[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-09-02 Thread robin
I removed then re-added the ppas which had the warnings. After running
'apt update', I don't get warnings anymore.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065932

Title:
  Only adds the weak key for PPAs dual-signed with both weak and strong
  keys

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/2065932/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-09-02 Thread Julian Andres Klode
3. APT, when checking the InRelease file, trusts it (and it could only
become trusted with the strong key signature, the only one it knows), but
also sees a second signature with a weak algorithm. Emits a warning.

So, I only see a false warning for the user: the system is safe using
the stronger key, and the legacy signature raises a warning that
shouldn't be used anyway


No, APT only issues warnings for keys that were actually used to verify a 
signature, so if you see a warning from APT, the key is still in your keyring.

In 24.10 you can use `add-apt-repository --refresh-keys` to refresh all
PPA keys and list any other keys.


[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-09-02 Thread Julian Andres Klode
Dual signing started back then but it finished in July and the default
key exposed was switched to the newest for August.

** Changed in: software-properties (Ubuntu)
   Status: Confirmed => Invalid


[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-09-01 Thread Dmitry Lapshin
Are they? Because it looks the same as in the original description to
me, but I'm late to this party, maybe something else happened in the
meantime?

Also, I think a problem does exist: the warning is still written even
when the system is totally fine, and if that has changed it's still here.


[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-09-01 Thread Anders Kaseorg
There’s no misunderstanding.  The server’s behavior seems to have
changed since I reported this.

$ curl 'https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease' | gpgv
…
gpgv: Signature made Tue 30 Jul 2024 01:11:33 AM PDT
gpgv:                using RSA key F911AB184317630C59970973E363C90F8F1B6217
gpgv: Good signature from "Launchpad PPA for Ubuntu Git Maintainers"
gpgv: Signature made Tue 30 Jul 2024 01:11:33 AM PDT
gpgv:                using RSA key E1DD270288B4E6030699E45FA1715D88E1DF1F24
gpgv: Good signature from "Launchpad PPA for Ubuntu Git Maintainers"

Note that the two signatures are now in the other order.  Lacking any
input from the Launchpad team, I have no way to tell whether this was a
deliberate bugfix or just a random hash sorting fluctuation that could
regress at any time.


[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-09-01 Thread Dmitry Lapshin
I believe there is a misunderstanding of the issue:

1. Yes, said archive is dual signed by two keys, one of them is 1024 rsa.
2. apt-add-repository for me added the strong 4096 rsa key in the 
sources.list.d file. It can be checked by just copying the key block out and 
feeding it into gpg, it shows it's a public key 
F911AB184317630C59970973E363C90F8F1B6217 rsa4096.
3. APT, when checking the InRelease file, trusts it (and it could only become 
trusted with the strong key signature, the only one it knows), but also sees a 
second signature with a weak algorithm. Emits a warning.

So, I only see a false warning for the user: the system is safe using
the stronger key, and the legacy signature raises a warning that
shouldn't be used anyway. But older systems that don't use 4096 rsa keys
yet would see two signatures, one of them they trust (even if it's weak,
HERE the warning if not rejection would be appropriate) and also another
one that they don't trust since they don't know of it yet (that may
raise a message that while the signature we trust is weak there seem to
be a better one, go check the source).

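The two behaviours argued about in this thread (which key add-apt-repository embeds in sources.list.d for a dual-signed PPA, and Julian's point that APT warns only about a key that was actually used to verify a signature) can be modelled in a few lines. The script below is an added illustration written for this thread; it is not the code of software-properties or APT. It parses the human-readable `gpg --list-keys` and `gpgv` output quoted in the thread (constructed here from those lines, with the whitespace gpg prints), treats RSA below 2048 bits as weak (an assumption matching the rsa1024 warning in the report), and models the keyring as the set of keys installed via Signed-By. Because it selects by key strength rather than by position, the signature order change Anders observed makes no difference to the result.

```python
"""Model of PPA key selection and APT's weak-key warning rule.

Constructed example, not software-properties' or APT's own code. The gpg and
gpgv output below is built from the lines quoted in bug 2065932.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: RSA keys shorter than this are "weak" (the report's rsa1024 case).
WEAK_RSA_BITS = 2048

# Constructed from the `gpg --list-keys` output in the bug description.
KEY_LISTING = """\
pub   rsa1024 2009-01-22 [SC]
      E1DD270288B4E6030699E45FA1715D88E1DF1F24
uid           [ unknown] Launchpad PPA for Ubuntu Git Maintainers

pub   rsa4096 2024-04-24 [SC]
      F911AB184317630C59970973E363C90F8F1B6217
uid           [ unknown] Launchpad PPA for Ubuntu Git Maintainers
"""

# Constructed from the gpgv output quoted by Anders Kaseorg.
GPGV_OUTPUT = """\
gpgv: Signature made Tue 30 Jul 2024 01:11:33 AM PDT
gpgv:                using RSA key F911AB184317630C59970973E363C90F8F1B6217
gpgv: Good signature from "Launchpad PPA for Ubuntu Git Maintainers"
gpgv: Signature made Tue 30 Jul 2024 01:11:33 AM PDT
gpgv:                using RSA key E1DD270288B4E6030699E45FA1715D88E1DF1F24
gpgv: Good signature from "Launchpad PPA for Ubuntu Git Maintainers"
"""


@dataclass(frozen=True)
class Key:
    fingerprint: str
    algo: str  # e.g. "rsa"
    bits: int

    @property
    def weak(self) -> bool:
        return self.algo == "rsa" and self.bits < WEAK_RSA_BITS


PUB_RE = re.compile(r"^pub\s+([a-z]+)(\d+)\s")
FPR_RE = re.compile(r"^\s+([0-9A-F]{40})$")
USING_RE = re.compile(r"^gpgv?:\s+using \w+ key ([0-9A-F]{40})$")


def parse_key_listing(text: str) -> list[Key]:
    """Turn `gpg --list-keys` output into Key records (algo/bits + fingerprint)."""
    keys: list[Key] = []
    pending: tuple[str, int] | None = None
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            pending = (m.group(1), int(m.group(2)))
            continue
        m = FPR_RE.match(line)
        if m and pending:
            keys.append(Key(m.group(1), *pending))
            pending = None
    return keys


def choose_signing_key(keys: list[Key]) -> Key:
    """The key add-apt-repository should embed: strongest non-weak key wins,
    regardless of the order the keys were listed or the signatures appear."""
    return max(keys, key=lambda k: (not k.weak, k.bits))


def signing_fingerprints(gpgv_text: str) -> list[str]:
    """Fingerprints of every key that signed the InRelease file, in file order."""
    found = []
    for line in gpgv_text.splitlines():
        m = USING_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def apt_warnings(keyring: list[Key], gpgv_text: str) -> list[str]:
    """Julian's rule: only signatures by keys in the keyring count for
    verification, and only those keys can trigger a weak-algorithm warning."""
    known = {k.fingerprint: k for k in keyring}
    used = [known[f] for f in signing_fingerprints(gpgv_text) if f in known]
    if not used:
        return ["E: no signature by a known key"]  # nothing could be verified
    return [
        f"W: Signature by key {k.fingerprint} uses weak algorithm ({k.algo}{k.bits})"
        for k in used
        if k.weak
    ]


if __name__ == "__main__":
    keys = parse_key_listing(KEY_LISTING)
    print("embed:", choose_signing_key(keys).fingerprint)
    for label, ring in (("strong only", [keys[1]]), ("weak only", [keys[0]]), ("both", keys)):
        print(label, "->", apt_warnings(ring, GPGV_OUTPUT) or "no warning")
```

With only the rsa4096 key installed the model produces no warning, which is the situation Julian describes after `add-apt-repository --refresh-keys`; with the rsa1024 key present (alone or alongside the strong one) the rsa1024 signature is used for verification and the warning is justified.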

[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-06-19 Thread Mario
In my opinion, a weak key indirectly (not far from "almost directly")
compromises the whole system.

This is the highest possible Importance / priority level.

Security urgency.

That goes for any other weak RSA key in any Launchpad PPA.

TODO: replace all Launchpad weak keys with at least RSA4096 and keep
PQA safety in mind.

Thank you.


[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-05-21 Thread Charlie Wong
** Description changed:

  After running ‘add-apt-repository ppa:git-core/ppa’ on Ubuntu 24.04,
  ‘apt update’ gives this warning:
  
  W: https://ppa.launchpadcontent.net/git-
  core/ppa/ubuntu/dists/noble/InRelease: Signature by key
  E1DD270288B4E6030699E45FA1715D88E1DF1F24 uses weak algorithm (rsa1024)
  
  But this PPA is dual-signed by two keys, only one of which is weak.
  add-apt-repository has chosen to install the rsa1024 key in
  sources.list.d.  It should choose the rsa4096 key instead.
  
- $ curl 
'https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease' | 
gpg
+ $ curl 
'https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease' | 
gpgv
  …
  gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT
  gpg:using RSA key F911AB184317630C59970973E363C90F8F1B6217
  gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:  There is no indication that the signature belongs to the owner.
  Primary key fingerprint: F911 AB18 4317 630C 5997  0973 E363 C90F 8F1B 6217
  gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT
  gpg:using RSA key E1DD270288B4E6030699E45FA1715D88E1DF1F24
  gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:  There is no indication that the signature belongs to the owner.
  Primary key fingerprint: E1DD 2702 88B4 E603 0699  E45F A171 5D88 E1DF 1F24
  $ gpg --list-keys F911AB184317630C59970973E363C90F8F1B6217 
E1DD270288B4E6030699E45FA1715D88E1DF1F24
  pub   rsa1024 2009-01-22 [SC]
-   E1DD270288B4E6030699E45FA1715D88E1DF1F24
+   E1DD270288B4E6030699E45FA1715D88E1DF1F24
  uid   [ unknown] Launchpad PPA for Ubuntu Git Maintainers
  
  pub   rsa4096 2024-04-24 [SC]
-   F911AB184317630C59970973E363C90F8F1B6217
+   F911AB184317630C59970973E363C90F8F1B6217
  uid   [ unknown] Launchpad PPA for Ubuntu Git Maintainers
  
  Context: https://discourse.ubuntu.com/t/new-requirements-for-apt-
  repository-signing-in-24-04/42854
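Review bot: the command in the transcript is changed from `gpg` to `gpgv`, but the output that follows is still the old `gpg` run: every line keeps the `gpg:` prefix and the `WARNING: This key is not certified with a trusted signature!` / `There is no indication that the signature belongs to the owner.` lines, which are gpg's trust-model output rather than anything gpgv prints. Either leave the command as `gpg` or replace the output with a fresh `gpgv` capture (the later comment in this thread shows what that looks like: `gpgv: Signature made ...`, `gpgv:                using RSA key ...`, `gpgv: Good signature from ...`) so the command and its output agree.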


[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-05-21 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: software-properties (Ubuntu)
   Status: New => Confirmed
