I don't think this bug is fixed. It looks to me like the keyserver operator (or anyone who can MITM the keyserver) can still inject arbitrary keys here.
/usr/share/pyshared/softwareproperties/ppa.py appears to run "apt-key adv --keyserver $whatever --recv $fingerprint" and "apt-key adv" is just shelling out to gpg. If your keyserver happens to return the wrong thing (whether by malice or by accident), it will still just get imported.

If you'd like to try, consider using the (absurdly low-fi) fake "keyserver" hkp://dkg.fifthhorseman.net:80/, which will always return my key, regardless of what keyid (or fingerprint) you request from it.

    add-apt-repository --keyserver hkp://dkg.fifthhorseman.net:80/ ppa:kernel-ppa/ppa

--
https://bugs.launchpad.net/bugs/1016643
Title: add-apt-repository downloads gpg key in an insecure fashion
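One way to close the gap described in this comment, as an added example (not code from add-apt-repository or from the commenter): receive the key into a scratch keyring, list it with `gpg --with-colons --fingerprint --list-keys`, and import into the trusted keyring only if the single primary key's full fingerprint equals the one requested. The function names are hypothetical, and the listings and fingerprints below are constructed sample data.

```python
import re

def normalize_fingerprint(fpr):
    """Accept only a full 40-hex-digit (v4) fingerprint; short key IDs are refused."""
    cleaned = re.sub(r"\s+", "", fpr).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("need a full 40-hex-digit fingerprint, got %r" % fpr)
    return cleaned

def primary_fingerprints(colon_listing):
    """Primary-key fingerprints found in gpg's colon-delimited key listing."""
    found, last_key_record = [], None
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last_key_record = fields[0]
        elif fields[0] == "fpr" and last_key_record == "pub" and len(fields) > 9:
            found.append(fields[9].upper())  # field 10 of an fpr record
            last_key_record = None           # ignore fpr lines of subkeys
    return found

def fetched_key_matches(requested_fpr, colon_listing):
    """True only if the scratch keyring holds exactly the one requested key."""
    return primary_fingerprints(colon_listing) == [normalize_fingerprint(requested_fpr)]

# Constructed sample data: the fingerprint the client asked for ...
WANTED = "1111 2222 3333 4444 5555  6666 7777 8888 9999 0000"
# ... a listing where the keyserver returned that key ...
HONEST = """\
pub:-:4096:1:7777888899990000:1300000000:::-:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
uid:-::::1300000000::0000::Constructed PPA key::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1300000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA98760123456789ABCDEF:
"""
# ... and one where it returned some other key, whatever was requested.
SUBSTITUTED = """\
pub:-:4096:1:0000111122223333:1300000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:-::::1300000000::0000::Constructed other key::::::::::0:
"""

if __name__ == "__main__":
    for name, listing in (("honest", HONEST), ("substituted", SUBSTITUTED)):
        verdict = "import" if fetched_key_matches(WANTED, listing) else "reject"
        print("%s keyserver response: %s" % (name, verdict))
```

Requiring an exact one-element match also rejects a response that bundles the requested key together with extra keys.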