Bumping apt RSA key length requirements to 3072-bit (2048 w/ warning) for 24.04

Michael Hudson-Doyle michael.hudson at canonical.com
Wed Jan 24 03:50:48 UTC 2024

On Tue, 23 Jan 2024 at 02:31, Jeremy Bícha <jeremy.bicha at canonical.com>

> On Mon, Jan 22, 2024 at 7:36 AM Dimitri John Ledkov
> <dimitri.ledkov at canonical.com> wrote:
> > > Sadly shipping this in 24.04 means that PPAs owned by user
> > > accounts created prior to 2014-03-11[3] until the key rotation
> > > mechanism(s) [4][5] have been implemented.
> > >
> >
> > I do wonder how many active old PPA owners remain in action.
> >
> > And if we can reset per-series signing keys on all of those for any
> > new PPAs, and noble series (meaning single signer, new key for noble+).
> >
> > I have personally created a new team for myself, only added myself to
> > be a member of said team, to gain access to PPAs signed with 4k RSA
> > key, as I can no longer use my own ppas. I guess I should ask to
> > delete them all, and request removal of the signing key to gain back
> > personal PPAs with 4k signing key.
> Many of Ubuntu's core teams are older than 2014. This includes
> Desktop, Checkbox, Kernel, Pythoneers, Security, Mozilla, LibreOffice,
> Kubuntu, Lubuntu.
> I suspect that this change would break most of the heaviest used PPAs.
> We need a coordinated transition.

I agree with Jeremy that we can't just blithely assume all PPAs created
before 2014 are no longer much used.

Unfortunately I don't know what that means for a way forward. Clearly 1024R
keys should be retired. From one angle, I can imagine a scheme where a repo
is dual-signed and signs the new key with the old to convince apt to update
it, but from another this seems impossible (and clearly very unlikely to
land before noble GA).
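As an added illustration of the policy under discussion (not part of this thread or of apt/Launchpad code), the script below reads GnuPG's machine-readable `--with-colons` key listing and flags every RSA primary key or subkey against the subject-line thresholds; the thresholds, the constructed sample listing and the `audit_keyfile` helper are assumptions, and apt's exact behaviour may differ in detail.

```python
"""Audit apt/PPA signing keys against the RSA key-length policy in this thread.

Assumed thresholds follow the subject line: 3072-bit required, 2048-bit
accepted with a warning, anything shorter rejected.  Input is GnuPG's
"--with-colons" listing, so the parser runs offline on a captured listing.
"""
import subprocess
from dataclasses import dataclass

RSA_ALGOS = {"1", "3"}            # gpg algorithm ids: 1 = RSA, 3 = RSA sign-only
REJECT_BELOW, WARN_BELOW = 2048, 3072


@dataclass
class KeyVerdict:
    keyid: str
    kind: str       # "pub" (primary key) or "sub" (subkey)
    algo: str
    bits: int
    verdict: str    # "ok", "warn", "reject" or "not-rsa"


def classify(algo: str, bits: int) -> str:
    """Apply the RSA length policy; non-RSA keys are outside the thread's scope."""
    if algo not in RSA_ALGOS:
        return "not-rsa"
    if bits < REJECT_BELOW:
        return "reject"
    return "warn" if bits < WARN_BELOW else "ok"


def parse_colon_listing(listing: str) -> list[KeyVerdict]:
    """Parse pub/sub records (fields: type:validity:bits:algo:keyid:...).
    Subkeys are checked too, since a signing subkey may be what signs InRelease."""
    results = []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 5 or f[0] not in ("pub", "sub"):
            continue
        results.append(KeyVerdict(f[4], f[0], f[3], int(f[2]), classify(f[3], int(f[2]))))
    return results


def audit_keyfile(path: str) -> list[KeyVerdict]:
    """Run gpg on a keyring or armoured key file (e.g. from /etc/apt/trusted.gpg.d)."""
    out = subprocess.run(["gpg", "--show-keys", "--with-colons", path],
                         capture_output=True, text=True, check=True).stdout
    return parse_colon_listing(out)


# Constructed sample: a 1024R key, a 2048R key, a 4096R key carrying a 1024-bit
# RSA signing subkey, and an Ed25519 key (key ids are made up).
SAMPLE = """\
pub:-:1024:1:0123456789ABCDEF:1200000000::-:::scESC::::::::
pub:-:2048:1:1111222233334444:1400000000::-:::scESC::::::::
pub:-:4096:1:5555666677778888:1600000000::-:::scESC::::::::
sub:-:1024:1:AAAABBBBCCCCDDDD:1600000000::::::s::::::::
pub:-:255:22:9999AAAABBBBCCCC:1700000000::-:::scESC::::::::
"""

if __name__ == "__main__":
    for k in parse_colon_listing(SAMPLE):
        print(f"{k.kind} {k.keyid} algo {k.algo}/{k.bits} bits: {k.verdict}")
```

Note that the 4096-bit key is still flagged because of its 1024-bit signing subkey, which is the key that would actually produce the repository signature.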
