remove 1024D keys from ubuntu-keyring on older LTS

Bug #1786471 reported by Simon Déziel on 2018-08-10
This bug affects 1 person
Affects: ubuntu-keyring (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Zesty and later (LP: #1363482) are no longer shipping with 1024D keys but older LTS releases (Trusty/Xenial) still trust those weak keys:

$ lsb_release -sc
xenial

$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <email address hidden>
sub 2048g/79164387 2004-09-12

pub 4096R/C0B21F32 2012-05-11
uid Ubuntu Archive Automatic Signing Key (2012) <email address hidden>

pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>

pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <email address hidden>

On Xenial, I found no problem after deleting the two 1024D keys:

$ sudo apt-key del FBB75451
$ sudo apt-key del 437D05B5
$ sudo apt-get -qq update
$ echo $? # returned 0

On Trusty, it seems that removing the key 437D05B5 leads to warnings due to the double-signing:

$ sudo apt-key del FBB75451
$ sudo apt-key del 437D05B5
$ sudo apt-get -qq update
W: There is no public key available for the following key IDs:
40976EAF437D05B5
W: There is no public key available for the following key IDs:
40976EAF437D05B5
W: There is no public key available for the following key IDs:
40976EAF437D05B5
$ echo $? # returned 0

It seems that "apt-get update" is still happy as it can validate using the stronger key.
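A small audit script, added here as an example and not part of the bug report or of ubuntu-keyring, that parses the gpg1-style `apt-key list` output quoted above and reports the short IDs of 1024-bit DSA (`1024D`) primary keys still present in the trusted keyring. The listing embedded in it is a constructed sample mirroring the description; on a live system `apt-key list` would be piped into the functions instead. The script only reports: whether a key can be deleted is a separate decision, since on Trusty the archive indexes are also signed with 437D05B5 and removing it produces the warnings shown.

```shell
#!/bin/sh
# Added example, not from the bug report: detect 1024-bit DSA ("1024D") primary
# keys in an apt-key listing. The gpg1 listing format shown in the bug is
# "pub   <bits><algo>/<shortid> <date>", e.g. "pub   1024D/437D05B5 2004-09-12".

# Constructed sample mimicking `apt-key list` on Xenial (not captured output).
SAMPLE_APT_KEY_LIST='/etc/apt/trusted.gpg
--------------------
pub   1024D/437D05B5 2004-09-12
uid                  Ubuntu Archive Automatic Signing Key <email address hidden>
sub   2048g/79164387 2004-09-12

pub   4096R/C0B21F32 2012-05-11
uid                  Ubuntu Archive Automatic Signing Key (2012) <email address hidden>

pub   4096R/EFE21092 2012-05-11
uid                  Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>

pub   1024D/FBB75451 2004-12-30
uid                  Ubuntu CD Image Automatic Signing Key <email address hidden>
'

# Read an apt-key listing on stdin; print the short key ID of every primary
# ("pub") key whose size/algorithm field is 1024D, one per line.
weak_1024d_keys() {
    awk '$1 == "pub" && $2 ~ /^1024D\// { split($2, f, "/"); print f[2] }'
}

# Read an apt-key listing on stdin; return 0 if no 1024D primary key is
# trusted, 1 otherwise (offending IDs go to stderr). Intended as a check,
# e.g.: apt-key list | check_no_weak_keys
check_no_weak_keys() {
    found=$(weak_1024d_keys)
    if [ -n "$found" ]; then
        printf 'weak 1024D primary key(s) still trusted:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample; a live system would feed it
# `apt-key list` instead.
if printf '%s' "$SAMPLE_APT_KEY_LIST" | check_no_weak_keys; then
    echo "no 1024D primary keys trusted"
else
    echo "review the keys listed above before deciding whether to delete them"
fi
```

The awk program keys on the `pub` lines only, so the `2048g` ElGamal subkey of 437D05B5 is not reported separately; it disappears with its primary key.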

Simon Déziel (sdeziel) on 2018-08-10
information type: Private Security → Public Security
Simon Déziel (sdeziel) on 2018-08-10
description: updated
Dimitri John Ledkov (xnox) wrote:

Yes, but older distros were dual signed with that key. So it should be still shipped.

Changed in ubuntu-keyring (Ubuntu):
status: New → Won't Fix