[feature request] make full ppa signing public key available over https

Bug #1667725 reported by Scott Moser
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
Colin Watson
software-properties (Ubuntu)
Fix Released

Bug Description

Currently, for a ppa, launchpad makes the long key fingerprint available over https. I'd like to request that it also make the full public key available over https.

Many people use add-apt-repository extensively for using ppas ('add-apt-repository -y smoser/archive')

As I understand it, that basically does:
 a. request the 'archive urls', 'description' and long key fingerprint over https from launchpad.net
 b. does gpg --recv <long-key-fingerprint> from hkp://keyserver.ubuntu.com:80/ (or the --keyserver argument)
 c. adds the result of 'b' to apt using 'apt-key'

Since launchpad is the owner of the signing key for the ppa, why not have it just give us the full public key over the same api that it provides the other bits of information?

My experience is that gpg servers are less reliable than we'd like, and even if they were as reliable as launchpad, any use of a ppa now effectively depends on 2 external systems when 1 could suffice.

Related branches

Scott Moser (smoser)
description: updated
Revision history for this message
Colin Watson (cjwatson) wrote :

Launchpad itself doesn't hold the full key material other than in caches - it relies on being able to fetch key material from the keyservers itself - so this would probably just move unreliability around.

tags: added: cpe-onsite
Colin Watson (cjwatson)
Changed in launchpad:
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Colin Watson (cjwatson)
tags: added: api feature lp-registry
Revision history for this message
Colin Watson (cjwatson) wrote :

Even though it won't be possible to make the API in question reliable in the short term, I'm persuaded that this is worth doing for a couple of reasons:

 * it will allow reducing the necessary egress firewall configuration for systems on locked-down networks to use add-apt-repository
 * it will help us to transition to updating keyservers on a best-effort basis, and keeping key material in the Launchpad database (we haven't committed to doing this, but given recent keyserver troubles it may be worth it)

Revision history for this message
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Revision history for this message
Scott Moser (smoser) wrote :

I put up a MP for software-properties to make add-apt-repository to use this

Will there be update to this bug when this goes life on production?

William Grant (wgrant)
tags: added: qa-ok
removed: qa-needstesting
William Grant (wgrant)
Changed in launchpad:
status: Fix Committed → Fix Released
Scott Moser (smoser)
Changed in software-properties (Ubuntu):
status: New → In Progress
Scott Moser (smoser)
Changed in software-properties (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package software-properties - 0.96.27

software-properties (0.96.27) cosmic; urgency=medium

  * Fix tests (including dep8) when running on non-intel (LP: #1785683).

 -- Scott Moser <email address hidden> Mon, 06 Aug 2018 14:33:31 -0400

Changed in software-properties (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.