Allow users to re-generate a PPA signing key

As mentioned in bug #1461834, once this is possible it should be mandatory with a very short sunset period. There is executable code signed by these vulnerable keys.

It's now more important than ever to get an option to regenerate the PPA signing key and get a stronger key because in Xenial, users are flooded with this:

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_atareao_atareao_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key A3D8A366869FE2DC5FFD79C36A9653F936FD5529 (weak digest)

That's actually a different issue that is tracked (and mostly fixed now) in #1556666.

I missed that one, thank you!

Any update on this? There are a lot of people who use PPAs and this is very much not ideal for the security of the Ubuntu community. This is doubly true given that all of the not-so-secure keys have been out there for quite a long time.

What is involved in implementing this functionality?

I think the first step is working out the database, webapp model, and archive publisher changes needed to have archives signed with more than one key. Once that's in place, we'd need some webservice and/or web UI methods to manage the set of keys in use.

There's probably no way around the fact that any key transition is going to be rough for some clients, though it might be worth somebody looking at whether anything can be done client-side: for example, given that software-properties knows how to add the key used to sign a PPA at the moment on the basis of knowing how to communicate securely with Launchpad, something in that area could potentially help out with key transitions in a similar way.

Since this isn't a trivial task, maybe it would be easier to autocreate and use a new key only for new series?

I.e. I'd have a 1024 key for focal, but when I'd first add packages for groovy in my PPA, they'd be signed with a 4096 key... at least that way, eventually in the future, I'd only need the 4096 key.

Also, is it somehow possible for a user to delete all his PPAs, and get a 4096 key?
I tried it but I still got the old 1024 one...

If it can be done on request, please delete ppa:alkisg and generate a new key for me, thank you!

I think one can create a team, add oneself to the team, and add ppa's on the team.

New team should have new key.

(meh launchpad doesn't auto-subscribe when commenting on bugs so I got no notifications :/)

> New team should have new key.

But a new URL for the PPA too, while the goal is to use the same old URL...

I'm trying to update the signing key of this team: https://launchpad.net/~ts.sch.gr

I want to keep the same name/URL. If possible, I would also want to keep the PPAs and only update the signing key, but I don't see any progress on this issue...

So I'm thinking of performing the following actions as a workaround, which raise some questions:

1. Can I rename the ts.sch.gr team into e.g. ts-sch-gr?
2. Will the old PPAs still be usable under the new ts-sch-gr URL?
3. Can I then then create a new team with the old name, ts.sch.gr, or will it tell me "name already exists"?
4. If "yes to all of the above", I guess then the new team will have an rsa4096 key, and I'll be able to add new PPAs there, right?

The heat for this bug seems to be serious off. It is not even getting the base 250 a security issue should get. I added the vulnerability tag to it in attempt to paint it in the light it should be portrayed. Fundamentally this is a vulnerability as it erodes the trust in long term PPA on Launchpad. Without this feature long term users are not choosing security over losing all the karma and other benefits of having an long term account. It is very puzzling to fix this for new users but ignore the base users. Please give this attention ASAP.

Canonical is supposedly working on migrating 1024-bit repositories to 4096-bit keys... because the tooling literally does not even work with them anymore.

https://bugs.launchpad.net/launchpad/+bug/2053281#:~:text=this%20is%20a%20known%20issue%20and%20we%20are%20working%20on%20rotating%20the%20keys%20of%20the%20affected%20PPAs%20with%201024%2Dbit%20RSA%20keys%20to%204096%2Dbit%20RSA%20keys.

Still no allowing users to change their keys.

https://discourse.ubuntu.com/t/new-requirements-for-apt-repository-signing-in-24-04/42854

Hah!

> No action is needed (or possible) from PPA owners

This is so wrong. I need to include the new key in my keyring package for my PPA, then ideally have a time in which both keys are used to sign the repo to allow for rollover and for users to obtain the new key, for which I need the new key ahead of time.

I didn’t even get any communication about this except by asking on d-devel replying to the announcement, where I was just told “Canonical is handling it according to” (the same URL).

Which… may have rather low values of “handling” if this is all still unclear…

roughly a month later and nothing has happened yet… this has the potential to break PPAs quickly

It just broke some for me when I upgraded to the Noble beta, and they weren't insignificant, either.

* https://launchpad.net/~ubuntu-toolchain-r
and
* https://launchpad.net/~git-core

What's the current recommendation for handling this? Is there an APT config key to force acceptance of these pitifully old keys until someone rolls out a fix?

@roguescholar, is it showing this?

| W: http://ppa.launchpad.net/${USER/TEAM}/${PPA_NAME}/ubuntu/dists/noble/InRelease: Signature by key ${KEY} uses weak algorithm (rsa1024)

If so, I think these are warnings at the moment.