How do I refresh a PPA key? (GPG error: untrusted public key algorithm: rsa1024)

Asked by Michał Sawicz

Getting this on noble:

W: GPG error: http://ppa.launchpad.net/mir-team/dev/ubuntu noble InRelease: The following signatures were invalid: A6FD1150ABA584EDDEB6514CAC619B6A5725D346 (untrusted public key algorithm: rsa1024)

How do I refresh the PPA key to something more modern?

Question information

Language: English
Status: Solved
For: Launchpad itself
Assignee: No assignee
Solved by: Guruprasad

Best Guruprasad (lgp171188) said :
#1

Hi Michal, we are currently in the process of migrating PPAs that have a 1024-bit RSA signing key to a 4096-bit RSA signing key. As a part of that, we have already generated a new 4096-bit RSA signing key for all the affected archives including the one that you have mentioned. Launchpad has already been updated to dual-sign such archives when they have more than 1 signing key (you can see an example of this in http://ppa.launchpadcontent.net/juliank/ppa/ubuntu/dists/oracular/InRelease).

Since `apt` will upgrade this warning to an error in a future update, we are working on incrementally republishing all these archives to deal with this issue. But if you want to get rid of this warning right away, you can publish something to this PPA and/or mark all the relevant suites dirty so that it gets republished soon. The new key is currently not exposed in Launchpad (we can only do that after dual-signing all affected archives) and so you will have to manually import the corresponding public key from the keyserver.

Please let me know if you have any questions.
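To check offline whether a suite has already been republished with both keys, the signature packets in its InRelease file can be listed and compared with the fingerprint in apt's warning. The Python sketch below is an added example, not part of this thread or of Launchpad's code; the function names and the sample data built by `constructed_inrelease` are assumptions made for illustration.

```python
import base64, re

def varlen(buf, i, two_octet_max):      # OpenPGP length at buf[i] -> (length, next index)
    n = buf[i]
    if n < 192:
        return n, i + 1
    if n <= two_octet_max:
        return ((n - 192) << 8) + buf[i + 1] + 192, i + 2
    if n == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not handled")

def packets(data):                      # (tag, body) per packet, RFC 4880 section 4.2
    i = 0
    while i < len(data):
        if data[i] & 0x40:              # new-format header
            tag, (n, i) = data[i] & 0x3F, varlen(data, i + 1, 223)
        else:                           # old-format header with 1, 2 or 4 length octets
            tag, w = (data[i] >> 2) & 0x0F, 1 << (data[i] & 3)
            n, i = int.from_bytes(data[i + 1:i + 1 + w], "big"), i + 1 + w
        yield tag, data[i:i + n]
        i += n

def subpackets(area):                   # (type, data) per subpacket, RFC 4880 section 5.2.3.1
    i = 0
    while i < len(area):
        n, i = varlen(area, i, 254)
        yield area[i] & 0x7F, area[i + 1:i + n]   # mask off the "critical" bit
        i += n

def signers(inrelease):
    """Issuer fingerprint (or 64-bit key ID) of every v4 signature packet in the text."""
    found = []
    for armor in re.findall(r"-BEGIN PGP SIGNATURE-+(.*?)-+END PGP SIGNATURE-", inrelease, re.S):
        # keep only base64 lines: drop armor headers ("Key: value") and the "=CRC" line
        b64 = "".join(l for l in armor.splitlines() if ":" not in l and l[:1] != "=")
        for tag, body in packets(base64.b64decode(b64)):
            if tag == 2 and body[0] == 4:                         # signature packet, version 4
                h = 6 + int.from_bytes(body[4:6], "big")          # end of hashed area
                u = h + 2 + int.from_bytes(body[h:h + 2], "big")  # end of unhashed area
                subs = dict(subpackets(body[6:h] + body[h + 2:u]))
                found.append((subs[33][1:] if 33 in subs else subs.get(16, b"")).hex().upper())
    return found

def constructed_inrelease(*fprs):
    """CONSTRUCTED sample text: packets name an issuer fingerprint but hold no real signature."""
    pkts = b"".join(bytes([0x88, 36, 4, 1, 1, 8, 0, 23, 22, 33, 4]) + bytes.fromhex(f)
                    + bytes(4) + b"\x00\x08\xff" for f in fprs)
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nOrigin: constructed\n"
            "-----BEGIN PGP SIGNATURE-----\n\n%s\n-----END PGP SIGNATURE-----\n"
            % base64.b64encode(pkts).decode())
```

Pass `signers()` the text of a downloaded InRelease file: a single entry matching the fingerprint from the warning means that suite has not been dual-signed yet, while two entries mean the second key still has to be imported on the client.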

Dave Bar (cryptosid) said :
#2

Hi Guruprasad, I've been able to fix "https://ppa.launchpadcontent.net/ondrej/php/ubuntu" since the second key was present so I added it with apt-key.

However for "https://ppa.launchpadcontent.net/ondrej/nginx-mainline/ubuntu", there's only 1 key and it's not working with apt 2.9.3.

I don't want to put pressure, but I'm just curious about the state of the process. When can we hope to have the second key added to all PPAs?

Guruprasad (lgp171188) said :
#3

Hi Dave,

> However for "https://ppa.launchpadcontent.net/ondrej/nginx-mainline/ubuntu", there's only 1 key and it's not working with apt 2.9.3.

We are working towards republishing all the PPAs for which a new 4096-bit RSA signing key has been created and that would dual-sign them. But if you can't wait till that happens, it is possible for the PPA owner to mark the whole PPA or at least the 'noble' suite dirty for the PPA to get republished and dual-signed.

Michał Sawicz (saviq) said :
#4

Thanks Guruprasad, that solved my question.