[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-09-02 Thread robin
I removed then re-added the ppas which had the warnings. After running 'apt update', I don't get warnings anymore. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2065932 Title: Only adds the weak key

[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-09-02 Thread Julian Andres Klode
3. APT, when checking the InRelease file, trusts it (and it could only become trusted with the strong key signature, the only one it knows), but also sees a second signature with a weak algorithm. Emits a warning. So, I only see a false warning for the user: the system is safe using the stronger key,

[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-09-02 Thread Julian Andres Klode
Dual signing started back then but it finished in July and the default key exposed was switched to the newest for August. ** Changed in: software-properties (Ubuntu) Status: Confirmed => Invalid

[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-09-01 Thread Dmitry Lapshin
Are they? Because it looks like the same as in original description for me, but I'm late to this party, maybe something else happened in the meantime? Also, I think a problem does exist: the warning is still written even when system is totally fine, and if that has changed it's still here.

[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-09-01 Thread Anders Kaseorg
There’s no misunderstanding. The server’s behavior seems to have changed since I reported this.

$ curl 'https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease' | gpgv
…
gpgv: Signature made Tue 30 Jul 2024 01:11:33 AM PDT
gpgv:                using RSA key F911AB184317630C59

[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-09-01 Thread Dmitry Lapshin
I believe there is a misunderstanding of the issue:

1. Yes, said archive is dual signed by two keys, one of them is 1024 rsa.
2. apt-add-repository for me added the strong 4096 rsa key in the sources.list.d file. It can be checked by just copying the key block out and feeding it into gpg, it sho

[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-06-19 Thread Mario
In my opinion, a weak key indirectly (not far from "almost directly") compromises the whole system. This is the highest possible level of importance / priority. Security urgency. That goes for any other weak RSA in any Launchpad PPAs. TODO: replace all Launchpad weak keys with at least RSA4096 and thi

[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-05-21 Thread Charlie Wong
** Description changed:

After running ‘add-apt-repository ppa:git-core/ppa’ on Ubuntu 24.04, ‘apt update’ gives this warning:

W: https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease: Signature by key E1DD270288B4E6030699E45FA1715D88E1DF1F24 uses weak algorithm (

[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-05-21 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: software-properties (Ubuntu) Status: New => Confirmed