Bumping apt RSA key length requirements to 3072-bit (2048 w/ warning) for 24.04
Adrien Nader
adrien at notk.org
Wed Jan 24 07:48:20 UTC 2024
On Wed, Jan 24, 2024, Michael Hudson-Doyle wrote:
> On Tue, 23 Jan 2024 at 02:31, Jeremy Bícha <jeremy.bicha at canonical.com>
> wrote:
>
> > On Mon, Jan 22, 2024 at 7:36 AM Dimitri John Ledkov
> > <dimitri.ledkov at canonical.com> wrote:
> > > > Sadly shipping this in 24.04 means that PPAs owned by user
> > > > accounts created prior to 2014-03-11[3] until the key rotation
> > > > mechanism(s) [4][5] have been implemented.
> > > >
> > >
> > > I do wonder how many active old PPA owners remain in action.
> > >
> > > And if we can reset per-series signing keys on all of those for any
> > > new PPAs, and noble series (meaning single signer, new key for noble+).
> > >
> > > I have personally created a new team for myself, only added myself to
> > > be a member of said team, to gain access to PPAs signed with 4k RSA
> > > key, as I can no longer use my own ppas. I guess I should ask to
> > > delete them all, and request removal of the signing key to gain back
> > > personal PPAs with 4k signing key.
> >
> > Many of Ubuntu's core teams are older than 2014. This includes
> > Desktop, Checkbox, Kernel, Pythoneers, Security, Mozilla, LibreOffice,
> > Kubuntu, Lubuntu.
> >
> > I suspect that this change would break most of the heaviest used PPAs.
> > We need a coordinated transition.
> >
>
> I agree with Jeremy that we can't just blithely assume all PPAs created
> before 2014 are no longer much used.
>
> Unfortunately I don't know what that means for a way forward. Clearly 1024R
> keys should be retired. From one angle, I can imagine a scheme where a repo
> is dual-signed and signs the new key with the old to convince apt to update
> it but from another this seems impossible (and clearly very unlikely to
> land before noble GA).
We know of at least one active PPA with a 1024-bit key:
https://launchpad.net/~videolan/+archive/ubuntu/master-daily .
On the other hand, we can probably imagine there are only a few of them.
How do we do a large-scale analysis however? Actually, I think I spotted
something in launchpadlib but I haven't used that library yet and would
have to spend time discovering it.
--
Adrien
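The thread asks how to find PPA and apt signing keys that would fall under the proposed 24.04 policy (RSA below 3072 bits warned, below 2048 rejected). The following script is an added example written for this page; it is not code from apt, Launchpad or any of the thread's participants. It parses `gpg --with-colons` output (the `pub` records of primary keys), so it can be pointed at files under /etc/apt/trusted.gpg.d, at a downloaded PPA key, or at output collected from many keys in one pass. The sample records embedded at the bottom are constructed, with made-up key ids; the thresholds and the `gpg --show-keys` invocation (gpg 2.2 or later) are the only assumptions.

```python
"""Classify apt/PPA signing keys against the RSA key-length policy
discussed for 24.04: RSA >= 3072 bits accepted, 2048..3071 accepted
with a warning, shorter RSA keys rejected.  Input is the machine-
readable `gpg --with-colons` listing.  Example code, not apt's own."""
import subprocess
from dataclasses import dataclass

# OpenPGP public-key algorithm ids as printed in field 4 of --with-colons output.
ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

RSA_REQUIRED_BITS = 3072   # accepted without complaint (assumed from the proposal)
RSA_WARN_BITS = 2048       # accepted, but apt would warn


@dataclass
class KeyVerdict:
    keyid: str
    algo: str
    bits: int
    verdict: str   # "ok", "warning", "rejected" or "not-rsa"


def classify(algo_id: int, bits: int) -> str:
    """Apply the RSA thresholds; other algorithms are flagged for separate review."""
    if algo_id != 1:
        return "not-rsa"
    if bits >= RSA_REQUIRED_BITS:
        return "ok"
    if bits >= RSA_WARN_BITS:
        return "warning"
    return "rejected"


def audit_colon_output(text: str) -> list[KeyVerdict]:
    """Parse the 'pub' (primary key) records of gpg --with-colons output.

    Colon-format fields, 1-based: 1 record type, 3 key length in bits,
    4 public-key algorithm id, 5 key id.  Sub-keys ('sub') and user ids
    ('uid') are skipped; apt trusts the primary key's signatures here.
    """
    verdicts = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue
        bits = int(fields[2])
        algo_id = int(fields[3])
        keyid = fields[4]
        algo = ALGO_NAMES.get(algo_id, f"algo{algo_id}")
        verdicts.append(KeyVerdict(keyid, algo, bits, classify(algo_id, bits)))
    return verdicts


def audit_keyring_file(path: str) -> list[KeyVerdict]:
    """Run gpg over a keyring or armored key file and classify every primary key.

    --show-keys lists keys in a file without importing them (gpg >= 2.2).
    """
    out = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--show-keys", path],
        capture_output=True, text=True, check=True,
    ).stdout
    return audit_colon_output(out)


# Constructed sample listing: four made-up primary keys in --with-colons layout
# (a 1024-bit RSA key as the thread describes, a 2048-bit RSA key, a 4096-bit
# RSA key and a 1024-bit DSA key), plus one uid record to show it is ignored.
SAMPLE = """\
pub:-:1024:1:0123456789ABCDEF:1234567890:::-:::scESC::::::23::0:
uid:-::::1234567890::0000000000000000000000000000000000000000::Example Old PPA <old at example.invalid>::::::::::0:
pub:-:2048:1:FEDCBA9876543210:1400000000:::-:::scESC::::::23::0:
pub:-:4096:1:0011223344556677:1600000000:::-:::scESC::::::23::0:
pub:-:1024:17:8899AABBCCDDEEFF:1100000000:::-:::scESC::::::23::0:
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a real audit call
    # audit_keyring_file("/etc/apt/trusted.gpg.d/some-ppa.gpg") instead.
    for v in audit_colon_output(SAMPLE):
        print(f"{v.keyid}  {v.algo:<5} {v.bits:>5}  {v.verdict}")
```

Only the primary key's algorithm and length are checked, which is what the thread's "1024R" shorthand refers to; a key whose primary is long enough but whose signing sub-key is short would need the `sub` records inspected as well, and the same loop can be extended to them.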