Bumping apt RSA key length requirements to 3072-bit (2048 w/ warning) for 24.04

Brian Murray brian at canonical.com
Tue Jan 23 17:08:29 UTC 2024

On Thu, Jan 18, 2024 at 07:01:48PM +0100, Julian Andres Klode wrote:
> Hi,
> we just noticed again that we are still trusting 1024R keys for
> signing repositories in APT, arguably because we do not have a
> means to tell gpgv the minimum key size.
> While the upstream bug[0] is being worked on,
> I have written a hack[1] that - if APT_SIGNING_REQUIREMENTS_HACK
> environment variable is set - makes gpgv error out on keys smaller
> than 2048R and warn on keys smaller than 3072R (following the
> current OpenPGP draft size length requirements, 3072 is a SHOULD,
> 2048 a MUST).
> I have also written code in APT to actually parse GPG error and
> warning status messages, and set the environment variable.[2]
> Sadly shipping this in 24.04 means that PPAs owned by user
> accounts created prior to 2014-03-11[3] until the key rotation
> mechanism(s) [4][5] have been implemented.

I think there is a word missing in the above paragraph. What
specifically will happen to PPAs owned by user accounts created prior to

Brian Murray
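The thresholds Julian's message describes (error below 2048-bit RSA, warn below 3072-bit) can be checked directly against the key material rather than through gpgv. The following is an added example, not code from APT, gpgv or the thread: a minimal OpenPGP packet walker (RFC 4880 framing) that reads the modulus bit length from each RSA public key or subkey packet in a binary keyring and classifies it against those two sizes. The keyring it audits is constructed inline with placeholder moduli, so the key bytes are not real keys; the `error`/`warning`/`ok` labels and the helper names are this example's own.

```python
import struct
from typing import Iterator, List, Optional, Tuple

# Sizes taken from the thread: 2048 is a MUST (error below), 3072 a SHOULD (warn below).
MUST_BITS = 2048
SHOULD_BITS = 3072

PUBKEY_TAG = 6        # public-key packet
PUBSUBKEY_TAG = 14    # public-subkey packet
RSA_ALGOS = {1, 2, 3}  # RSA (encrypt or sign), RSA encrypt-only, RSA sign-only


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each packet; old- and new-format headers (RFC 4880 4.2).
    Partial and indeterminate body lengths are rejected rather than guessed."""
    pos, end = 0, len(data)
    while pos < end:
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            first = data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: length type in the low two bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hdr = data[pos + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[pos + 1:pos + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[pos + 1:pos + 5])[0], 5
            else:
                raise ValueError("indeterminate packet length not supported")
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag, body
        pos += hdr + length


def rsa_key_bits(body: bytes) -> Optional[int]:
    """Bit length of the modulus n in a v4 RSA key packet, or None if not v4 RSA.
    Layout: version(1) creation-time(4) algo(1) then MPIs; an MPI starts with
    a two-octet bit count that excludes leading zero bits (RFC 4880 3.2)."""
    if len(body) < 8 or body[0] != 4 or body[5] not in RSA_ALGOS:
        return None
    return struct.unpack(">H", body[6:8])[0]


def classify(bits: int) -> str:
    """Map a modulus size to the thread's policy labels (names are this example's)."""
    if bits < MUST_BITS:
        return "error"
    if bits < SHOULD_BITS:
        return "warning"
    return "ok"


def audit_keyring(data: bytes) -> List[Tuple[str, int, str]]:
    """Return (packet kind, bits, verdict) for every RSA key/subkey in the keyring."""
    out = []
    for tag, body in iter_packets(data):
        if tag not in (PUBKEY_TAG, PUBSUBKEY_TAG):
            continue
        bits = rsa_key_bits(body)
        if bits is not None:
            out.append(("subkey" if tag == PUBSUBKEY_TAG else "key", bits, classify(bits)))
    return out


def make_rsa_pubkey_packet(bits: int, new_format: bool = False) -> bytes:
    """Constructed v4 RSA public-key packet with a placeholder modulus of exactly
    `bits` bits (not a real key); e = 65537. Used only to build sample input."""
    assert bits % 8 == 0
    n = b"\x80" + b"\x11" * (bits // 8 - 1)          # top bit set, so bit count == bits
    body = (b"\x04" + b"\x00" * 4 + b"\x01" + struct.pack(">H", bits) + n
            + struct.pack(">H", 17) + b"\x01\x00\x01")  # e = 0x010001 is 17 bits
    if new_format:
        ln = len(body)
        hdr = bytes([0xC0 | PUBKEY_TAG]) + (bytes([ln]) if ln < 192
              else bytes([((ln - 192) >> 8) + 192, (ln - 192) & 0xFF]))
        return hdr + body
    return bytes([0x80 | (PUBKEY_TAG << 2) | 1]) + struct.pack(">H", len(body)) + body


# Constructed sample keyring: one 1024-bit, one 2048-bit and one 4096-bit placeholder key.
SAMPLE_KEYRING = (make_rsa_pubkey_packet(1024, new_format=True)
                  + make_rsa_pubkey_packet(2048, new_format=True)
                  + make_rsa_pubkey_packet(4096))

if __name__ == "__main__":
    for kind, bits, verdict in audit_keyring(SAMPLE_KEYRING):
        print("%s %dR: %s" % (kind, bits, verdict))
```

Run against a real binary keyring (for example a file from `/etc/apt/trusted.gpg.d/`) the same `audit_keyring` call lists which signing keys would fall under the error and warning cases of the proposed policy; ASCII-armored keys would first need dearmoring, which this example does not do.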
