Rejecting SHA1-signed repositories by default (Ubuntu edition)

Julian Andres Klode juliank at ubuntu.com
Thu Nov 24 07:39:18 UTC 2016


On Wed, Nov 23, 2016 at 04:46:57PM -0800, Seth Arnold wrote:
> On Thu, Nov 24, 2016 at 01:19:12AM +0100, Julian Andres Klode wrote:
> > as previously (sort of) announced I want to turn off SHA1 on January 1st
> > by default in apt (in the 1.2 and 1.3 series xenial/yakkety ship). We
> > already turned this off for fields inside the (meta) index files,
> > this step now involves rejecting SHA1-based GPG signatures as well.
> 
> > The idea is that SHA1 gets rejected by default, but the
> > error may be lowered to a warning instead. I do not intend
> 
> Hello Julian, thanks for working on this.
> 
> Currently retrieving 12.04 LTS package listings using 16.04 LTS's apt
> packaging results in warnings like the following:
> 
> W: http://mirrors.kernel.org/ubuntu/dists/precise-updates/InRelease:
> Signature by key 630239CC130E1A7FD81A27B140976EAF437D05B5 uses weak digest
> algorithm (SHA1)
> 
> It'd be nice if the 'fail' could be configured per-release or per-deb
> lines or something similar, so that I could still retrieve information
> about older releases but newer releases get the enforced better security.

I'd like that, but we don't have a mechanism for that in place, so it's
really only a sensible wish for 1.4/zesty (and possibly 1.3/yakkety, which
has some toggles to allow unsigned/weak signed repos already).

> 
> (Since 12.04 LTS EOLs in ~six months maybe this isn't worth addressing.
> But I wanted to mention it all the same.)
> 
> May I also ask for the Valid-Until: lines to be turned on for zesty and
> newer releases at the same time? I've heard various reasons why we don't
> use it:

That would be nice IMO. APT supports it already, so it's only a matter
of turning it on in the archive.

> 
> - An attacker could simply supply valid lists from before we started
>   enforcing valid-until

That's a thing we can fix:

Just reject downgrading from a Release file with Valid-Until
to one without Valid-Until (this means you can't ever remove a
Valid-Until field again, but you can of course set it to a very
far future like the year 9999 or something).

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.
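The downgrade rule Julian proposes above (once a suite's Release file has carried Valid-Until, a replacement without it is refused) is small enough to show in full. The following is an added illustration written for this page, not apt's own code: it parses the header fields of a constructed Release stanza, applies the ordinary Valid-Until expiry check, and then applies the no-downgrade rule against the previously cached Release. The sample Release texts, the suite name and the `NOW` timestamp are constructed for the example; the far-future Valid-Until follows the "year 9999" suggestion in the thread.

```python
"""Valid-Until handling for apt Release files: the expiry check plus the
no-downgrade rule proposed in the thread. Example code, not apt's own."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


class ReleaseRejected(Exception):
    """Raised when a Release file must not be accepted."""


def parse_release(text):
    """Parse the top-level 'Field: value' lines of a Release/InRelease stanza.
    Indented continuation lines (the per-file hash lists) are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line[0] in " \t":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _parse_date(value):
    """Release files carry RFC 2822 dates, e.g. 'Wed, 23 Nov 2016 12:00:00 UTC'."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:  # a '-0000' zone yields a naive datetime; treat it as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_valid_until(fields, now):
    """Reject a Release whose Valid-Until lies in the past."""
    if "Valid-Until" in fields and _parse_date(fields["Valid-Until"]) < now:
        raise ReleaseRejected("Release file expired (Valid-Until %s)" % fields["Valid-Until"])


def check_no_downgrade(old_fields, new_fields):
    """The rule from the thread: if the cached Release for this suite carried
    Valid-Until, a replacement that lacks the field is refused, so a Release
    from before enforcement began cannot replace one that was enforced."""
    if old_fields is not None and "Valid-Until" in old_fields and "Valid-Until" not in new_fields:
        raise ReleaseRejected("Release file dropped Valid-Until; refusing downgrade")


def validate_release(new_text, cached_text=None, now=None):
    """Return the parsed fields of new_text if acceptable, else raise ReleaseRejected."""
    now = now or datetime.now(timezone.utc)
    new_fields = parse_release(new_text)
    old_fields = parse_release(cached_text) if cached_text is not None else None
    check_valid_until(new_fields, now)
    check_no_downgrade(old_fields, new_fields)
    return new_fields


def is_rejected(new_text, cached_text=None, now=None):
    """Convenience predicate: True if validate_release refuses the new Release."""
    try:
        validate_release(new_text, cached_text, now)
    except ReleaseRejected:
        return True
    return False


# Constructed sample data (hash value below is the SHA-256 of an empty file).
NOW = datetime(2016, 11, 24, 7, 39, 18, tzinfo=timezone.utc)

CURRENT_RELEASE = """Origin: Ubuntu
Suite: example-updates
Date: Wed, 23 Nov 2016 12:00:00 UTC
Valid-Until: Wed, 30 Nov 2016 12:00:00 UTC
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""

# Same suite, but a Release from before Valid-Until was switched on.
OLD_RELEASE_NO_EXPIRY = """Origin: Ubuntu
Suite: example-updates
Date: Mon, 01 Aug 2016 12:00:00 UTC
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""

# The "set it to the year 9999" option from the thread.
FAR_FUTURE_RELEASE = """Origin: Ubuntu
Suite: example-updates
Date: Thu, 24 Nov 2016 12:00:00 UTC
Valid-Until: Fri, 31 Dec 9999 23:59:59 UTC
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""

if __name__ == "__main__":
    print("fresh fetch accepted:", not is_rejected(CURRENT_RELEASE, None, NOW))
    print("old unexpiring Release over cached one rejected:",
          is_rejected(OLD_RELEASE_NO_EXPIRY, CURRENT_RELEASE, NOW))
    print("far-future Valid-Until accepted:",
          not is_rejected(FAR_FUTURE_RELEASE, CURRENT_RELEASE, NOW))
```

Note that `OLD_RELEASE_NO_EXPIRY` is accepted when there is no cached Release at all; that is exactly the gap Seth describes, and the no-downgrade rule only closes it once a Valid-Until Release has been seen for the suite.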