Add new archive key to precise

Bug #1053896 reported by Colin Watson
This bug affects 2 people
Affects                      Status        Importance  Assigned to   Milestone
ubuntu-archive-publishing    Fix Released  Critical    Colin Watson
ubuntu-keyring (Ubuntu)      Fix Released  Medium      Colin Watson
  Precise                    Fix Released  Medium      Colin Watson

Bug Description

[Impact] Some tools display warnings when they don't have both keys used to dual-sign the quantal index files. A few tools (e.g. cobbler-ubuntu-import) even make this an error.
[Test Case] Install new ubuntu-keyring on precise, flip /etc/apt/sources.list to quantal, and apt-get update. There should be no warnings.
[Regression Potential] If apt-get update works, I can't think of any.

We have a new archive key, used to dual-sign the quantal index files:

  https://lists.ubuntu.com/archives/ubuntu-devel/2012-September/035903.html

To avoid warnings when upgrading from precise, we should add it to ubuntu-keyring in precise-updates.

Colin Watson (cjwatson)
Changed in ubuntu-keyring (Ubuntu):
status: New → Fix Released
Changed in ubuntu-keyring (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Colin Watson (cjwatson)
milestone: none → ubuntu-12.04.2
Changed in ubuntu-keyring (Ubuntu):
importance: Undecided → Medium
assignee: nobody → Colin Watson (cjwatson)
Colin Watson (cjwatson)
description: updated
description: updated
Changed in ubuntu-keyring (Ubuntu Precise):
status: Triaged → In Progress
Scott Kitterman (kitterman) wrote : Please test proposed package

Hello Colin, or anyone else affected,

Accepted ubuntu-keyring into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/ubuntu-keyring/2011.11.21.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ubuntu-keyring (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Colin Watson (cjwatson)
tags: added: verification-done
removed: verification-needed
Michael Vogt (mvo) wrote :

People without the package from precise-proposed can no longer upgrade to quantal, the error is:

root@bod:/# do-release-upgrade -d
Checking for a new Ubuntu release
Get:1 Upgrade tool signature [933 B]
Get:2 Upgrade tool [1165 kB]
Fetched 1166 kB in 0s (0 B/s)
authenticate 'quantal.tar.gz' against 'quantal.tar.gz.gpg'
exception from gpg: GnuPG exited non-zero, with code 2
Debug information:

gpg: Signature made Fri Sep 28 01:55:55 2012 UTC using DSA key ID 437D05B5
gpg: /tmp/update-manager-xWzlHA/trustdb.gpg: trustdb created
gpg: Good signature from "Ubuntu Archive Automatic Signing Key <email address hidden>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6302 39CC 130E 1A7F D81A 27B1 4097 6EAF 437D 05B5
gpg: Signature made Fri Sep 28 01:55:55 2012 UTC using RSA key ID C0B21F32
gpg: Can't check signature: public key not found

Authentication failed
Authenticating the upgrade failed. There may be a problem with the network or with the server.

Once the version of the keyring from precise-proposed is installed, it works fine.
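
The failure above comes from treating gpg's non-zero exit as fatal, which for a dual-signed file means every signature must verify. The sketch below is an added example, not code from update-manager or the Ubuntu archive tooling: it parses constructed `gpg --status-fd` lines and compares that policy with one that accepts a good signature from a pinned fingerprint while still rejecting any signature that fails. The second fingerprint is a placeholder and the status detail fields are assumptions.

```python
# Added illustration; not code from update-manager or the Ubuntu archive tooling.
FPR_OLD = "630239CC130E1A7FD81A27B140976EAF437D05B5"  # fingerprint quoted in the report
FPR_NEW = "0" * 32 + "C0B21F32"  # placeholder: the report gives only the short key ID
BAD_KEYWORDS = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Helpers that build constructed `gpg --status-fd` lines; detail fields are made up.
def valid(fpr):
    return f"[GNUPG:] VALIDSIG {fpr} 2012-09-28 1348797355 0 4 0 17 2 00 {fpr}"

def missing(fpr):  # ERRSIG with rc 9: public key not in the keyring
    return f"[GNUPG:] ERRSIG {fpr[-16:]} 1 2 00 1348797355 9"

def bad(fpr):
    return f"[GNUPG:] BADSIG {fpr[-16:]} Constructed User ID"

OLD_KEYRING = "\n".join([valid(FPR_OLD), missing(FPR_NEW)])  # precise before the update
NEW_KEYRING = "\n".join([valid(FPR_OLD), valid(FPR_NEW)])    # both keys installed
TAMPERED = "\n".join([bad(FPR_OLD), missing(FPR_NEW)])       # file altered in transit

def parse_signatures(status_text):
    """Return one (state, key) tuple per signature: good, missing_key or bad."""
    results = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        keyword, key = parts[1], parts[2]
        if keyword == "VALIDSIG":
            results.append(("good", key))  # key is the full fingerprint
        elif keyword == "ERRSIG":
            rc = parts[7] if len(parts) > 7 else ""
            results.append(("missing_key" if rc == "9" else "bad", key))
        elif keyword in BAD_KEYWORDS:
            results.append(("bad", key))
    return results

def accept_all_required(sigs):
    """Every signature must verify (equivalent to failing on gpg's exit code)."""
    return bool(sigs) and all(state == "good" for state, _ in sigs)

def accept_any_pinned(sigs, pinned):
    """One good signature from a pinned full fingerprint is enough; signers with
    no key in the keyring are ignored, but any failed signature rejects."""
    if any(state == "bad" for state, _ in sigs):
        return False
    return any(state == "good" and key in pinned for state, key in sigs)
```

Pinning compares full fingerprints from VALIDSIG; the 8-digit key IDs shown in the gpg output are too short to identify a key safely.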

Colin Watson (cjwatson) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-keyring - 2011.11.21.1

---------------
ubuntu-keyring (2011.11.21.1) precise-proposed; urgency=low

  * Add 4096R/C0B21F32 Ubuntu Archive Automatic Signing Key (2012)
    <email address hidden> to ubuntu-archive-keyring (LP: #1053896).
  * Add 4096R/EFE21092 Ubuntu CD Image Automatic Signing Key (2012)
    <email address hidden> to ubuntu-archive-keyring.
 -- Colin Watson <email address hidden> Tue, 25 Sep 2012 11:49:46 +0100

Changed in ubuntu-keyring (Ubuntu Precise):
status: Fix Committed → Fix Released
Colin Watson (cjwatson) wrote :

We should work around the issue Michael reported by only signing the dist-upgrader tarball with the old key.

Changed in ubuntu-archive-publishing:
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → Critical
status: New → Triaged
Colin Watson (cjwatson) wrote :

I forced a re-signature of the dist-upgrader tarball with just the old key, which should fix this without needing everyone to upgrade to the new ubuntu-keyring first.

Fri, 28 Sep 2012 11:22:12 +0000: (re-)signing /srv/launchpad.net/ubuntu-archive/ubuntu-distscopy/dists/quantal/main/dist-upgrader-all/0.181/quantal.tar.gz (-u 437D05B5)

Changed in ubuntu-archive-publishing:
status: Triaged → Fix Released