ddebs.ubuntu.com gpg signatures use sha-1

Bug #1558823 reported by Seth Arnold
Affects: ddeb-retriever | Status: Fix Released | Importance: Medium | Assigned to: Martin Pitt

Bug Description

The package archives at ddebs.ubuntu.com are signed with signatures based on SHA-1:

wget http://ddebs.ubuntu.com/dists/xenial/Release.gpg
gpg --list-packets < Release.gpg | grep digest
 digest algo 2, begin of digest 5e a9

Algorithm 2 is SHA-1: https://tools.ietf.org/html/rfc4880#section-9.4

The main archives use algo 10, which is SHA-512.

Please update the xenial and newer ddebs to use the newer signature algorithm.

Thanks

Tags: bot-comment


Adam Conrad (adconrad)
Changed in ubuntu:
assignee: nobody → Martin Pitt (pitti)
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1558823/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
Seth Arnold (seth-arnold) wrote :

Hah, apparently they are also signed with a 1024 bit DSA key:

pub 1024D/428D7C01 2008-09-02
      Key fingerprint = 2512 191F EF87 29D6 E5AF 414D ECDC AD72 428D 7C01
uid Ubuntu Debug Symbol Archive Automatic Signing Key <email address hidden>
sub 2048g/A2C2A7A5 2008-09-02

Probably fixing this is a higher priority than the SHA-1 hash in the signature but may be a great time to fix both problems.

Thanks

Martin Pitt (pitti) wrote :

I committed http://bazaar.launchpad.net/~ubuntu-archive/ddeb-retriever/trunk/revision/162 which adds "--personal-digest-preferences SHA512,SHA256,SHA1" to the gpg call. This produces SHA512 digests.

I also created a new GPG key with 4096 bits. The new key is on http://ddebs.ubuntu.com/dbgsym-release-key.asc and also uploaded to keyserver.ubuntu.com, signed by me.

I will now regenerate all indexes, this takes a while.
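The two checks this thread turns on (the digest algorithm in the Release.gpg signature packet, which the report inspects with `gpg --list-packets`, and the key size and algorithm on the `pub` line, which the second comment flags) can be scripted so an archive consumer can re-run them after a fix like the one committed above. The script below is an added example, not part of this bug report or of ddeb-retriever; the two `gpg --list-packets` listings are constructed samples in GnuPG's output shape (the key IDs are taken from the fingerprints posted in this thread, the timestamps and digest bytes of the "after" sample are made up), and the 2048-bit floor is this example's own policy choice.

```python
import re

# Hash algorithm IDs from RFC 4880 section 9.4, the table the report cites.
RFC4880_HASH_ALGOS = {
    1: "MD5", 2: "SHA1", 3: "RIPEMD160",
    8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224",
}
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}

# Public-key algorithm letters as GnuPG 1.x prints them in the "pub NNNNX/KEYID" column.
PUBKEY_LETTERS = {"D": "DSA", "R": "RSA", "g": "ELG"}
# Policy floor assumed by this example (not something the thread specifies).
MIN_SAFE_BITS = 2048

DIGEST_RE = re.compile(r"digest algo (\d+)")
PUB_RE = re.compile(r"^pub\s+(\d+)([A-Za-z])/([0-9A-Fa-f]+)")

# Constructed sample: what `gpg --list-packets < Release.gpg` looked like before the fix
# (algo 17 = DSA, key ID = last 16 hex digits of the 2008 fingerprint in this thread).
SAMPLE_BEFORE = (
    ":signature packet: algo 17, keyid ECDCAD72428D7C01\n"
    "\tversion 4, created 1458500000, md5len 0, sigclass 0x00\n"
    "\tdigest algo 2, begin of digest 5e a9\n"
)
# Constructed sample after the fix: RSA key (algo 1), SHA-512 digest (algo 10).
SAMPLE_AFTER = (
    ":signature packet: algo 1, keyid C8CAB6595FDFF622\n"
    "\tversion 4, created 1458600000, md5len 0, sigclass 0x00\n"
    "\tdigest algo 10, begin of digest ab cd\n"
)


def digest_algos(listing: str) -> list:
    """Return every 'digest algo N' id found in gpg --list-packets output."""
    return [int(m) for m in DIGEST_RE.findall(listing)]


def assess_signature(listing: str) -> list:
    """One verdict per signature packet: algo id, RFC 4880 name, and whether it is weak."""
    ids = digest_algos(listing)
    if not ids:
        raise ValueError("no signature digest found in listing")
    verdicts = []
    for i in ids:
        name = RFC4880_HASH_ALGOS.get(i, f"unknown({i})")
        weak = name in WEAK_HASHES or name.startswith("unknown")
        verdicts.append({"algo_id": i, "name": name, "weak": weak})
    return verdicts


def assess_key(pub_line: str) -> dict:
    """Parse a GnuPG 1.x 'pub 1024D/428D7C01 2008-09-02' line and judge the key size."""
    m = PUB_RE.match(pub_line.strip())
    if not m:
        raise ValueError(f"not a gpg 'pub' line: {pub_line!r}")
    bits, letter, keyid = int(m.group(1)), m.group(2), m.group(3)
    algo = PUBKEY_LETTERS.get(letter, letter)
    # In practice a 1024-bit DSA key (160-bit q) is paired with a 160-bit digest,
    # so the small-key problem and the SHA-1 signature problem tend to arrive together.
    return {"bits": bits, "algo": algo, "keyid": keyid, "weak": bits < MIN_SAFE_BITS}


if __name__ == "__main__":
    for label, listing in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, assess_signature(listing))
    # Both pub lines below are copied from this bug thread.
    print(assess_key("pub 1024D/428D7C01 2008-09-02"))
    print(assess_key("pub 4096R/5FDFF622 2016-03-21 [expires: 2021-03-20]"))
```

To run it against a live archive, feed it the real output of `gpg --list-packets < Release.gpg` and of `gpg --list-keys` on the downloaded key; the parser only depends on the `digest algo N` and `pub NNNNX/KEYID` tokens, which newer GnuPG versions still print for `--list-packets` but format differently for key listings, so check the `pub` line shape first.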

affects: ubuntu → ddeb-retriever
Changed in ddeb-retriever:
importance: Undecided → Medium
status: New → Fix Committed
Martin Pitt (pitti) wrote :

All indexes are now updated.

Changed in ddeb-retriever:
status: Fix Committed → Fix Released
Seth Arnold (seth-arnold) wrote :

Thanks Pitti!

Brian Murray (brian-murray) wrote :

I've marked arges's bug a duplicate of this one. Is it really?

Seth Arnold (seth-arnold) wrote :

I don't think 1561033 is a duplicate; the new key and signatures are working on ddebs, which was my primary goal with this bug report, and arges's bug includes error messages I've never seen before:

   Writing more data than expected (3453598 > 3453008)

I couldn't reproduce his bug on 14.04 LTS but I kept getting hash-sum mismatches:

W: Failed to fetch http://ddebs.ubuntu.com/dists/trusty/main/binary-amd64/Packages Hash Sum mismatch
W: Failed to fetch http://ddebs.ubuntu.com/dists/trusty/universe/binary-amd64/Packages Hash Sum mismatch
W: Failed to fetch http://ddebs.ubuntu.com/dists/trusty/multiverse/binary-amd64/Packages Hash Sum mismatch
W: Failed to fetch http://ddebs.ubuntu.com/dists/trusty/main/binary-i386/Packages Hash Sum mismatch
W: Failed to fetch http://ddebs.ubuntu.com/dists/trusty/universe/binary-i386/Packages Hash Sum mismatch
W: Failed to fetch http://ddebs.ubuntu.com/dists/trusty/multiverse/binary-i386/Packages Hash Sum mismatch

I wonder if my hashes don't match because they aren't the expected lengths...

Anyway I think un-dup is the right approach.
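The two symptoms compared in the comment above come from the same check: apt reads the hash and size of each index out of the signed Release file and refuses an index whose size or digest differs. The script below is an added example, not apt's code and not from this thread; it models only the SHA256 section of a Release file (real Release files carry more fields and sections, and apt raises the size error while the download is still in progress), and the Packages body and path are constructed sample data.

```python
import hashlib
import re


def release_entry(path: str, data: bytes) -> str:
    """One line of a Release file's SHA256 section: ' <hex digest> <size> <path>'."""
    return f" {hashlib.sha256(data).hexdigest()} {len(data)} {path}\n"


def build_release(files: dict) -> str:
    """Constructed Release fragment with just a SHA256 section (real ones carry more)."""
    header = "Suite: trusty\nComponents: main universe multiverse\nSHA256:\n"
    return header + "".join(release_entry(p, d) for p, d in files.items())


ENTRY_RE = re.compile(r"^ ([0-9a-f]{64})\s+(\d+)\s+(\S+)$")


def parse_sha256_section(release: str) -> dict:
    """Map each listed path to its (sha256 hex, size) pair from the SHA256 section."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line.startswith(" "):
            in_section = False        # a non-indented line ends the section
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries


def verify_index(release: str, path: str, data: bytes) -> str:
    """Mimic apt's acceptance test for one downloaded index: size first, then digest."""
    expected = parse_sha256_section(release).get(path)
    if expected is None:
        return "not listed in Release"
    want_hash, want_size = expected
    if len(data) != want_size:
        # apt's "Writing more data than expected (got > expected)" is a size failure
        return f"size mismatch ({len(data)} != {want_size})"
    if hashlib.sha256(data).hexdigest() != want_hash:
        return "Hash Sum mismatch"
    return "ok"


# Constructed sample: a tiny Packages index and the Release that lists it.
PACKAGES_PATH = "main/binary-amd64/Packages"
GOOD_PACKAGES = b"Package: example-dbgsym\nVersion: 1.0-1\nArchitecture: amd64\n\n"
RELEASE = build_release({PACKAGES_PATH: GOOD_PACKAGES})


def demo() -> dict:
    """Exercise the three outcomes: intact, regenerated (longer), and same-size corruption."""
    longer = GOOD_PACKAGES + b"Package: another-dbgsym\n"
    same_size_changed = GOOD_PACKAGES[:-1] + b"X"
    return {
        "intact": verify_index(RELEASE, PACKAGES_PATH, GOOD_PACKAGES),
        "longer": verify_index(RELEASE, PACKAGES_PATH, longer),
        "corrupted": verify_index(RELEASE, PACKAGES_PATH, same_size_changed),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Run against a real mirror, the same function explains the situation in the comment: a Packages file regenerated after the Release file was signed fails on size before its digest is ever compared, while a Release and Packages pair that are merely stale but consistent with each other pass.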

Martin Pitt (pitti) wrote :

This is now partially open again. Re-generating all the indexes triggered a bug in ddeb-retriever that wiped out most ddebs for releases older than xenial.

We have now restored that from backup, but right now some of the indexes for stable releases (which didn't get any package update since March 21) again use the old key and digest algorithm.

Changed in ddeb-retriever:
status: Fix Released → In Progress
Martin Pitt (pitti) wrote :

All indexes regenerated again with new key, this time without killing the archive.

Changed in ddeb-retriever:
status: In Progress → Fix Released
Daniel Richard G. (skunk) wrote :

Hi Martin,

Are you sure that the new 4096-bit key is on ddebs.ubuntu.com? Both dbgsym-release-key.asc and dbgsym-release-key.asc.old are currently the same size, and dated 2008 September.

(Could you also post the key and fingerprint here, since the ddebs site is not HTTPS?)

Martin Pitt (pitti) wrote :

Right, sorry about that. It's updated now.

> (Could you also post the key and fingerprint here, since the ddebs site
> is not HTTPS?)

pub 4096R/5FDFF622 2016-03-21 [expires: 2021-03-20]
      Key fingerprint = F2ED C64D C5AE E1F6 B9C6 21F0 C8CA B659 5FDF F622
uid Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>

This report contains Public Security information.