[Merge] lp:~xnox/ubuntu-archive-publishing/migrate-dist-upgrade-to-4k into lp:ubuntu-archive-publishing

Steve Langasek steve.langasek at canonical.com
Thu Nov 17 19:06:43 UTC 2016



Diff comments:

> === modified file 'publish-distro.d/10-sign-releases'
> --- publish-distro.d/10-sign-releases	2016-11-03 22:59:49 +0000
> +++ publish-distro.d/10-sign-releases	2016-11-17 17:24:04 +0000
> @@ -35,13 +35,17 @@
>  		case "$series:$1" in
>  		    # Use 1024 key for old releases
>  		    warty:*|hoary:*|breezy:*|dapper:*|edgy:*|feisty:*|gutsy:*|hardy:*|intrepid:*|jaunty:*|karmic:*|lucid:*|maverick:*|natty:*|oneiric:*|precise:*)
> -			printf '%s\n' "-u 437D05B5"
> -			;;
> -		    # Use single-signature, old 1024 key, for dist-upgrade tarballs (historical)
> -		    quantal:*/dist-upgrader*|raring:*/dist-upgrader*|saucy:*/dist-upgrader*|trusty:*/dist-upgrader*|utopic:*/dist-upgrader*|vivid:*/dist-upgrader*|wily:*/dist-upgrader*|xenial:*/dist-upgrader*|yakkety:*/dist-upgrader*)
> -			printf '%s\n' "-u 437D05B5"
> -			;;
> -		    # Use dual-signatures for the archive, for a transitioning period
> +			printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5"
> +			;;
> +		    # Use single-signature, old 1024 key, for upgrades from distributions with 1k key only
> +		    quantal:*/dist-upgrader*|raring:*/dist-upgrader*|saucy:*/dist-upgrader*|trusty:*/dist-upgrader*)
> +			printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5"
> +			;;
> +		    # Use single-signature, new 4096 key, for upgrades from distributions with 4k present
> +		    utopic:*/dist-upgrader*|vivid:*/dist-upgrader*|wily:*/dist-upgrader*|xenial:*/dist-upgrader*|yakkety:*/dist-upgrader*)
> +			printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"                

This key's digest preferences are:
     Digest: SHA256, SHA1, SHA384, SHA512, SHA224
The comments in the script note that we have to specify the digest-algo for the dual signature case because the keys have different preferences.  But is there any reason we shouldn't update the keys' preferences instead of hard-coding it in the script?

> +			;;
> +		    # Use dual-signatures for the archive, for a transitioning period, to allow e.g. precise .0 to bootstrap any of these
>  		    quantal:*|raring:*|saucy:*|trusty:*|utopic:*|vivid:*|wily:*|xenial:*|yakkety:*)
>  			# 437D05B5 and C0B21F32 have different digest
>  			# preferences.  GnuPG refuses to consider multiple
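Review bot: The two dist-upgrader arms match on `$series`, the series whose tarball is being signed, but the new comments justify the key choice by which distributions are being upgraded from ("with 1k key only" / "with 4k present"), so the split between `trusty:*/dist-upgrader*` and `utopic:*/dist-upgrader*` cannot be checked from the script alone. Please have each comment name the releases that actually verify that tarball and which key their keyring carries. Two smaller points: the added `printf` line for the 4096 key ends in trailing whitespace after the closing quote, and the unchanged comment in the dual-signature arm still refers to the keys by the short IDs 437D05B5 and C0B21F32 while the changed `-u` arguments now use full fingerprints; using the full fingerprints there too would keep the file consistent.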


-- 
https://code.launchpad.net/~xnox/ubuntu-archive-publishing/migrate-dist-upgrade-to-4k/+merge/311181
Your team Ubuntu Package Archive Administrators is requested to review the proposed merge of lp:~xnox/ubuntu-archive-publishing/migrate-dist-upgrade-to-4k into lp:ubuntu-archive-publishing.


