Launchpad itself

Signing key not appearing on my PPA page

Bug #1920266 reported by Adrianna Pińska
48
This bug affects 8 people
Affects Status Importance Assigned to Milestone
Launchpad itself
In Progress
High
Colin Watson

Bug Description

As requested, I am converting this question to a bug report, since it seems to be a bug. Original question:

I have previously noticed that some PPAs publish a signing key and fingerprint in the "technical details" dropdown, but some do not, and I don't understand what determines this. My PPA (https://launchpad.net/~cartavis-team/+archive/ubuntu/carta) does not display this information. I know that the key exists, because I have built packages in the PPA, and I had to import the key into my pbuilder chroot when setting up dependencies. Does it just take time for the key to be published on the page, or is there something that I need to do to make it appear?

Related branches

~cjwatson/launchpad:signing-key-ui
Launchpad code reviewers: Pending requested
Diff: 398 lines (+189/-11)
9 files modified
lib/lp/archivepublisher/archivegpgsigningkey.py (+2/-0)
lib/lp/archivepublisher/tests/test_archivegpgsigningkey.py (+24/-0)
lib/lp/soyuz/browser/tests/test_personal_archive_subscription.py (+69/-2)
lib/lp/soyuz/configure.zcml (+2/-0)
lib/lp/soyuz/interfaces/archive.py (+6/-0)
lib/lp/soyuz/model/archive.py (+37/-0)
lib/lp/soyuz/stories/ppa/xx-ubuntu-ppas.rst (+42/-0)
lib/lp/soyuz/templates/archive-index.pt (+4/-5)
lib/lp/soyuz/templates/person-archive-subscription.pt (+3/-4)
Revision history for this message
Colin Watson (cjwatson) wrote :

I have the beginnings of a fix for this, but need to spend some more time writing tests.

tags: added: confusing-ui lp-soyuz ppa
Changed in launchpad:
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → High
status: New → In Progress
tags: added: fallout
Revision history for this message
SOURAV DAS (pipewire-debian) wrote :

same here for https://launchpad.net/~pipewire-debian/+archive/ubuntu/pipewire-upstream this.

Revision history for this message
Ethan Trevor (elaunch) wrote :

I have the same problem on https://launchpad.net/~elaunch/+archive/ubuntu/ppa . In the "Technical details about this PPA" I cannot see any signing key, although the packages are signed. How can I set up a ppa repository with the trusted key on a debian system manually?

Revision history for this message
Ethan Trevor (elaunch) wrote :

Is there any other documented API to get the PPA signing key?

Revision history for this message
Adrianna Pińska (confluence) wrote :

My repository is still having this issue.

Ethan, you could use `add-apt-repository` to add the PPA on an Ubuntu system (e.g. in a container) and then use `sudo apt-key list` to look at all the installed keys and find the fingerprint of the key for that PPA (matching it using the description and possibly also the filename -- I believe that `add-apt-repository` saves keys to individual files in `/etc/apt/trusted.gpg.d/`).

You can apparently also install `add-apt-repository` on Debian, which would be simpler (it's in the `python-software-properties` package).

Revision history for this message
Ethan Trevor (elaunch) wrote :

Hello Adrianna,
thank you for your reply! You are right, `sudo apt-key list` shows the PPA key on an Ubuntu system.

I am trying to use the PPA on a Raspberry Pi (which has a Debian-based OS).
I could get the `add-apt-repository` command by installing the `software-properties-common` package. Unfortunately, `sudo add-apt-repository ppa:elaunch/ppa` still adds only the APT source, but not the key. `sudo apt update` prints the error `NO_PUBKEY D80E587E7E12369C`.

So, as a workaround, I note down the key ID from the error message and use the following script to install the PPA key and source:
```
curl 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xD80E587E7E12369C' | gpg --dearmor | sudo tee /usr/share/keyrings/elaunch-ppa-focal.gpg > /dev/null
echo 'deb [signed-by=/usr/share/keyrings/elaunch-ppa-focal.gpg] https://ppa.launchpadcontent.net/elaunch/ppa/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/elaunch-ppa-focal.list > /dev/null
```

I think also for security there should be a way to check the correct key ID in the Launchpad web interface to prevent MITM attacks.

Launchpad developers, can you please show the PPA key in the web interface?

Revision history for this message
Adrianna Pińska (confluence) wrote :

This issue is still affecting my PPA. Is there any more information about a fix?

Revision history for this message
MattRose (mattrose) wrote :

This issue also affects my PPA https://launchpad.net/~mattrose/+archive/ubuntu/terminator. With the recent changes to apt-key add and the way that debian is dealing with gpg package keys this is becoming more and more important.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.