Public bug reported:

[Impact]

 * Xenial systems will not be able to debootstrap Groovy archives when
it finally switches to be signed by single 2018 key. To have support for
xenial to operate against Groovy+ archives it needs access to 2018
archive key. Ship it.

[Test Case]

 * Start xenial chroot or lxd container.
 * Observe that 4 keys are trusted - the original 2004 archive & cdimage, 2012 
archive & cdimage

# apt-key list --fingerprint
/etc/apt/trusted.gpg
--------------------
pub   1024D/437D05B5 2004-09-12
      Key fingerprint = 6302 39CC 130E 1A7F D81A  27B1 4097 6EAF 437D 05B5
uid                  Ubuntu Archive Automatic Signing Key <ftpmas...@ubuntu.com>
sub   2048g/79164387 2004-09-12

pub   4096R/C0B21F32 2012-05-11
      Key fingerprint = 790B C727 7767 219C 42C8  6F93 3B4F E6AC C0B2 1F32
uid                  Ubuntu Archive Automatic Signing Key (2012) 
<ftpmas...@ubuntu.com>

pub   4096R/EFE21092 2012-05-11
      Key fingerprint = 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid                  Ubuntu CD Image Automatic Signing Key (2012) 
<cdim...@ubuntu.com>

pub   1024D/FBB75451 2004-12-30
      Key fingerprint = C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
uid                  Ubuntu CD Image Automatic Signing Key <cdim...@ubuntu.com>

  * Install the new ubuntu-keyring package
  * Observe that 5 keys are now trusted, including the 2018 archive key

# apt-key list --fingerprint
/etc/apt/trusted.gpg
--------------------
pub   1024D/437D05B5 2004-09-12
      Key fingerprint = 6302 39CC 130E 1A7F D81A  27B1 4097 6EAF 437D 05B5
uid                  Ubuntu Archive Automatic Signing Key <ftpmas...@ubuntu.com>
sub   2048g/79164387 2004-09-12

pub   4096R/C0B21F32 2012-05-11
      Key fingerprint = 790B C727 7767 219C 42C8  6F93 3B4F E6AC C0B2 1F32
uid                  Ubuntu Archive Automatic Signing Key (2012) 
<ftpmas...@ubuntu.com>

pub   4096R/EFE21092 2012-05-11
      Key fingerprint = 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid                  Ubuntu CD Image Automatic Signing Key (2012) 
<cdim...@ubuntu.com>

pub   1024D/FBB75451 2004-12-30
      Key fingerprint = C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
uid                  Ubuntu CD Image Automatic Signing Key <cdim...@ubuntu.com>

pub   4096R/991BC93C 2018-09-17
      Key fingerprint = F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid                  Ubuntu Archive Automatic Signing Key (2018) 
<ftpmas...@ubuntu.com>

  * Dist upgrade to bionic
  * Observe that only 3 keys are trusted the 2012 cdimage&archive + 2018 key, 
and that none of them are in /etc/apt/trusted.gpg but are key snippets in 
/etc/apt/trusted.gpg.d/

# apt-key list
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      790B C727 7767 219C 42C8  6F93 3B4F E6AC C0B2 1F32
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2012) 
<ftpmas...@ubuntu.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) 
<cdim...@ubuntu.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) 
<ftpmas...@ubuntu.com>


[Regression Potential] 

 * Adding additional new trust key can trigger support request (aka why
are you adding this key on xenial). The reason to add this key on
xenial, is for xenial to allow securely debootstrap and operate on
Groovy+ repositories which are about to drop 2012 key signatures.

[Other Info]
 
 * Bionic switched from shipping keys in /etc/apt/trusted.gpg keyring, to 
individual snippets. Thus xenial's upload that adds the future key to 
/etc/apt/trusted.gpg should also remove it, during upgrade to bionic. To ensure 
that the systems upgraded from xenial to bionic, look the same as those that 
are fresh bionic installations.

** Affects: ubuntu-keyring (Ubuntu)
     Importance: Undecided
         Status: Invalid

** Affects: ubuntu-keyring (Ubuntu Xenial)
     Importance: Undecided
         Status: Triaged

** Also affects: ubuntu-keyring (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: ubuntu-keyring (Ubuntu)
       Status: New => Invalid

** Changed in: ubuntu-keyring (Ubuntu Xenial)
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1881278

Title:
  Ship 2018 Archive key in xenial's ubuntu-keyring

Status in ubuntu-keyring package in Ubuntu:
  Invalid
Status in ubuntu-keyring source package in Xenial:
  Triaged

Bug description:
  [Impact]

   * Xenial systems will not be able to debootstrap Groovy archives when
  it finally switches to be signed by single 2018 key. To have support
  for xenial to operate against Groovy+ archives it needs access to 2018
  archive key. Ship it.

  [Test Case]

   * Start xenial chroot or lxd container.
   * Observe that 4 keys are trusted - the original 2004 archive & cdimage, 
2012 archive & cdimage

  # apt-key list --fingerprint
  /etc/apt/trusted.gpg
  --------------------
  pub   1024D/437D05B5 2004-09-12
        Key fingerprint = 6302 39CC 130E 1A7F D81A  27B1 4097 6EAF 437D 05B5
  uid                  Ubuntu Archive Automatic Signing Key 
<ftpmas...@ubuntu.com>
  sub   2048g/79164387 2004-09-12

  pub   4096R/C0B21F32 2012-05-11
        Key fingerprint = 790B C727 7767 219C 42C8  6F93 3B4F E6AC C0B2 1F32
  uid                  Ubuntu Archive Automatic Signing Key (2012) 
<ftpmas...@ubuntu.com>

  pub   4096R/EFE21092 2012-05-11
        Key fingerprint = 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
  uid                  Ubuntu CD Image Automatic Signing Key (2012) 
<cdim...@ubuntu.com>

  pub   1024D/FBB75451 2004-12-30
        Key fingerprint = C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
  uid                  Ubuntu CD Image Automatic Signing Key 
<cdim...@ubuntu.com>

    * Install the new ubuntu-keyring package
    * Observe that 5 keys are now trusted, including the 2018 archive key

  # apt-key list --fingerprint
  /etc/apt/trusted.gpg
  --------------------
  pub   1024D/437D05B5 2004-09-12
        Key fingerprint = 6302 39CC 130E 1A7F D81A  27B1 4097 6EAF 437D 05B5
  uid                  Ubuntu Archive Automatic Signing Key 
<ftpmas...@ubuntu.com>
  sub   2048g/79164387 2004-09-12

  pub   4096R/C0B21F32 2012-05-11
        Key fingerprint = 790B C727 7767 219C 42C8  6F93 3B4F E6AC C0B2 1F32
  uid                  Ubuntu Archive Automatic Signing Key (2012) 
<ftpmas...@ubuntu.com>

  pub   4096R/EFE21092 2012-05-11
        Key fingerprint = 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
  uid                  Ubuntu CD Image Automatic Signing Key (2012) 
<cdim...@ubuntu.com>

  pub   1024D/FBB75451 2004-12-30
        Key fingerprint = C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
  uid                  Ubuntu CD Image Automatic Signing Key 
<cdim...@ubuntu.com>

  pub   4096R/991BC93C 2018-09-17
        Key fingerprint = F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
  uid                  Ubuntu Archive Automatic Signing Key (2018) 
<ftpmas...@ubuntu.com>

    * Dist upgrade to bionic
    * Observe that only 3 keys are trusted the 2012 cdimage&archive + 2018 key, 
and that none of them are in /etc/apt/trusted.gpg but are key snippets in 
/etc/apt/trusted.gpg.d/

  # apt-key list
  /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
  ------------------------------------------------------
  pub   rsa4096 2012-05-11 [SC]
        790B C727 7767 219C 42C8  6F93 3B4F E6AC C0B2 1F32
  uid           [ unknown] Ubuntu Archive Automatic Signing Key (2012) 
<ftpmas...@ubuntu.com>

  /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
  ------------------------------------------------------
  pub   rsa4096 2012-05-11 [SC]
        8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
  uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) 
<cdim...@ubuntu.com>

  /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  ------------------------------------------------------
  pub   rsa4096 2018-09-17 [SC]
        F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
  uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) 
<ftpmas...@ubuntu.com>

  
  [Regression Potential] 

   * Adding additional new trust key can trigger support request (aka
  why are you adding this key on xenial). The reason to add this key on
  xenial, is for xenial to allow securely debootstrap and operate on
  Groovy+ repositories which are about to drop 2012 key signatures.

  [Other Info]
   
   * Bionic switched from shipping keys in /etc/apt/trusted.gpg keyring, to 
individual snippets. Thus xenial's upload that adds the future key to 
/etc/apt/trusted.gpg should also remove it, during upgrade to bionic. To ensure 
that the systems upgraded from xenial to bionic, look the same as those that 
are fresh bionic installations.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1881278/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to