The update inadvertently disabled DSA signatures. We believed DSA signatures (1) could not use SHA2 hashes and (2) were not trusted anyway, but it seems that xenial, which is dual-signed with a DSA1024 bit key, has a SHA512 DSA1024 signature, and that is still considered trusted.
This is causing the update-manager test suite to fail, which we missed in oracular because the release pocket regressed at some point earlier, so we never noticed it regressed when the apt changes landed there.

We can add >=dsa1024 back to the list of warning-only algorithms or proceed with the update as is (and fix update-manager's test suite to use the RSA key to verify xenial), which would be better from the security posture stance.

--
https://bugs.launchpad.net/bugs/2073126
Title: More nuanced public key algorithm revocation