ubuntu-keyring includes 1024D keys
Bug #1363482 reported by Philipp Kern
This bug affects 8 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu CD Images | Fix Released | Undecided | Colin Watson |
ubuntu-keyring (Ubuntu) | Fix Released | High | Adam Conrad |
Bug Description
ubuntu-keyring as shipped in trusty contains old 1024D keys dating back to 2004 which are still being trusted for the main archive:
% gpg /usr/share/
pub 1024D/437D05B5 2004-09-12 Ubuntu Archive Automatic Signing Key <email address hidden>
pub 1024D/FBB75451 2004-12-30 Ubuntu CD Image Automatic Signing Key <email address hidden>
Given that newer 4096R keys are present and have been in precise (through -updates) and trusty, it seems to be about time to drop the older keys. (In the hope that apt does not choke on signatures it cannot verify, otherwise the publisher would need to stop signing with the old key as well.)
Changed in ubuntu-keyring (Ubuntu):
status: New → Confirmed
importance: Undecided → High
information type: Public → Public Security
Changed in ubuntu-keyring (Ubuntu):
assignee: nobody → Adam Conrad (adconrad)
Changed in ubuntu-cdimage:
assignee: Adam Conrad (adconrad) → Colin Watson (cjwatson)
Precise archive is only signed with the old key. To support using the precise archive in newer releases, such as with debootstrap, we need to do the following:
1- Make sure Precise's apt supports a double-signed release file
2- Start double-signing the Precise archive
3- Double-sign old ISO *SUMS files
We can then drop the old key in the dev release and in an update to stable releases.
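A keyring audit in the spirit of the gpg listing in the description, and a way to confirm the old keys are gone once the comment's plan is carried out, added here as an example (not part of the bug report or of ubuntu-keyring): it parses `gpg --with-colons --list-keys` output and flags 1024-bit DSA keys. The sample output, key ids and dates below are constructed; `audit_keyring` is a hypothetical helper that runs gpg on a keyring file.

```python
#!/usr/bin/env python3
"""Flag weak (e.g. 1024D) public keys in `gpg --with-colons --list-keys` output."""
from __future__ import annotations
import subprocess
from dataclasses import dataclass

# OpenPGP public-key algorithm ids (RFC 4880, section 9.1)
ALGO_NAMES = {1: "RSA", 16: "ELG", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
MIN_BITS = {"RSA": 2048, "DSA": 2048}  # anything shorter is reported as weak

@dataclass
class PubKey:
    keyid: str
    bits: int
    algo: str
    created: str
    uid: str = ""

    @property
    def weak(self) -> bool:
        return self.bits < MIN_BITS.get(self.algo, 0)

    def label(self) -> str:  # same "1024D/437D05B5" style gpg prints in the bug
        return f"{self.bits}{self.algo[0]}/{self.keyid[-8:]}"

def parse_colons(text: str) -> list[PubKey]:
    """Parse `pub:` records; gpg 1.4 puts the user id in field 10 of the pub
    record, gpg >= 2.1 emits it on a following `uid:` record, so accept both."""
    keys: list[PubKey] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            algo = ALGO_NAMES.get(int(f[3]), f"algo{f[3]}")
            keys.append(PubKey(keyid=f[4], bits=int(f[2]), algo=algo, created=f[5], uid=f[9]))
        elif f[0] == "uid" and keys and not keys[-1].uid:
            keys[-1].uid = f[9]
    return keys

def weak_keys(text: str) -> list[PubKey]:
    return [k for k in parse_colons(text) if k.weak]

def audit_keyring(path: str) -> list[PubKey]:
    """Hypothetical helper: list the weak keys in a keyring file such as
    /usr/share/keyrings/ubuntu-archive-keyring.gpg (requires gpg on PATH)."""
    cmd = ["gpg", "--no-default-keyring", "--keyring", path, "--with-colons", "--list-keys"]
    return weak_keys(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)

# Constructed sample resembling the trusty keyring; long key ids and dates are placeholders
SAMPLE = """\
pub:-:1024:17:00000000437D05B5:2004-09-12:::-:Ubuntu Archive Automatic Signing Key <email address hidden>::scSC::::::
pub:-:1024:17:00000000FBB75451:2004-12-30:::-:Ubuntu CD Image Automatic Signing Key <email address hidden>::scSC::::::
pub:-:4096:1:0000000000000001:2012-01-01::::::scSC::::::
uid:-::::2012-01-01::0000000000000000000000000000000000000000::Ubuntu Archive Automatic Signing Key (2012) <email address hidden>::::::
"""

if __name__ == "__main__":
    for k in weak_keys(SAMPLE):
        print(f"WEAK {k.label()} created {k.created}: {k.uid}")
```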