[feature request] make full ppa signing public key available over https

Bug #1667725 reported by Scott Moser on 2017-02-24
This bug affects 2 people
Affects: Launchpad itself. Importance: Low. Assigned to: Colin Watson
Affects: software-properties (Ubuntu). Importance: Medium. Assigned to: Unassigned

Bug Description

Currently, for a ppa, launchpad makes the long key fingerprint available over https. I'd like to request that it also make the full public key available over https.

Many people use add-apt-repository extensively for using ppas ('add-apt-repository -y smoser/archive')

As I understand it, that basically does:
 a. request the 'archive urls', 'description' and long key fingerprint over https from launchpad.net
 b. does gpg --recv <long-key-fingerprint> from hkp://keyserver.ubuntu.com:80/ (or the --keyserver argument)
 c. adds the result of 'b' to apt using 'apt-key'

Since launchpad is the owner of the signing key for the ppa, why not have it just give us the full public key over the same api that it provides the other bits of information?

My experience is that gpg servers are less reliable than we'd like, and even if they were as reliable as launchpad, any use of a ppa now effectively depends on 2 external systems when 1 could suffice.
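
Because step b fetches the key over plain hkp, the full fingerprint obtained over https in step a is what binds the retrieved key to the PPA. The following is an added example, not part of the bug report or of software-properties: it computes the OpenPGP v4 fingerprint (RFC 4880, section 12.2) of binary key data and compares it with the pinned value. The function names and the sample packet are constructed for illustration, and ASCII-armored input is assumed to have been de-armored first.

```python
import hashlib
import struct

def first_packet(data: bytes):
    """Return (tag, body) of the first packet in binary (de-armored) OpenPGP data."""
    if len(data) < 6 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if data[0] & 0x40:                      # new-format header (RFC 4880, 4.2.2)
        tag, first = data[0] & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body length not valid for a key packet")
    else:                                   # old-format header (RFC 4880, 4.2.1)
        tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = 1 << ltype                   # 1, 2 or 4 length octets
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def v4_fingerprint(key_data: bytes) -> str:
    """SHA-1 over 0x99, a two-octet length, and the public-key packet body."""
    tag, body = first_packet(key_data)
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("expected a version 4 public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_matches(key_data: bytes, pinned_fingerprint: str) -> bool:
    """True only if the fetched key is the one named by the full fingerprint."""
    pinned = pinned_fingerprint.replace(" ", "").upper()
    if len(pinned) != 40:
        raise ValueError("need the full 40-hex-digit fingerprint, not a key ID")
    return v4_fingerprint(key_data) == pinned

# Constructed sample: a syntactically valid v4 RSA packet body, not a real key.
BODY = (b"\x04" + struct.pack(">I", 1500000000) + b"\x01"
        + b"\x02\x00" + bytes(range(0x80, 0xC0))      # MPI n, 512 bits
        + b"\x00\x11\x01\x00\x01")                    # MPI e = 65537
OLD_FORMAT = b"\x99" + struct.pack(">H", len(BODY)) + BODY   # header as gpg writes it
NEW_FORMAT = b"\xC6" + bytes([len(BODY)]) + BODY             # same key, new-format header
```

The fingerprint depends only on the packet body, so the same key yields the same value whichever header format the server returns, while a single changed byte in the key material makes `key_matches` return False.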


Scott Moser (smoser) on 2017-02-24
description: updated
Colin Watson (cjwatson) wrote :

Launchpad itself doesn't hold the full key material other than in caches - it relies on being able to fetch key material from the keyservers itself - so this would probably just move unreliability around.

tags: added: cpe-onsite
Colin Watson (cjwatson) on 2018-07-22
Changed in launchpad:
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Colin Watson (cjwatson)
tags: added: api feature lp-registry
Colin Watson (cjwatson) wrote :

Even though it won't be possible to make the API in question reliable in the short term, I'm persuaded that this is worth doing for a couple of reasons:

 * it will allow reducing the necessary egress firewall configuration for systems on locked-down networks to use add-apt-repository
 * it will help us to transition to updating keyservers on a best-effort basis, and keeping key material in the Launchpad database (we haven't committed to doing this, but given recent keyserver troubles it may be worth it)

Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Scott Moser (smoser) wrote :

I put up an MP for software-properties to make add-apt-repository use this:
 https://code.launchpad.net/~smoser/software-properties/trunk.lp1667725-https-signing-key/+merge/351824

Will there be an update to this bug when this goes live on production?

William Grant (wgrant) on 2018-08-01
tags: added: qa-ok
removed: qa-needstesting
William Grant (wgrant) on 2018-08-01
Changed in launchpad:
status: Fix Committed → Fix Released
Scott Moser (smoser) on 2018-08-01
Changed in software-properties (Ubuntu):
status: New → In Progress
Scott Moser (smoser) on 2018-08-03
Changed in software-properties (Ubuntu):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package software-properties - 0.96.27

---------------
software-properties (0.96.27) cosmic; urgency=medium

  * Fix tests (including dep8) when running on non-intel (LP: #1785683).

 -- Scott Moser <email address hidden> Mon, 06 Aug 2018 14:33:31 -0400

Changed in software-properties (Ubuntu):
status: In Progress → Fix Released