apt-key net-update should use trusted.gpg.d/

Bug #1624378 reported by Dimitri John Ledkov
Affects: apt (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned

Bug Description

apt-key net-update for the new world order

/etc/apt/trusted.gpg is no longer the preferred location for key updates.

Instead, individual OpenPGP packets of exported public keys should be placed in /etc/apt/trusted.gpg.d

Debian has already migrated to placing the keys there.

To comply with the /etc/apt/trusted.gpg.d structure, instead of updating the keys in /etc/apt/trusted.gpg, imho apt-key net-update should download and place a /etc/apt/trusted.gpg.d/ubuntu-archive-netupdate.gpg key.

Dimitri John Ledkov (xnox) wrote :

$ curl http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg.sigs 2>/dev/null | gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-master-keyring.gpg --output /etc/apt/trusted.gpg.d/ubuntu-archive-netupdate.gpg --decrypt
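
The one-liner above relies on gpg's exit status alone: gpg writes the payload to --output before it knows whether the signature checks out, and --output points straight into trusted.gpg.d, so a failed check can still leave a file where apt will read it. The script below is an added example for this thread (not apt's code and not xnox's command): it verifies the signed download with gpgv against the same master keyring, writes into a temporary name that apt ignores (it does not end in .gpg or .asc), and renames it into place only on success. It assumes gpgv(1) is installed, that the download is a signed OpenPGP message carrying the keyring as its payload (as the .gpg.sigs URL suggests), and that the keyring name follows apt's filename rule (alphanumerics, '-', '_', '.' and a .gpg or .asc extension). The VERIFY_CMD hook and the function names are this example's own.

```shell
#!/bin/sh
# Install a net-updated keyring into trusted.gpg.d only after it verifies.
# Added example; assumptions are noted inline.
set -u

MASTER_KEYRING="${MASTER_KEYRING:-/usr/share/keyrings/ubuntu-master-keyring.gpg}"
TRUSTED_DIR="${TRUSTED_DIR:-/etc/apt/trusted.gpg.d}"
# Command taking (signed-file, output-file); overridable so the install
# logic can be exercised without gpg present. Default uses gpgv.
VERIFY_CMD="${VERIFY_CMD:-verify_with_gpgv}"

verify_with_gpgv() {
    # gpgv checks only against the given keyring and ignores the trustdb,
    # so a signature from any key not in the master keyring fails.
    gpgv --keyring "$MASTER_KEYRING" --output "$2" "$1"
}

# apt reads only files in trusted.gpg.d named with alphanumerics, '-', '_'
# or '.' and ending in .gpg or .asc; anything else is silently ignored.
valid_keyring_name() {
    case "$1" in
        *.gpg|*.asc) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# install_verified_keyring SIGNED_FILE NAME
# The temporary file's name ends in a random suffix, not .gpg/.asc, so apt
# never picks up a half-written or unverified keyring; mv is an atomic
# rename within the same directory.
install_verified_keyring() {
    signed="$1"; name="$2"
    valid_keyring_name "$name" || { echo "refusing invalid name: $name" >&2; return 2; }
    tmp="$(mktemp "$TRUSTED_DIR/.$name.XXXXXX")" || return 1
    if "$VERIFY_CMD" "$signed" "$tmp"; then
        chmod 0644 "$tmp" && mv -f "$tmp" "$TRUSTED_DIR/$name"
    else
        echo "signature check failed; not installing $name" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Usage: sh netupdate-install.sh SIGNED_DOWNLOAD [NAME]
if [ "$#" -gt 0 ]; then
    install_verified_keyring "$1" "${2:-ubuntu-archive-netupdate.gpg}"
fi
```

Fetch the signed file first (for example with curl -f so an HTTP error page is not treated as a keyring), then run the script on it; nothing reaches trusted.gpg.d unless gpgv accepted the signature.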

Julian Andres Klode (juliank) wrote :

I think we reached somewhat of an agreement that net-update is a bad idea and should not be done. It also depends on gnupg.

We should eventually consider developing something else, but I'm not sure what that would look like. Currently, there is no way to revoke keys except through packages, basically, which is a security issue. We need to provide signed keyfiles on different locations that apt can download so an attacker cannot use a broken key and MITM existing repositories forever.

Changed in apt (Ubuntu):
status: New → Won't Fix