natty:*|oneiric:*|precise:*)
> + printf '%s\n' "-u 437D05B5"
> + ;;
> + # Use single-signature, old 1024 key, for dist-upgrade tarballs (historical)
> + quantal:*/dist-upgrader*|raring:*/dist-upgrader*|saucy:*/dist-upgrader*|trusty:*/dist-upgrader*|utopic:*/dist-upgrader*|vivid:*/dist-upgrader*|wily:*/dist-upgrader*|xenial:*/dist-upgrader*|yakkety:*/dist-upgrader*)
This leaves us still trusting the 1024-bit key for dist-upgrades from trusty to xenial. That shouldn't be necessary, when trusty already knows about the new key. I would like to see us using the 4096 key at least for xenial and later dist-upgrader tarballs.
> + printf '%s\n' "-u 437D05B5"
> + ;;
> + # Use dual-signatures for the archive, for a transitioning period
> + quantal:*|raring:*|saucy:*|trusty:*|utopic:*|vivid:*|wily:*|xenial:*|yakkety:*)
> # 437D05B5 and C0B21F32 have different digest
> # preferences. GnuPG refuses to consider multiple
> # signatures unless they use the same signature
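Review bot: the two series lists in this hunk are order-dependent, and that is not stated anywhere. The plain `quantal:*|raring:*|...|yakkety:*` pattern would also match `quantal:*/dist-upgrader*`, so the single-signature dist-upgrader branch only works because it comes first in the `case`; a later reordering or an edit that extends one list but not the other would silently switch dist-upgrader tarballs to dual signatures. Suggest a comment above the dist-upgrader branch saying it must stay ahead of the archive branch and that both lists are meant to cover the same series. Also worth noting that dropping the former `*:*/dist-upgrader*` catch-all means dist-upgrader tarballs for any series not enumerated here now fall through to the `case` default, which should be a deliberate choice.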
> @@ -48,6 +54,10 @@
> # SHA-512 for both.
> printf '%s\n' "-u 437D05B5 -u C0B21F32 --digest-algo SHA512"
Let's use the long key id here too for consistency, please (rather than short id here, long id for same key below)
> ;;
> + *)
> + # For zesty and up, including dist-upgrade tarballs, use 2012 4k RSA key only
> + printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
> + ;;
> esac
> ;;
> derived-distro-publish)
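Review bot: the comment on the new `*)` branch, "For zesty and up, including dist-upgrade tarballs", understates what the branch does: it is the default for every `$series:$1` value not matched above, so a misspelt or unlisted series in the dual-signature pattern would silently be signed with the single 4096-bit key only, without the 437D05B5 signature older clients may still require. Suggest rewording the comment to say it is the catch-all for any series not listed above, so the fall-through behaviour is explicit to whoever next edits the series lists.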
--
https://code.launchpad.net/~xnox/ubuntu-archive-publishing/gnupg2/+merge/307171