Activity log for bug #1786471

Date Who What changed Old value New value Message
2018-08-10 13:01:03 Simon Déziel bug added bug
2018-08-10 13:01:10 Simon Déziel information type Private Security Public Security
2018-08-10 13:13:14 Simon Déziel description

Old value:

Zesty and later (LP: #1363482) are no longer shipping with 1024D keys but older LTS releases (Trusty/Xenial) still trust those weak keys:

    $ lsb_release -sc
    xenial
    $ apt-key list
    /etc/apt/trusted.gpg
    --------------------
    pub 1024D/437D05B5 2004-09-12
    uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
    sub 2048g/79164387 2004-09-12
    pub 4096R/C0B21F32 2012-05-11
    uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
    pub 4096R/EFE21092 2012-05-11
    uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
    pub 1024D/FBB75451 2004-12-30
    uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>

On Xenial, I found no problem after deleting the 2 1024D keys:

    $ sudo apt-key del 2A38B3EB
    $ sudo apt-key del 437D05B5
    $ sudo apt-get -qq update
    $ echo $? # returned 0

On Trusty, it seems that removing the key 437D05B5 leads to warnings due to the double-signing:

    $ sudo apt-key del 2A38B3EB
    $ sudo apt-key del 437D05B5
    $ sudo apt-get -qq update
    W: There is no public key available for the following key IDs:
    40976EAF437D05B5
    W: There is no public key available for the following key IDs:
    40976EAF437D05B5
    W: There is no public key available for the following key IDs:
    40976EAF437D05B5
    $ echo $? # returned 0

It seems that "apt-get update" is still happy as it can validate using the stronger key.

New value:

Zesty and later (LP: #1363482) are no longer shipping with 1024D keys but older LTS releases (Trusty/Xenial) still trust those weak keys:

    $ lsb_release -sc
    xenial
    $ apt-key list
    /etc/apt/trusted.gpg
    --------------------
    pub 1024D/437D05B5 2004-09-12
    uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
    sub 2048g/79164387 2004-09-12
    pub 4096R/C0B21F32 2012-05-11
    uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
    pub 4096R/EFE21092 2012-05-11
    uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
    pub 1024D/FBB75451 2004-12-30
    uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>

On Xenial, I found no problem after deleting the 2 1024D keys:

    $ sudo apt-key del FBB75451
    $ sudo apt-key del 437D05B5
    $ sudo apt-get -qq update
    $ echo $? # returned 0

On Trusty, it seems that removing the key 437D05B5 leads to warnings due to the double-signing:

    $ sudo apt-key del FBB75451
    $ sudo apt-key del 437D05B5
    $ sudo apt-get -qq update
    W: There is no public key available for the following key IDs:
    40976EAF437D05B5
    W: There is no public key available for the following key IDs:
    40976EAF437D05B5
    W: There is no public key available for the following key IDs:
    40976EAF437D05B5
    $ echo $? # returned 0

It seems that "apt-get update" is still happy as it can validate using the stronger key.

2018-10-16 11:48:51 Dimitri John Ledkov ubuntu-keyring (Ubuntu): status New Won't Fix