[Bug 2073126] Re: More nuanced public key algorithm revocation
This bug was fixed in the package apt - 2.8.3

---
apt (2.8.3) noble; urgency=medium

  * Revert increased key size requirements from 2.8.0-2.8.2 (LP: #2073126)
    - Revert "Only install 00-temporary-rsa1024 for >=2.7.6 and improve comment"
    - Revert "Only warn about =2.7.6 and improve comment (follow-up for LP: #2073126)

apt (2.8.1) noble; urgency=medium

  * Only revoke weak RSA keys for now, add 'next' and 'future' levels
    (backported from 2.9.7)
    Note that the changes to warn about keys not matching the future level
    in the --audit level are not fully included, as the --audit feature
    has not yet been backported. (LP: #2073126)
  * Introduce further mitigation on upgrades from 2.7.x to allow these
    systems to continue using rsa1024 repositories with warnings
    until the 24.04.2 point release (LP: #2073126)

apt (2.8.0) noble; urgency=medium

  [ Julian Andres Klode ]
  * Revert "Temporarily downgrade key assertions to "soon worthless""
    We temporarily downgraded the errors to warnings to give the
    launchpad PPAs time to be fixed, but warnings are not safe:
    Untrusted keys could be hiding on your system, but just not
    used at the moment. Hence revert this so we get the errors
    we want. (LP: #2060721)
  * Branch off the stable 2.8.y branch for noble:
    - CI: Test in ubuntu:noble images for 2.8.y
    - debian/gbp.conf: Point at the 2.8.y branch

  [ David Kalnischkies ]
  * Test suite fixes:
    - Avoid subshell hiding failure report from testfilestats
    - Ignore umask of leftover diff_Index in failed pdiff test
  * Documentation translation fixes:
    - Fix and unfuzzy previous VCG/Graphviz URI change

 -- Julian Andres Klode Tue, 22 Oct 2024 15:02:22 +0200

** Changed in: apt (Ubuntu Noble)
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2073126
Title:
More nuanced public key algorithm revocation
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2073126/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2073126] Re: More nuanced public key algorithm revocation
Removing block-proposed-noble as update-manager and apt are both ready to release now, having just verified update-manager/oracular.

** Tags removed: block-proposed-noble
[Bug 2073126] Re: More nuanced public key algorithm revocation
I first upgraded apt, libapt-pkg6.0t64 to 2.8.3.

Validation for RSA1024 remaining weak:

root@noble:~# gpg --quick-gen-key [email protected] rsa1024
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/86F909B8AA125825E11A72DE25BB51DD6ADA3043.rev'
public and secret key created and signed.

Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.
pub rsa1024 2025-04-25 [SC] [expires: 2028-04-24]
 86F909B8AA125825E11A72DE25BB51DD6ADA3043
uid [email protected]

root@noble:~# gpg --export > /etc/apt/trusted.gpg.d/test-key.gpg
root@noble:~# apt download apt
root@noble:~# apt-ftparchive packages . > Packages
root@noble:~# apt-ftparchive release . > Release
root@noble:~# gpg --clearsign < Release > InRelease
root@noble:~# apt update
Get:1 file:/root ./ InRelease [1178 B]
Get:1 file:/root ./ InRelease [1178 B]
Hit:2 http://security.ubuntu.com/ubuntu xenial-security InRelease
Get:3 file:/root ./ Packages [1908 B]
Hit:4 http://security.ubuntu.com/ubuntu noble-security InRelease
Hit:5 http://archive.ubuntu.com/ubuntu noble InRelease
Hit:6 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:7 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Hit:8 http://archive.ubuntu.com/ubuntu noble-proposed InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
11 packages can be upgraded. Run 'apt list --upgradable' to see them.
N: Download is performed unsandboxed as root as file '/root/./InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
W: file:/root/./InRelease: Signature by key 86F909B8AA125825E11A72DE25BB51DD6ADA3043 uses weak algorithm (rsa1024)

-> Warning is there.

For NIST-P256 becoming "OK" I start with the old version, assert the warning is there, and then upgrade and see the warning is gone.

root@noble:~# rm -r .gnupg
root@noble:~# gpg --quick-gen-key [email protected] nistp256
[...]
root@noble:~# gpg --clearsign < Release > InRelease
root@noble:~# gpg --export > /etc/apt/trusted.gpg.d/test-key.gpg
root@noble:~# apt update
Get:1 file:/root ./ InRelease [1093 B]
Get:1 file:/root ./ InRelease [1093 B]
Hit:2 http://archive.ubuntu.com/ubuntu noble InRelease
Hit:3 http://security.ubuntu.com/ubuntu xenial-security InRelease
Hit:4 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:5 http://security.ubuntu.com/ubuntu noble-security InRelease
Hit:6 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Hit:7 http://archive.ubuntu.com/ubuntu noble-proposed InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
12 packages can be upgraded. Run 'apt list --upgradable' to see them.
N: Download is performed unsandboxed as root as file '/root/./InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
W: file:/root/./InRelease: Signature by key D93578FC4117B29A26244AF8D0CD6995D6A102A4 uses weak algorithm (nistp256)
root@noble:~# apt install apt/noble
Selected version '2.8.3' (localhost, Ubuntu:24.04/noble-proposed [amd64]) for 'apt'
Selected version '2.8.3' (Ubuntu:24.04/noble-proposed [amd64]) for 'libapt-pkg6.0t64' because of 'apt'
root@noble:~# apt update
Get:1 file:/root ./ InRelease [1093 B]
Get:1 file:/root ./ InRelease [1093 B]
Hit:2 http://security.ubuntu.com/ubuntu xenial-security InRelease
Hit:3 http://security.ubuntu.com/ubuntu noble-security InRelease
Hit:4 http://archive.ubuntu.com/ubuntu noble InRelease
Hit:5 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:6 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Hit:7 http://archive.ubuntu.com/ubuntu noble-proposed InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
11 packages can be upgraded. Run 'apt list --upgradable' to see them.
N: Download is performed unsandboxed as root as file '/root/./InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble
[Bug 2073126] Re: More nuanced public key algorithm revocation
Already in 2015 the nice folks at https://weakdh.org/ were hypothesizing that 1024 bit DSA was unsafe against very well resourced attackers. We have to draw a line somewhere, and we might as well draw it here, today. Affected parties can modify their APT configuration, right? I'm fine regressing dsa1024 in an update that's generally designed to freshen our allowed cryptography.

Thanks
[Bug 2073126] Re: More nuanced public key algorithm revocation
The update inadvertently disabled DSA signatures. We believed DSA signatures (1) could not use SHA2 hashes and (2) were not trusted anyway, but it seems that xenial, which is dual-signed with a DSA1024 bit key has a SHA512 DSA1024 signature and that is still considered trusted.

This is causing the update-manager test suite to fail, which we missed in oracular because the release pocket regressed at some point earlier, so we never noticed it regressed when the apt changes landed there.

We can add >=dsa1024 back to the list of warning-only algorithms or proceed with the update as is (and fix update-manager's test suite to use the rsa key to verify xenial) which would be better from the security posture stance.
[Bug 2073126] Re: More nuanced public key algorithm revocation
The level has changed: Algorithms missing in "APT::Key::Assert-Pubkey-Algo" cause errors now, whereas algorithms in "APT::Key::Assert-Pubkey-Algo::Next" cause warnings.

Accordingly, the values were moved around such that "APT::Key::Assert-Pubkey-Algo::Next" matches the old APT::Key::Assert-Pubkey-Algo (with NIST curves added); and "APT::Key::Assert-Pubkey-Algo" also allows 2048-bit (and brainpool, nist, secp256)

The result is that rsa<2048, brainpool curves, secp256k1 do not change behavior vs the old version (they now cause warnings), but NIST curves no longer cause warnings per popular request. Which coincidentally is why we need two levels.

This matches the behavior in oracular and plucky.

This _may_ cause a regression if you purposefully override `APT::Key::Assert-Pubkey-Algo` to *NOT* include algorithms that you actually use; which seems highly unlikely given that you'd be introducing warnings to your system.

** Description changed: (Please see https://wiki.ubuntu.com/AptUpdates for the versioning) [Impact] We have received feedback from users that use NIST-P256 keys for their repositories that are upset about receiving a warning. We also revoked additional ECC curves, which may still be considered trusted, so we should not bump them to errors. Also existing users may have third-party repositories that use 1024-bit RSA keys and we have not adequately informed them yet perhaps. We tried to revoke them in the 2.8.0, 2.8.1, and 2.8.2 updates (see bug 2060721). This has been deferred to a later update than 2.8.3 such that we can solve the warnings and other bugs. [Solution] Hence we will restore all elliptic curve keys of 256 or more bit to trusted: ">=rsa1024,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"; Note that we still keep rsa1024 as allowed. 
At the same time we will also introduce a more nuanced approach to revocations by introducing a 'next' level that issues a warning if the key is not allowed in it and a 'future' level that will issue an audit message with the --audit option. For the next level, we will set it to: ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512" This means we restrict warnings to Brainpool curves and the secp256k1 key, which we have not received any feedback about them being used yet. For the future level, we will take a strong approach to best practices as it is only seen when explictly running with --audit and the intention is to highlight best practices. It will be set to ">=rsa3072,ed25519,ed448"; Which corresponds to the NIST recommendations for 2031 (and as little curves as possible). This level is unused in the 24.04 upload as the corresponding "audit" log level has not been backported to it. [Test plan] Tests are included in the library unit tests for parsing the specification strings; we have also included a test for the gpgv method to ensure that it produces the correct outcome for both 'next' and 'future' revoked keys. Some smoke tests: - Observe one a system with a 1024R signed repository that it keeps working and produces a warning (ensures a key listed in "next" but not in "current" warns) - Sign a repository with a NIST P-256 key and ensure it does not produce warnings (ensures that a key listed in "current" and "next" does not warn) [Where problems could occur] There could of course be bugs in the implementation of the new feature; this could result in verification of files failing. This also happens if you specify an invalid `next` or `future` string. There cannot be any false positives: The new levels are only *additional* checks, anything not in the `Assert-Pubkey-Algo` list is still revoked. 
+ + The change in behavior of APT::Key::Assert-Pubkey-Algo _may_ cause a + regression if you purposefully override `APT::Key::Assert-Pubkey-Algo` + to *NOT* include algorithms that you actually use; which seems highly + unlikely given that you'd be introducing warnings to your system. If you + don't have a custom value set (or no warnings with your custom value), + you have no regression there.
[Bug 2073126] Re: More nuanced public key algorithm revocation
Ah, sorry about neglecting the other curves here. I'm much less concerned about the curve changes. Someone who chooses these curves has thought about it and made their choice. Someone who is on RSA1024 might not know that they're on the "very best of y2k" playlist. The NSA may have suggested everybody move away from these curves ten years ago but did so without publishing their reasoning, if I recall correctly, and there hasn't been compelling movement in the open literature that I know of. To the best of my knowledge, these curves are fine now and nobody expects drastic movement in the next few years. Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2073126 Title: More nuanced public key algorithm revocation To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2073126/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2073126] Re: More nuanced public key algorithm revocation
So to summarize, and please confirm or deny my understanding below,
comparing to 2.7.14build2 which is current noble release+updates:
- Assert-Pubkey-Algo reintroduces >= rsa1024 (was rsa2048), and allows more
nist curves[1]. It's downgrading the RSA key size to 1024.
- there is no error whatsoever if an algorithm is not in the Pubkey-Algo list,
correct? Just warnings
- new levels are introduced: next, and future[2]. How can the user switch
between them? I see after installing 2.8.3 that I have the default, next, and
future levels, but it's not clear how "next" and "future" are to be used.
1. diff:
- Cnf.CndSet("APT::Key::Assert-Pubkey-Algo", ">=rsa2048,ed25519,ed448");
+ Cnf.CndSet("APT::Key::Assert-Pubkey-Algo",
">=rsa1024,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1");
2. diff
+ Cnf.CndSet("APT::Key::Assert-Pubkey-Algo::Next",
">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512");
+ Cnf.CndSet("APT::Key::Assert-Pubkey-Algo::Future",
">=rsa3072,ed25519,ed448");
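Review bot: the `+` line of diff 1 lowers the RSA entry from `>=rsa2048` to `>=rsa1024` with no comment saying that this list now marks the error boundary rather than the warning boundary, which is exactly what the message above has to ask about. A short comment above the `CndSet` call stating that keys missing from `APT::Key::Assert-Pubkey-Algo` are rejected, and that `rsa1024` remains listed so that the `::Next` list can warn about it, would make the intent readable from the code.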
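Review bot: in diff 2 the `::Future` default is registered alongside `::Next`, yet the bug description says this level is unused in the 24.04 upload because the audit log level has not been backported. A comment on the `::Future` line saying it has no visible effect in this series would answer the "how are next and future to be used" question for anyone reading the defaults.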
[Bug 2073126] Re: More nuanced public key algorithm revocation
Thanks @Seth! Your comment #18 seems to have focused mostly on the RSA
keys, did you get a chance to also look at the new NIST, brainpoolP, and
secp algorithms that were added/swapped around? From the table in
comment #22 (also comment #20), looks like another change is that NIST
P-{256,384,512} in noble issue a warning, and in the SRU switched to
"good" (no warning or error). This SRU starts with the sentence "We have
received feedback from users that use NIST-P256 keys for their
repositories that are upset about receiving a warning.", which alludes
only to the 256 key size, not the others.
[Bug 2073126] Re: More nuanced public key algorithm revocation
Here is a screenshot of the document from comment #20

** Attachment added: "apt-security-levels.png"
   https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2073126/+attachment/5867457/+files/apt-security-levels.png
[Bug 2073126] Re: More nuanced public key algorithm revocation
I tested with (only changed rsa from the defaults):

APT::Key::Assert-Pubkey-Algo ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1";
APT::Key::Assert-Pubkey-Algo::Next ">=rsa5120,ed25519,ed448,nistp256,nistp384,nistp512";
APT::Key::Assert-Pubkey-Algo::Future ">=rsa6144,ed25519,ed448";

And got:

$ sudo apt update
Hit:1 http://br.archive.ubuntu.com/ubuntu noble InRelease
Hit:2 http://br.archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:3 http://br.archive.ubuntu.com/ubuntu noble-backports InRelease
Hit:4 http://br.archive.ubuntu.com/ubuntu noble-security InRelease
Hit:5 https://ppa.launchpadcontent.net/ahasenack/apt-sru/ubuntu noble InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: http://br.archive.ubuntu.com/ubuntu/dists/noble/InRelease: Signature by key F6ECB3762474EDA9D21B7022871920D1991BC93C uses weak algorithm (rsa4096)
W: http://br.archive.ubuntu.com/ubuntu/dists/noble-updates/InRelease: Signature by key F6ECB3762474EDA9D21B7022871920D1991BC93C uses weak algorithm (rsa4096)
W: http://br.archive.ubuntu.com/ubuntu/dists/noble-backports/InRelease: Signature by key F6ECB3762474EDA9D21B7022871920D1991BC93C uses weak algorithm (rsa4096)
W: http://br.archive.ubuntu.com/ubuntu/dists/noble-security/InRelease: Signature by key F6ECB3762474EDA9D21B7022871920D1991BC93C uses weak algorithm (rsa4096)
W: https://ppa.launchpadcontent.net/ahasenack/apt-sru/ubuntu/dists/noble/InRelease: Signature by key 6BD1A790B3211D9CE0A04D073DA665FECBA631A9 uses weak algorithm (rsa4096)

Meaning, rsa4096 is MISSING from ::Next, and I got a warning.
[Bug 2073126] Re: More nuanced public key algorithm revocation
Ah, thank you both Andreas and Julian for working with me to understand these changes better. If we're already supporting rsa1024 in noble, that would explain why we haven't seen a deluge of support requests around it. Fair. Tightening it in an update a year later, absent impressive news, would be too much. I think I'm happy with this update now.

Thanks
[Bug 2073126] Re: More nuanced public key algorithm revocation
Put the security levels (noble release vs unapproved vs oracular) into a table in https://docs.google.com/document/d/1rIREl1ebAoJXyqjig5MlV1-Jae9EREcApuVMlKT1whQ/edit?tab=t.0
[Bug 2073126] Re: More nuanced public key algorithm revocation
> I don't understand why today is the right day to allow weaker RSA keys.

I don't think that changed. To recap (and these changes are confusing, yes, but this is my understanding of the final result):

# Noble release
- there is only one list of crypto algorithms: Assert-Pubkey-Algo
- anything NOT in that list will trigger a WARNING
- RSA 1024 is NOT in that list, therefore we have a WARNING

# This SRU
- there are two new lists: Assert-Pubkey-Algo::Next and Assert-Pubkey-Algo::Future
- the behavior of Assert-Pubkey-Algo CHANGED: now, algorithms not in this list will trigger an ERROR instead of a WARNING
- algorithms NOT PRESENT in Assert-Pubkey-Algo::Next will issue a WARNING
- RSA1024 was ADDED to Assert-Pubkey-Algo, so it's allowed
- RSA1024 is NOT PRESENT in Assert-Pubkey-Algo::Next, so a WARNING is triggered

In summary, RSA1024 triggers a WARNING in both noble release, and with this SRU.
[Bug 2073126] Re: More nuanced public key algorithm revocation
Thanks for your summary, Andreas, I found it very helpful.

This guide appeared to be the newest from NIST that I could find on the topic of key lengths https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf -- page 21 (marked 11 on the page) appears to say n=1024 is still fine for "legacy use": "The algorithm or key length may only be used to process already protected information (e.g., decrypt ciphertext data or verify a digital signature)".

A very literal reading would probably suggest that *old* InRelease files would be fine but *new* InRelease files wouldn't be. There'd be no reliable way to tell the age without actually validating the signature, so maybe it's academic, but I don't imagine they intended to allow installing software protected solely by rsa1024.

I would prefer if we asked users to make this change themselves if they still have rsa1024 repositories somewhere. Noble has been out for almost a year. Ubuntu 24.04.1 was released over six months ago. If the >=rsa2048 restrictions were brand new, and we saw a deluge of complaints, maybe relaxing it would make sense. But what we've seen is a decade of people asking us how to prevent rsa1024 from being used. I don't understand why today is the right day to allow weaker RSA keys.

All the other changes seem fine to me.

Thanks
[Bug 2073126] Re: More nuanced public key algorithm revocation
@ubuntu-security, could I please get your take on the changes introduced by this SRU? I believe I summarized them in comment #16 (unless @juliank chimes in with a correction!). It's basically the list of crypto algorithms that need checking. RSA1024 still triggers a "weak key" warning.

https://discourse.ubuntu.com/t/new-requirements-for-apt-repository-signing-in-24-04/42854/15 might help with some history, and with the choices of algorithms, but it's a long read.
[Bug 2073126] Re: More nuanced public key algorithm revocation
So from my understanding, these are the big changes in this SRU, regarding the crypto config.

a) Algorithms MISSING from Assert-Pubkey-Algo are now treated as an ERROR, whereas before (noble release) they were WARNINGS;

b) The list of algorithms in Assert-Pubkey-Algo changed:
">=rsa2048,ed25519,ed448");
">=rsa1024,ed25519,ed448, nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1");
b1) rsa2048 was replaced by rsa1024
b2) nist*, brainpool*, and secp256k1 were added to the list

c) Two more algorithms lists were added:
c1) Next: algorithms MISSING from this list will trigger a WARNING
c2) Future: algorithms MISSING from this list will trigger an AUDIT event (not fully supported in this noble SRU yet, so this "Future" list can be ignored for now)
Next", ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512");
Future", ">=rsa3072,ed25519,ed448");

These lists, and how they apply, can be confusing. Here is another way to read these that I came up with:
- Assert-Pubkey-Algo: list of PERMITTED algorithms. If a repository was signed with an algorithm/key NOT listed here, it will trigger an ERROR, regardless of the other lists.
- Assert-Pubkey-Algo::Next: list of NO WARNING algorithms. If a repository was signed with an algorithm/key NOT listed here, it will trigger a WARNING. Should be a subset of the above.
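Added example, not part of the thread and not apt's own code: a small Python model of the three lists as read in the message above, using the default strings quoted in this bug. The function names, the `current`/`next`/`future` labels and the matching rule for `>=` entries (same family prefix, numeric size at least the stated one) are assumptions made for illustration.

```python
import re

# Default lists quoted on this page for apt 2.8.3 in noble.
# The keys "current", "next", "future" are labels chosen for this example.
DEFAULTS = {
    "current": ">=rsa1024,ed25519,ed448,nistp256,nistp384,nistp512,"
               "brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,"
               "brainpoolP512r1,secp256k1",
    "next": ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512",
    "future": ">=rsa3072,ed25519,ed448",
}

# Values from the test posted in this thread (only the rsa entries changed).
CUSTOM = {
    "current": DEFAULTS["current"].replace(">=rsa1024", ">=rsa2048"),
    "next": ">=rsa5120,ed25519,ed448,nistp256,nistp384,nistp512",
    "future": ">=rsa6144,ed25519,ed448",
}

# "rsa2048" -> ("rsa", 2048); names such as "secp256k1" do not match.
_SIZED = re.compile(r"^([A-Za-z]+)(\d+)$")


def parse_spec(spec):
    """Split a specification string into exact names and per-family minimums."""
    exact, minimum = set(), {}
    for entry in (part.strip() for part in spec.split(",")):
        if not entry:
            continue
        if entry.startswith(">="):
            match = _SIZED.match(entry[2:])
            if match is None:
                # The description notes that an invalid string makes
                # verification fail; this model raises instead.
                raise ValueError(f"invalid entry: {entry!r}")
            family, bits = match.group(1), int(match.group(2))
            minimum[family] = min(bits, minimum.get(family, bits))
        else:
            exact.add(entry)
    return exact, minimum


def allowed(algo, spec):
    """True if the algorithm name (e.g. 'rsa1024') is covered by the spec."""
    exact, minimum = parse_spec(spec)
    if algo in exact:
        return True
    match = _SIZED.match(algo)
    if match is None:
        return False
    family, bits = match.group(1), int(match.group(2))
    return family in minimum and bits >= minimum[family]


def classify(algo, levels=DEFAULTS):
    """Missing from current: error. From next: warning. From future: audit."""
    if not allowed(algo, levels["current"]):
        return "error"
    if not allowed(algo, levels["next"]):
        return "warning"
    if not allowed(algo, levels["future"]):
        return "audit"  # only visible with --audit, not backported to noble
    return "ok"


def report(signers, levels=DEFAULTS):
    """Group (source, algorithm) pairs by the outcome they would produce."""
    result = {"error": [], "warning": [], "audit": [], "ok": []}
    for source, algo in signers:
        result[classify(algo, levels)].append(source)
    return result


# Constructed sample inventory; the source names are placeholders.
SAMPLE_SIGNERS = [
    ("archive", "rsa4096"),
    ("old-ppa", "rsa1024"),
    ("vendor-ecc", "nistp256"),
    ("legacy-dsa", "dsa1024"),
    ("brainpool-repo", "brainpoolP256r1"),
]

if __name__ == "__main__":
    for level, sources in report(SAMPLE_SIGNERS).items():
        print(f"{level:8} {', '.join(sources) or '-'}")
```

With `CUSTOM`, `classify("rsa4096", CUSTOM)` gives `warning`, matching the `apt update` output posted in this thread.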
[Bug 2073126] Re: More nuanced public key algorithm revocation
> Algorithms missing in "APT::Key::Assert-Pubkey-Algo" cause errors now,
> whereas algorithms in
> "APT::Key::Assert-Pubkey-Algo::Next" cause warnings.

The word "missing" is, er, missing, in the second part of that sentence, right? The full correct sentence is (diff capitalized by me):

Algorithms missing in "APT::Key::Assert-Pubkey-Algo" cause errors now, whereas algorithms MISSING in "APT::Key::Assert-Pubkey-Algo::Next" cause warnings.
[Bug 2073126] Re: More nuanced public key algorithm revocation
** Description changed: - (This is uploaded to noble as 2.8.1 per - https://wiki.ubuntu.com/AptUpdates) + (Please see https://wiki.ubuntu.com/AptUpdates for the versioning) [Impact] - We have received feedback from users that use NIST-P256 keys for their repositories that are upset about receiving a warning. APT 2.8.0 in noble-proposed would bump the warning to an error, breaking them. - - We also revoked additional ECC curves, which may still be considered - trusted, so we should not bump them to errors. + We have received feedback from users that use NIST-P256 keys for their repositories that are upset about receiving a warning. We also revoked additional ECC curves, which may still be considered trusted, so we should not bump them to errors. Also existing users may have third-party repositories that use 1024-bit - RSA keys and we have not adequately informed them yet perhaps. + RSA keys and we have not adequately informed them yet perhaps. We tried + to revoke them in the 2.8.0, 2.8.1, and 2.8.2 updates (see bug 2060721). + This has been deferred to a later update than 2.8.3 such that we can + solve the warnings and other bugs. [Solution] Hence we will restore all elliptic curve keys of 256 or more bit to trusted: - ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"; + ">=rsa1024,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"; At the same time we will also introduce a more nuanced approach to revocations by introducing a 'next' level that issues a warning if the key is not allowed in it and a 'future' level that will issue an audit message with the --audit option. For the next level, we will set it to: ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512" This means we restrict warnings to Brainpool curves and the secp256k1 key, which we have not received any feedback about them being used yet. 
For the future level, we will take a strong approach to best practices as it is only seen when explictly running with --audit and the intention is to highlight best practices. It will be set to ">=rsa3072,ed25519,ed448"; Which corresponds to the NIST recommendations for 2031 (and as little curves as possible). - - We are also introducing a mitigation for existing 24.04 systems to not - upgrade the policy yet; by creating an apt.conf.d configuration file - that temporarily allows the 1024-bit RSA keys if upgraded from apt - 2.7.x; with the plan to remove them in 24.04.2. [Test plan] Tests are included in the library unit tests for parsing the specification strings; we have also included a test for the gpgv method to ensure that it produces the correct outcome for both 'next' and 'future' revoked keys. The manual test cases are the same as for LP: #2060721. Test Case A: Existing noble system (warning) 0. Update an existing noble container to the new APT 1. Observe/etc/apt/apt.conf.d/00-temporary-rsa1024 being created 2. Add a PPA with an old 1024-bit signing key 3. Run apt update 4. Observe that the PPA is updated with a warning Test Case B: New noble system (error) 0. Bootstrap a new noble system including apt from proposed (using e.g. mmdebstrap) 1. Observe NO /etc/apt/apt.conf.d/00-temporary-rsa1024 2. Add a PPA with an old 1024-bit signing key 3. Run apt update 4. Observe that the PPA is not updated, but the other repositories are Test Case C: mantic -> noble (error) 0. Upgrade mantic to noble w/ apt from proposed, observe behavior as in B Test Case D: jammy -> noble (error) 0. Upgrade jammy to noble w/ apt from proposed, observe behavior as in B [Where problems could occur] There could of course be bugs in the implementation of the new feature; this could result in verification of files failing. This also happens if you specify an invalid `next` or `future` string. 
There cannot be any false positives: The new levels are only *additional* checks, anything not in the `Assert-Pubkey-Algo` list is still revoked. ** Description changed: (Please see https://wiki.ubuntu.com/AptUpdates for the versioning) [Impact] We have received feedback from users that use NIST-P256 keys for their repositories that are upset about receiving a warning. We also revoked additional ECC curves, which may still be considered trusted, so we should not bump them to errors. Also existing users may have third-party repositories that use 1024-bit RSA keys and we have not adequately informed them yet perhaps. We tried to revoke them in the 2.8.0, 2.8.1, and 2.8.2 updates (see bug 2060721). This has been deferred to a later update than 2.8.3 such that we can solve the warnings and other bugs. [Solution] Hence we will restore all elliptic curve keys of 256 or more bit to trusted:
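Review bot: the [Test plan] is carried over as unchanged context but no longer matches the [Solution] in this revision. The trusted list now starts at >=rsa1024 and the paragraph about the 00-temporary-rsa1024 mitigation is removed, yet Test Case A step 1 still expects /etc/apt/apt.conf.d/00-temporary-rsa1024 to be created and Test Cases B to D still expect a 1024-bit PPA to fail with an error. With 'next' still at >=rsa2048, a 1024-bit RSA key lands in the warning level on every upgrade path, so the expected outcomes and the checks for the temporary file should be rewritten to say that.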
[Bug 2073126] Re: More nuanced public key algorithm revocation
** Changed in: apt (Ubuntu Noble) Milestone: ubuntu-24.04.1 => None
[Bug 2073126] Re: More nuanced public key algorithm revocation
** Description changed: (This is uploaded to noble as 2.8.1 per https://wiki.ubuntu.com/AptUpdates) [Impact] We have received feedback from users that use NIST-P256 keys for their repositories that are upset about receiving a warning. APT 2.8.0 in noble-proposed would bump the warning to an error, breaking them. We also revoked additional ECC curves, which may still be considered trusted, so we should not bump them to errors. Also existing users may have third-party repositories that use 1024-bit RSA keys and we have not adequately informed them yet perhaps. [Solution] Hence we will restore all elliptic curve keys of 256 or more bit to trusted: ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"; At the same time we will also introduce a more nuanced approach to revocations by introducing a 'next' level that issues a warning if the key is not allowed in it and a 'future' level that will issue an audit message with the --audit option. For the next level, we will set it to: ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512" This means we restrict warnings to Brainpool curves and the secp256k1 key, which we have not received any feedback about them being used yet. For the future level, we will take a strong approach to best practices as it is only seen when explictly running with --audit and the intention is to highlight best practices. It will be set to ">=rsa3072,ed25519,ed448"; Which corresponds to the NIST recommendations for 2031 (and as little curves as possible). We are also introducing a mitigation for existing 24.04 systems to not upgrade the policy yet; by creating an apt.conf.d configuration file that temporarily allows the 1024-bit RSA keys if upgraded from apt 2.7.x; with the plan to remove them in 24.04.2. 
[Test plan] Tests are included in the library unit tests for parsing the specification strings; we have also included a test for the gpgv method to ensure that it produces the correct outcome for both 'next' and 'future' revoked keys. + Test Case A: Existing noble system (warning) - A spot check with a 1024-bit RSA repository and a 4096 RSA repository - would still be nice. + 0. Update an existing noble container to the new APT + 1. Observe/etc/apt/apt.conf.d/00-temporary-rsa1024 being created + 2. Add a PPA with an old 1024-bit signing key + 3. Run apt update + 4. Observe that the PPA is updated with a warning - Check a clean install of apt/an upgrade from mantic vs an existing noble - system: + Test Case B: New noble system (error) - - An existing noble system should create /etc/apt/apt.conf.d/00-temporary-rsa1024 and continue to trust weak RSA signatures with a warning - - Bootstrap a new noble with proposed enabled using e.g. mmdebstrap and check that this is not the case - - Also check upgrading from mantic directly to proposed and ensure that 1024R repositories are rejected. + 0. Bootstrap a new noble system including apt from proposed (using e.g. mmdebstrap) + 1. Observe NO /etc/apt/apt.conf.d/00-temporary-rsa1024 + 2. Add a PPA with an old 1024-bit signing key + 3. Run apt update + 4. Observe that the PPA is not updated, but the other repositories are + + Test Case C: mantic -> noble + + 0. Upgrade mantic to noble w/ apt from proposed, observe behavior as in + B + + Test Case D: jammy -> noble + + 0. Upgrade jammy to noble w/ apt from proposed, observe behavior as in B [Where problems could occur] There could of course be bugs in the implementation of the new feature; this could result in verification of files failing. This also happens if you specify an invalid `next` or `future` string. There cannot be any false positives: The new levels are only *additional* checks, anything not in the `Assert-Pubkey-Algo` list is still revoked. 
** Description changed: (This is uploaded to noble as 2.8.1 per https://wiki.ubuntu.com/AptUpdates) [Impact] We have received feedback from users that use NIST-P256 keys for their repositories that are upset about receiving a warning. APT 2.8.0 in noble-proposed would bump the warning to an error, breaking them. We also revoked additional ECC curves, which may still be considered trusted, so we should not bump them to errors. Also existing users may have third-party repositories that use 1024-bit RSA keys and we have not adequately informed them yet perhaps. [Solution] Hence we will restore all elliptic curve keys of 256 or more bit to trusted: ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"; At the same time we will also introduce a more nuanced approach to revocations by introducing a 'next' level that issues a warning if the key is not allowed in it and a 'future' level that will issue an audi
[Bug 2073126] Re: More nuanced public key algorithm revocation
This bug was fixed in the package apt - 2.9.7

---
apt (2.9.7) unstable; urgency=medium

  [ sid ]
  * Show installed version (not candidate version) while removing a package

  [ David Kalnischkies ]
  * Parse snapshot option for apt show/list (Closes: #1075819)

  [ Frans Spiesschaert ]
  * Dutch program translation update (Closes: #1075874)
  * Dutch manpages translation update (Closes: #1075875)

  [ Michał Kułach ]
  * Polish program translation update (Closes: #1075975)

  [ Julian Andres Klode ]
  * worker: Add an audit level to log audit messages
  * gpgv: Add a LaterWorthless level, a SoonWorthless but at 'audit' level
  * gpgv: Add IsAssertedPubKeyAlgo() function
  * Only revoke weak RSA keys for now, add 'next' and 'future' levels
    (LP: #2073126)
  * solver3: Refactor Reason.Pkg()/Reason.Ver() use with iterator
  * Add note that redundant 'CLI interface' is intentional

 -- Julian Andres Klode Tue, 30 Jul 2024 13:19:24 +0900

** Changed in: apt (Ubuntu Oracular)
   Status: Fix Committed => Fix Released
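How the asserted, 'next' and 'future' levels from this changelog combine for a given signing key, as an added Python model that is not APT's own code. The three level strings are the ones quoted in the bug description in this thread; the parsing rules (`>=` as a bit-size floor per key family, other entries matched exactly, a malformed string failing closed) and all function names are assumptions of the model.

```python
import re

# Level strings as quoted in the bug description in this thread.
ASSERTED = (">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,"
            "brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,"
            "brainpoolP512r1,secp256k1")
NEXT = ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512"
FUTURE = ">=rsa3072,ed25519,ed448"

_FLOOR = re.compile(r">=([A-Za-z]+)(\d+)")   # e.g. ">=rsa2048"
_EXACT = re.compile(r"[A-Za-z0-9]+")         # e.g. "ed25519"
_SIZED = re.compile(r"([A-Za-z]+)(\d+)")     # e.g. "rsa4096"


class InvalidSpec(ValueError):
    """Raised for a level string this model cannot parse."""


def parse_spec(spec):
    """Split a level string into (exact names, {family: minimum bits})."""
    exact, floors = set(), {}
    for item in spec.split(","):
        floor = _FLOOR.fullmatch(item)
        if floor:
            family, bits = floor.group(1), int(floor.group(2))
            floors[family] = min(bits, floors.get(family, bits))
        elif _EXACT.fullmatch(item):
            exact.add(item)
        else:
            # Covers empty items, stray whitespace and ">=" without digits.
            raise InvalidSpec(f"unrecognized entry {item!r} in {spec!r}")
    return exact, floors


def matches(algo, parsed):
    """True if the key algorithm string is allowed by a parsed level."""
    exact, floors = parsed
    if algo in exact:
        return True
    sized = _SIZED.fullmatch(algo)
    if not sized:
        return False
    family, bits = sized.group(1), int(sized.group(2))
    return family in floors and bits >= floors[family]


def classify(algo, asserted=ASSERTED, next_level=NEXT, future=FUTURE):
    """Return 'error', 'warning', 'audit' or 'ok' for one key algorithm.

    error   : not in the asserted list, the key is treated as revoked
    warning : asserted, but not allowed by the 'next' level
    audit   : allowed by 'next', but not by 'future' (shown with --audit)
    ok      : allowed by all three levels
    """
    try:
        # Parse every level first so a broken string fails verification
        # even when an earlier level would already have decided the result.
        levels = [parse_spec(s) for s in (asserted, next_level, future)]
    except InvalidSpec:
        return "error"
    for parsed, outcome in zip(levels, ("error", "warning", "audit")):
        if not matches(algo, parsed):
            return outcome
    return "ok"


if __name__ == "__main__":
    # Constructed sample of key algorithm strings, not taken from a real system.
    for key in ("rsa1024", "rsa2048", "rsa4096", "ed25519",
                "nistp256", "brainpoolP256r1", "secp256k1"):
        print(f"{key:16} {classify(key)}")
```

Passing the later `>=rsa1024` asserted list from this thread as `asserted` moves `rsa1024` from `error` to `warning`, which is the behaviour the 2.8.3 revert restores.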
[Bug 2073126] Re: More nuanced public key algorithm revocation
** Tags removed: block-proposed
[Bug 2073126] Re: More nuanced public key algorithm revocation
** Tags added: block-proposed-noble
[Bug 2073126] Re: More nuanced public key algorithm revocation
this upload is not to be accepted to -updates before the discussion on ubuntu-release@ is concluded

** Tags added: block-proposed
[Bug 2073126] Re: More nuanced public key algorithm revocation
Hello Julian, or anyone else affected,

Accepted apt into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/2.8.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: apt (Ubuntu Noble)
   Status: New => Fix Committed

** Tags added: verification-needed verification-needed-noble
[Bug 2073126] Re: More nuanced public key algorithm revocation
** Description changed: + (This is uploaded to noble as 2.8.1 per + https://wiki.ubuntu.com/AptUpdates) + [Impact] We have received feedback from users that use NIST-P256 keys for their repositories that are upset about receiving a warning. APT 2.8.0 in noble-proposed would bump the warning to an error, breaking them. We also revoked additional ECC curves, which may still be considered trusted, so we should not bump them to errors. Also existing users may have third-party repositories that use 1024-bit RSA keys and we have not adequately informed them yet perhaps. [Solution] Hence we will restore all elliptic curve keys of 256 or more bit to trusted: ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"; At the same time we will also introduce a more nuanced approach to revocations by introducing a 'next' level that issues a warning if the key is not allowed in it and a 'future' level that will issue an audit message with the --audit option. For the next level, we will set it to: ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512" This means we restrict warnings to Brainpool curves and the secp256k1 key, which we have not received any feedback about them being used yet. For the future level, we will take a strong approach to best practices as it is only seen when explictly running with --audit and the intention is to highlight best practices. It will be set to ">=rsa3072,ed25519,ed448"; Which corresponds to the NIST recommendations for 2031 (and as little curves as possible). We are also introducing a mitigation for existing 24.04 systems to not upgrade the policy yet; by creating an apt.conf.d configuration file that temporarily allows the 1024-bit RSA keys if upgraded from apt 2.7.x; with the plan to remove them in 24.04.2. 
[Test plan] Tests are included in the library unit tests for parsing the specification strings; we have also included a test for the gpgv method to ensure that it produces the correct outcome for both 'next' and 'future' revoked keys. A spot check with a 1024-bit RSA repository and a 4096 RSA repository would still be nice. Check a clean install of apt/an upgrade from mantic vs an existing noble system: - An existing noble system should create /etc/apt/apt.conf.d/00-temporary-rsa1024 and continue to trust weak RSA signatures with a warning - Bootstrap a new noble with proposed enabled using e.g. mmdebstrap and check that this is not the case - Also check upgrading from mantic directly to proposed and ensure that 1024R repositories are rejected. [Where problems could occur] There could of course be bugs in the implementation of the new feature; this could result in verification of files failing. This also happens if you specify an invalid `next` or `future` string. There cannot be any false positives: The new levels are only *additional* checks, anything not in the `Assert-Pubkey-Algo` list is still revoked.
[Bug 2073126] Re: More nuanced public key algorithm revocation
** Description changed: [Impact] We have received feedback from users that use NIST-P256 keys for their repositories that are upset about receiving a warning. APT 2.8.0 in noble-proposed would bump the warning to an error, breaking them. We also revoked additional ECC curves, which may still be considered trusted, so we should not bump them to errors. + + Also existing users may have third-party repositories that use 1024-bit + RSA keys and we have not adequately informed them yet perhaps. [Solution] Hence we will restore all elliptic curve keys of 256 or more bit to trusted: ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"; At the same time we will also introduce a more nuanced approach to revocations by introducing a 'next' level that issues a warning if the key is not allowed in it and a 'future' level that will issue an audit message with the --audit option. For the next level, we will set it to: ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512" This means we restrict warnings to Brainpool curves and the secp256k1 key, which we have not received any feedback about them being used yet. For the future level, we will take a strong approach to best practices as it is only seen when explictly running with --audit and the intention is to highlight best practices. It will be set to ">=rsa3072,ed25519,ed448"; Which corresponds to the NIST recommendations for 2031 (and as little - curves as possible) + curves as possible). + + We are also introducing a mitigation for existing systems to not upgrade + the policy yet; by creating an apt.conf.d configuration file that + temporarily allows the 1024-bit RSA keys with the plan to remove them in + 24.04.2. [Test plan] Tests are included in the library unit tests for parsing the specification strings; we have also included a test for the gpgv method to ensure that it produces the correct outcome for both 'next' and 'future' revoked keys. 
A spot check with a 1024-bit RSA repository and a 4096 RSA repository would still be nice. + Check a clean install of apt/an upgrade from mantic vs an existing noble + system: + + - An existing noble system should create /etc/apt/apt.conf.d/00-temporary-rsa1024 and continue to trust weak RSA signatures with a warning + - Bootstrap a new noble with proposed enabled using e.g. mmdebstrap and check that this is not the case + - Also check upgrading from mantic directly to proposed and ensure that 1024R repositories are rejected. + [Where problems could occur] There could of course be bugs in the implementation of the new feature; this could result in verification of files failing. This also happens if you specify an invalid `next` or `future` string. There cannot be any false positives: The new levels are only *additional* checks, anything not in the `Assert-Pubkey-Algo` list is still revoked. ** Description changed: [Impact] We have received feedback from users that use NIST-P256 keys for their repositories that are upset about receiving a warning. APT 2.8.0 in noble-proposed would bump the warning to an error, breaking them. We also revoked additional ECC curves, which may still be considered trusted, so we should not bump them to errors. Also existing users may have third-party repositories that use 1024-bit RSA keys and we have not adequately informed them yet perhaps. [Solution] Hence we will restore all elliptic curve keys of 256 or more bit to trusted: ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"; At the same time we will also introduce a more nuanced approach to revocations by introducing a 'next' level that issues a warning if the key is not allowed in it and a 'future' level that will issue an audit message with the --audit option. 
For the next level, we will set it to: ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512" This means we restrict warnings to Brainpool curves and the secp256k1 key, which we have not received any feedback about them being used yet. For the future level, we will take a strong approach to best practices as it is only seen when explictly running with --audit and the intention is to highlight best practices. It will be set to ">=rsa3072,ed25519,ed448"; Which corresponds to the NIST recommendations for 2031 (and as little curves as possible). - We are also introducing a mitigation for existing systems to not upgrade - the policy yet; by creating an apt.conf.d configuration file that - temporarily allows the 1024-bit RSA keys with the plan to remove them in - 24.04.2. + We are also introducing a mitigation for existing 24.04 systems to not + upgrade the policy yet; by creating an apt.conf.d configuration file + that tempor
[Bug 2073126] Re: More nuanced public key algorithm revocation
** Changed in: apt (Ubuntu Oracular) Status: New => Fix Committed ** Tags added: regression-proposed
[Bug 2073126] Re: More nuanced public key algorithm revocation
** Description changed: [Impact] We have received feedback from users that use NIST-P256 keys for their repositories that are upset about receiving a warning. APT 2.8.0 in noble-proposed would bump the warning to an error, breaking them. We also revoked additional ECC curves, which may still be considered trusted, so we should not bump them to errors. [Solution] Hence we will restore all elliptic curve keys of 256 or more bit to trusted: ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"; At the same time we will also introduce a more nuanced approach to revocations by introducing a 'next' level that issues a warning if the key is not allowed in it and a 'future' level that will issue an audit message with the --audit option. For the next level, we will set it to: ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512" This means we restrict warnings to Brainpool curves and the secp256k1 key, which we have not received any feedback about them being used yet. For the future level, we will take a strong approach to best practices as it is only seen when explictly running with --audit and the intention is to highlight best practices. It will be set to - ">=rsa3072,ed25519,ed448"; + ">=rsa3072,ed25519,ed448"; Which corresponds to the NIST recommendations for 2031 (and as little curves as possible) [Test plan] Tests are included in the library unit tests for parsing the specification strings; we have also included a test for the gpgv method to ensure that it produces the correct outcome for both 'next' and 'future' revoked keys. A spot check with a 1024-bit RSA repository and a 4096 RSA repository would still be nice. [Where problems could occur] There could of course be bugs in the implementation of the new feature; this could result in verification of files failing. This also happens if you specify an invalid `next` or `future` string. 
There cannot be any false positives: The new levels are only *additional* checks, anything not in the `Assert-Pubkey-Algo` list is still revoked.
[Bug 2073126] Re: More nuanced public key algorithm revocation
** Description changed: [Impact] We have received feedback from users that use NIST-P256 keys for their repositories that are upset about receiving a warning. APT 2.8.0 in noble-proposed would bump the warning to an error, breaking them. + + We also revoked additional ECC curves, which may still be considered + trusted, so we should not bump them to errors. [Solution] Hence we will restore all elliptic curve keys of 256 or more bit to trusted: - APT::Key::Assert-Pubkey-Algo + APT::Key::Assert-Pubkey-Algo ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"; - - At the same time we will also introduce a more nuanced approach to revocations by introducing a 'next' level that issues a warning if the key is not allowed in it and a 'future' level that will issue an audit message with the --audit option. + At the same time we will also introduce a more nuanced approach to + revocations by introducing a 'next' level that issues a warning if the + key is not allowed in it and a 'future' level that will issue an audit + message with the --audit option. For the next level, we will set it to: - ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512" + ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512" This means we restrict warnings to Brainpool curves and the secp256k1 key, which we have not received any feedback about them being used yet. For the future level, we will take a strong approach to best practices as it is only seen when explictly running with --audit and the intention is to highlight best practices. 
It will be set to -">=rsa3072,ed25519,ed448"; + ">=rsa3072,ed25519,ed448"; Which corresponds to the NIST recommendations for 2031 (and as little curves as possible) [Test plan] Tests are included in the library unit tests for parsing the specification strings; we have also included a test for the gpgv method to ensure that it produces the correct outcome for both 'next' and 'future' revoked keys. A spot check with a 1024-bit RSA repository and a 4096 RSA repository would still be nice. - [Where problems could occur] There could of course be bugs in the implementation of the new feature; this could result in verification of files failing. This also happens if you specify an invalid `next` or `future` string. There cannot be any false positives: The new levels are only *additional* checks, anything not in the `Assert-Pubkey-Algo` list is still revoked. ** Description changed: [Impact] We have received feedback from users that use NIST-P256 keys for their repositories that are upset about receiving a warning. APT 2.8.0 in noble-proposed would bump the warning to an error, breaking them. We also revoked additional ECC curves, which may still be considered trusted, so we should not bump them to errors. [Solution] Hence we will restore all elliptic curve keys of 256 or more bit to trusted: - APT::Key::Assert-Pubkey-Algo ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"; At the same time we will also introduce a more nuanced approach to revocations by introducing a 'next' level that issues a warning if the key is not allowed in it and a 'future' level that will issue an audit message with the --audit option. For the next level, we will set it to: ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512" This means we restrict warnings to Brainpool curves and the secp256k1 key, which we have not received any feedback about them being used yet. 
For the future level, we will take a strong approach to best practices as it is only seen when explictly running with --audit and the intention is to highlight best practices. It will be set to ">=rsa3072,ed25519,ed448"; Which corresponds to the NIST recommendations for 2031 (and as little curves as possible) [Test plan] Tests are included in the library unit tests for parsing the specification strings; we have also included a test for the gpgv method to ensure that it produces the correct outcome for both 'next' and 'future' revoked keys. A spot check with a 1024-bit RSA repository and a 4096 RSA repository would still be nice. [Where problems could occur] There could of course be bugs in the implementation of the new feature; this could result in verification of files failing. This also happens if you specify an invalid `next` or `future` string. There cannot be any false positives: The new levels are only *additional* checks, anything not in the `Assert-Pubkey-Algo` list is still revoked. ** Description changed: [Impact] We have received feedback from users that use NIST-P256 keys for their repositories that are upset about receiving a warning. APT 2.8.0 in noble-proposed would bump the
[Bug 2073126] Re: More nuanced public key algorithm revocation
** Description changed: - APT 2.9.x and 2.8.0 revoke any of the non-asserted algorithms, we should - modify the mechanism such that only RSA1024 is raised to an error to - avoid unwanted regressions while still keeping the set of fully - supported algorithms small. + [Impact] + We have received feedback from users that use NIST-P256 keys for their repositories that are upset about receiving a warning. APT 2.8.0 in noble-proposed would bump the warning to an error, breaking them. + + [Solution] + Hence we will restore all elliptic curve keys of 256 or more bit to trusted: + + APT::Key::Assert-Pubkey-Algo + ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"; + + + At the same time we will also introduce a more nuanced approach to revocations by introducing a 'next' level that issues a warning if the key is not allowed in it and a 'future' level that will issue an audit message with the --audit option. + + For the next level, we will set it to: + + ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512" + + This means we restrict warnings to Brainpool curves and the secp256k1 + key, which we have not received any feedback about them being used yet. + + For the future level, we will take a strong approach to best practices + as it is only seen when explictly running with --audit and the intention + is to highlight best practices. It will be set to + +">=rsa3072,ed25519,ed448"; + + Which corresponds to the NIST recommendations for 2031 (and as little + curves as possible) + + [Test plan] + Tests are included in the library unit tests for parsing the specification strings; we have also included a test for the gpgv method to ensure that it produces the correct outcome for both 'next' and 'future' revoked keys. + + A spot check with a 1024-bit RSA repository and a 4096 RSA repository + would still be nice. 
+ + + [Where problems could occur] + There could of course be bugs in the implementation of the new feature; this could result in verification of files failing. This also happens if you specify an invalid `next` or `future` string. + + There cannot be any false positives: The new levels are only + *additional* checks, anything not in the `Assert-Pubkey-Algo` list is + still revoked.
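Review bot: the `nistp512` entry in the added Assert-Pubkey-Algo and 'next' lists does not name a NIST curve; the curve at that size is P-521. Confirm the entry matches the algorithm string the gpgv method compares against, because by the last paragraph of this description anything not in the `Assert-Pubkey-Algo` list is still revoked, so a mismatched name would reject keys on that curve instead of trusting them.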
