I removed then re-added the ppas which had the warnings. After running
'apt update', I don't get warnings anymore.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065932
Title:
Only adds the weak key
3. APT, when checking the InRelease file, trusts it (and it could only
become trusted with the strong key signature, the only it knows), but
also sees a second signature with a week algorithm. Emits a warning.
So, I only see a false warning for the user: the system is safe using
the stronger key,
Dual signing started back then but it finished in July and the default
key exposed was switched to the newest for August.
** Changed in: software-properties (Ubuntu)
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscr
Are they? Because it looks like the same as in original description for
me, but I'm late to this party, maybe something else happened in the
meantime?
Also, I think a problem does exist: the warning is still written even
when system is totally fine, and if that has changed it's still here.
--
Yo
There’s no misunderstanding. The server’s behavior seems to have
changed since I reported this.
$ curl
'https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease' |
gpgv
…
gpgv: Signature made Tue 30 Jul 2024 01:11:33 AM PDT
gpgv:using RSA key F911AB184317630C59
I believe there is a misunderstanding of the issue:
1. Yes, said archive is dual signed by two keys, one of them is 1024 rsa.
2. apt-add-repository for me added the strong 4096 rsa key in the
sources.list.d file. It can be checked by just copying the key block out and
feeding it into gpg, it sho
In my opinion, a weak key indirectly (not far from "almost directly")
compromises the whole system.
This is highest possible level Importance / priority.
Security urgency.
That goes for any other weak RSA in any launchpad PPAs.
TODO: replace all Launchpad weak keys with at least RSA4096 and thi
** Description changed:
After running ‘add-apt-repository ppa:git-core/ppa’ on Ubuntu 24.04,
‘apt update’ gives this warning:
W: https://ppa.launchpadcontent.net/git-
core/ppa/ubuntu/dists/noble/InRelease: Signature by key
E1DD270288B4E6030699E45FA1715D88E1DF1F24 uses weak algorithm (
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: software-properties (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065932