Ubuntu
ubuntu-keyring package

Should ubuntu-keyring include the debug archive key?

Bug #643623 reported by Dave Martin
36
This bug affects 5 people
Affects Status Importance Assigned to Milestone
ubuntu-keyring (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Binary package hint: ubuntu-keyring

Currently there doesn't seem to be a good way for developers who haven't been to many keysignings to establish trust in the Ubuntu Debug Symbol Archive Automatic Signing Key (428D7C01)

SIgning this key with with Ubuntu Archive Automatic Signing Key (or equivalent) and/or including the Ubuntu Debug Symbol Archive Automatic Signing Key in ubuntu-keyring could help to solve this problem.

Revision history for this message
Martin Zuther (mzuther) wrote :

I find this is a very clever idea.

+1 from me!

(While we're at it, signing the "Debian Archive Automatic Signing Key (5.0/lenny)" (55BE302B) wouldn't hurt as well, but I'm getting carried away... <g>)

Revision history for this message
Rebecca Palmer (rebecca-palmer) wrote :

This has since got worse: one of the signatures is with a key that used to be in the debian-keyring package, but that key (5E0577F2) has now been revoked.

If it is not desired to have this key installed by default, please create an ubuntu-debug-keyring package (and perhaps have installing it add the sources.list line, though I don't know if policy allows that).

Changed in ubuntu-keyring (Ubuntu):
status: New → Confirmed
Revision history for this message
Esokrates (esokrarkose) wrote :

This really needs to be resolved, I subscribed Michael Vogt, the original maintainer of this package, maybe he has an idea.

Revision history for this message
apport hater (g112) wrote :

So I really cannot establish trust to the Debug Archive signing key? Man.....

Revision history for this message
Daniel Richard G. (skunk) wrote :

I agree on this key needing to be available in the/an official Ubuntu keyring package.

For now, because the original key file is not even accessible via HTTPS, I am attaching a copy of it here. The file is dated 2016-07-04 16:10, and has the following SHA{256,512} hashes:

4a54623d5ec01d098441a42413d5d176c3292113aed9d274ac18ddaec50b76ce dbgsym-release-key.asc
728caec72fa2062f6d931a2c231433ee7dd0181d10d59ac6ec2afe90abc4cf17e3c9a7a4e82430ffdbd850eb68557bd33c1882e7de1dd93bc9b8dbbc61119f82 dbgsym-release-key.asc

Original location: http://ddebs.ubuntu.com/dbgsym-release-key.asc

If anyone sees a difference with the original, please speak up.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

@skunk please remove your comment.

All key fingerprints are accessible via https from https://wiki.ubuntu.com/SecurityTeam/FAQ#GPG_Keys_used_by_Ubuntu

Revision history for this message
Daniel Richard G. (skunk) wrote :

Thank you Dimitry, that is a helpful link.

I've removed the key-file attachment from comment #5, but am unable to otherwise edit/remove the text.

Revision history for this message
Unit 193 (unit193) wrote :

This bug was fixed with the following upload, and the package ubuntu-dbgsym-keyring can now be installed.

ubuntu-keyring (2018.02.05) bionic; urgency=medium

  * Ship the current ubuntu-cloudimage-keyring in the ubuntu-keyring
    package. LP: #1331057
  * Ship ubuntu-cloud-keyring for Cloud Archive signing keys, as a
    separate keyring in /etc/apt/trusted.gpg.d/, and remove it from the
    trusted.gpg keyring as no longer needed to be there.
  * Ship ubuntu-dgbsym key
  * Specify udeb Package-Type and bump priority to standard.
  * Bump standards version

 -- Dimitri John Ledkov <email address hidden> Wed, 17 Jan 2018 16:01:45 +0000

Changed in ubuntu-keyring (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.