I believe there is a misunderstanding of the issue:

1. Yes, said archive is dual signed by two keys, one of them is 1024 rsa.
2. apt-add-repository for me added the strong 4096 rsa key in the 
sources.list.d file. It can be checked by just copying the key block out and 
feeding it into gpg, it shows it's a public key 
F911AB184317630C59970973E363C90F8F1B6217 rsa4096.
3. APT, when checking the InRelease file, trusts it (and it could only become 
trusted with the strong key signature, the only one it knows), but also sees a 
second signature with a weak algorithm, and emits a warning.

So, I only see a false warning for the user: the system is safe using
the stronger key, and the legacy signature raises a warning that
shouldn't be used anyway. But older systems that don't use 4096 rsa keys
yet would see two signatures, one of them they trust (even if it's weak,
HERE the warning if not rejection would be appropriate) and also another
one that they don't trust since they don't know of it yet (that may
raise a message that while the signature we trust is weak there seems to
be a better one, go check the source).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065932

Title:
  Only adds the weak key for PPAs dual-signed with both weak and strong
  keys

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/2065932/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
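An added example, not from this bug report and not software-properties or APT code: a small Python script that performs the check described above (reading the key block out of the Signed-By field of a deb822 .sources file and reporting the key's algorithm, size and fingerprint) without shelling out to gpg, and flags an RSA key below 2048 bits as weak, which is the situation where a PPA's weak key lands in sources.list.d. The deb822 stanza, the PPA URI and the key itself are constructed sample data (hash-derived bytes standing in for the modulus of a v4 RSA key packet), not a real Launchpad key, and the 2048-bit threshold is my assumption of where "weak" starts.

```python
"""Flag weak RSA keys in a deb822 .sources 'Signed-By:' block (added example,
not software-properties or APT code). Parses the armored OpenPGP key without
gpg and reports algorithm, key size and v4 fingerprint of each primary key.
Sample key is CONSTRUCTED (synthetic modulus, placeholder PPA URI)."""
import base64
import hashlib
import struct

RSA_ALGOS = {1, 2, 3}  # RFC 4880 public-key algorithm ids that mean RSA
MIN_RSA_BITS = 2048    # shorter RSA keys are the weak case in the bug report


def extract_signed_by_block(sources_text):
    """deb822: continuation lines start with a space; a blank line is a lone '.'."""
    lines, in_field = [], False
    for line in sources_text.splitlines():
        if line.startswith("Signed-By:"):
            in_field = True
        elif in_field and line.startswith(" "):
            lines.append("" if line[1:] == "." else line[1:])
        elif in_field:
            break
    return "\n".join(lines)


def dearmor(armored):
    """Strip ASCII armor (BEGIN/END, 'Key: value' headers, CRC-24) and decode."""
    b64, in_body = [], False
    for line in armored.splitlines():
        if line.startswith("-----BEGIN PGP"):
            in_body = True
        elif line.startswith("-----END PGP"):
            break
        elif in_body and line.strip() and ": " not in line \
                and not (len(line) == 5 and line.startswith("=")):
            b64.append(line.strip())
    return base64.b64decode("".join(b64))


def read_packet(data, offset):
    """Parse one packet header (old or new format); return (tag, body, next)."""
    ctb = data[offset]
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, data[offset + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + data[offset + 2] + 192, 3
        else:
            raise ValueError("5-byte and partial body lengths not supported")
    else:                                            # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        assert ltype != 3, "indeterminate length not supported"
        hdr = 1 + (1 << ltype)
        length = int.from_bytes(data[offset + 1:offset + hdr], "big")
    start = offset + hdr
    return tag, data[start:start + length], start + length


def describe_public_key(body):
    """(algorithm, RSA modulus bits or None, fingerprint) for a v4 key body."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    algo = body[5]
    name = "rsa" if algo in RSA_ALGOS else "algo-%d" % algo
    bits = struct.unpack(">H", body[6:8])[0] if algo in RSA_ALGOS else None  # MPI n
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
    return name, bits, fpr.upper()


def inspect_sources(sources_text, min_rsa_bits=MIN_RSA_BITS):
    """Return (algorithm, bits, fingerprint, is_weak) for each primary key."""
    data, offset, found = dearmor(extract_signed_by_block(sources_text)), 0, []
    while offset < len(data):
        tag, body, offset = read_packet(data, offset)
        if tag == 6:                 # public-key packet; uids/sigs/subkeys skipped
            name, bits, fpr = describe_public_key(body)
            found.append((name, bits, fpr, name == "rsa" and bits < min_rsa_bits))
    return found


def build_rsa_public_key_packet(n_bits, seed=b"constructed"):
    """CONSTRUCTED v4 RSA packet: hash-derived bytes stand in for the modulus."""
    n = bytearray(hashlib.shake_256(seed).digest(n_bits // 8))
    n[0] |= 0x80                                     # top bit set => exactly n_bits
    body = (b"\x04" + struct.pack(">I", 1700000000) + b"\x01"    # v4, ctime, RSA
            + struct.pack(">H", n_bits) + bytes(n)                 # MPI n
            + struct.pack(">H", 17) + (65537).to_bytes(3, "big"))  # MPI e
    return b"\x99" + struct.pack(">H", len(body)) + body           # old-format tag 6


def make_sources_stanza(packet):
    """Armor a key packet and embed it in a deb822 stanza (placeholder PPA URI)."""
    b64 = base64.b64encode(packet).decode()
    armored = (["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""]
               + [b64[i:i + 64] for i in range(0, len(b64), 64)]
               + ["-----END PGP PUBLIC KEY BLOCK-----"])
    return ("Types: deb\nURIs: https://ppa.example.invalid/owner/ppa/ubuntu/\n"
            "Suites: noble\nComponents: main\nSigned-By:\n"
            + "\n".join(" " + (l or ".") for l in armored) + "\n")


if __name__ == "__main__":
    for bits in (1024, 4096):
        stanza = make_sources_stanza(build_rsa_public_key_packet(bits))
        for name, size, fpr, weak in inspect_sources(stanza):
            print(name, size, fpr, "WEAK" if weak else "ok")
```

On a real file the same check is inspect_sources(open(path).read()); a block that carries several exported keys yields one entry per primary key, so a dual-key export shows both the weak and the strong one side by side, which is exactly the comparison the report above makes by hand with gpg.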
