Allow users to re-generate a PPA signing key

Bug #1331914 reported by Unit 193
98
This bug affects 16 people
Affects Status Importance Assigned to Milestone
Launchpad itself
High
Unassigned

Bug Description

Howdy,

It'd be great if a user could re-generate their PPA's GPG key, mainly in follow up to Bug #1240681.

Problems with this include users trying to load down the machines and/or pointlessly depleting the random pool, and more minor issues of having to re-add the key to apt's trusted gpg keyring.

William Grant (wgrant)
Changed in launchpad:
importance: Undecided → High
status: New → Triaged
tags: added: gpg ppa security
tags: added: soyuz-publish
Revision history for this message
deutrino (deutrino) wrote :

As mentioned in bug #1461834, once this is possible it should be mandatory with a very short sunset period. There is executable code signed by these vulnerable keys.

Revision history for this message
Alin Andrei (nilarimogard) wrote :

It's now more important than ever to get an option to regenerate the PPA signing key and get a stronger key because in Xenial, users are flooded with this:

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_atareao_atareao_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key A3D8A366869FE2DC5FFD79C36A9653F936FD5529 (weak digest)

Revision history for this message
Unit 193 (unit193) wrote :

That's actually a different issue that is tracked (and mostly fixed now) in #1556666.

Revision history for this message
Alin Andrei (nilarimogard) wrote :

I missed that one, thank you!

Revision history for this message
Matt Corallo (bluematt) wrote :

Any update on this? There are a lot of people who use PPAs and this is very much not ideal for the security of the Ubuntu community. This is doubly true given that all of the not-so-secure keys have been out there for quite a long time.

Revision history for this message
Andy Brody (abrody) wrote :

What is involved in implementing this functionality?

Revision history for this message
Colin Watson (cjwatson) wrote :

I think the first step is working out the database, webapp model, and archive publisher changes needed to have archives signed with more than one key. Once that's in place, we'd need some webservice and/or web UI methods to manage the set of keys in use.

There's probably no way around the fact that any key transition is going to be rough for some clients, though it might be worth somebody looking at whether anything can be done client-side: for example, given that software-properties knows how to add the key used to sign a PPA at the moment on the basis of knowing how to communicate securely with Launchpad, something in that area could potentially help out with key transitions in a similar way.

Revision history for this message
Alkis Georgopoulos (alkisg) wrote :

Since this isn't a trivial task, maybe it would be easier to autocreate and use a new key only for new series?

I.e. I'd have a 1024 key for focal, but when I'd first add packages for groovy in my PPA, they'd be signed with a 4096 key... at least that way, eventually in the future, I'd only need the 4096 key.

Revision history for this message
Alkis Georgopoulos (alkisg) wrote :

Also, is it somehow possible for a user to delete all his PPAs, and get a 4096 key?
I tried it but I still got the old 1024 one...

If it can be done on request, please delete ppa:alkisg and generate a new key for me, thank you!

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

I think one can create a team, add oneself to the team, and add ppa's on the team.

New team should have new key.

Revision history for this message
Alkis Georgopoulos (alkisg) wrote :

(meh launchpad doesn't auto-subscribe when commenting on bugs so I got no notifications :/)

> New team should have new key.

But a new URL for the PPA too, while the goal is to use the same old URL...

Revision history for this message
Alkis Georgopoulos (alkisg) wrote :

I'm trying to update the signing key of this team: https://launchpad.net/~ts.sch.gr

I want to keep the same name/URL. If possible, I would also want to keep the PPAs and only update the signing key, but I don't see any progress on this issue...

So I'm thinking of performing the following actions as a workaround, which raise some questions:

1. Can I rename the ts.sch.gr team into e.g. ts-sch-gr?
2. Will the old PPAs still be usable under the new ts-sch-gr URL?
3. Can I then then create a new team with the old name, ts.sch.gr, or will it tell me "name already exists"?
4. If "yes to all of the above", I guess then the new team will have an rsa4096 key, and I'll be able to add new PPAs there, right?

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Related questions