Make retired Ubuntu keyrings available from the archive
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| ubuntu-keyring (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
Currently, if an Ubuntu developer (or their code) is attempting to interact with the precise archive (which is still supported in some form via ESM) from a machine running bionic or later, they will run in to issues verifying signatures, because the keys used to sign the precise archive are no longer included in the default keyring as of bionic.
(Some form of this problem will present every time an archive key rotation happens; eventually the old key will no longer be trusted, and similar failures to the ones today will occur.)
Whilst the old keys should never be used by the system's apt (or other installed software), it would be good if there were some way to install those keys from the archives for projects which knowingly want to use the older signatures. (The old keys should be in a path that isn't currently used by anything, so that they have to be explicitly used.)
(This bug came out of a discussion on https:/
| description: | updated |
| Scott Moser (smoser) wrote | #1 |
| Dimitri John Ledkov (xnox) wrote | #2 |
| Changed in ubuntu-keyring (Ubuntu): | |
| status: | New → Invalid |
The easiest thing to do would be to just ship a keyring that had the
obsolete public signing keys. Then the consumer could hard code
that 'precise' was signed with keys A, B, C. and work stuff out like
that.
Alternatively possibly we might want to deliver some distro-info like
data.
ubuntu-release|
fingerprint | status | used-releases
790BC7277767219
F6ECB3762474EDA
Then the consumer expecting to verify 'precise' data could determine they should use the 790B key.