| 2024-05-21 18:39:17 |
Charlie Wong |
description |
After running ‘add-apt-repository ppa:git-core/ppa’ on Ubuntu 24.04, ‘apt update’ gives this warning:
W: https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease: Signature by key E1DD270288B4E6030699E45FA1715D88E1DF1F24 uses weak algorithm (rsa1024)
But this PPA is dual-signed by two keys, only one of which is weak. add-apt-repository has chosen to install the rsa1024 key in sources.list.d. It should choose the rsa4096 key instead.
$ curl 'https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease' | gpg
…
gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT
gpg: using RSA key F911AB184317630C59970973E363C90F8F1B6217
gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F911 AB18 4317 630C 5997 0973 E363 C90F 8F1B 6217
gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT
gpg: using RSA key E1DD270288B4E6030699E45FA1715D88E1DF1F24
gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E1DD 2702 88B4 E603 0699 E45F A171 5D88 E1DF 1F24
$ gpg --list-keys F911AB184317630C59970973E363C90F8F1B6217 E1DD270288B4E6030699E45FA1715D88E1DF1F24
pub rsa1024 2009-01-22 [SC]
E1DD270288B4E6030699E45FA1715D88E1DF1F24
uid [ unknown] Launchpad PPA for Ubuntu Git Maintainers
pub rsa4096 2024-04-24 [SC]
F911AB184317630C59970973E363C90F8F1B6217
uid [ unknown] Launchpad PPA for Ubuntu Git Maintainers
Context: https://discourse.ubuntu.com/t/new-requirements-for-apt-repository-signing-in-24-04/42854 |
After running ‘add-apt-repository ppa:git-core/ppa’ on Ubuntu 24.04, ‘apt update’ gives this warning:
W: https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease: Signature by key E1DD270288B4E6030699E45FA1715D88E1DF1F24 uses weak algorithm (rsa1024)
But this PPA is dual-signed by two keys, only one of which is weak. add-apt-repository has chosen to install the rsa1024 key in sources.list.d. It should choose the rsa4096 key instead.
$ curl 'https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease' | gpgv
…
gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT
gpg: using RSA key F911AB184317630C59970973E363C90F8F1B6217
gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F911 AB18 4317 630C 5997 0973 E363 C90F 8F1B 6217
gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT
gpg: using RSA key E1DD270288B4E6030699E45FA1715D88E1DF1F24
gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E1DD 2702 88B4 E603 0699 E45F A171 5D88 E1DF 1F24
$ gpg --list-keys F911AB184317630C59970973E363C90F8F1B6217 E1DD270288B4E6030699E45FA1715D88E1DF1F24
pub rsa1024 2009-01-22 [SC]
E1DD270288B4E6030699E45FA1715D88E1DF1F24
uid [ unknown] Launchpad PPA for Ubuntu Git Maintainers
pub rsa4096 2024-04-24 [SC]
F911AB184317630C59970973E363C90F8F1B6217
uid [ unknown] Launchpad PPA for Ubuntu Git Maintainers
Context: https://discourse.ubuntu.com/t/new-requirements-for-apt-repository-signing-in-24-04/42854 |
|
