[SRU] Provide 2018 archive signing key on stable releases

Bug #1798073 reported by Dimitri John Ledkov on 2018-10-16
Affects: ubuntu-keyring (Ubuntu); Importance: Undecided; Assigned to: Unassigned
Affects: ubuntu-keyring (Ubuntu Bionic); Importance: Undecided; Assigned to: Unassigned

Bug Description

[Impact]

 * For LTS releases to be able to bootstrap dual- and single-signed future releases, and validate all signatures, the 2018 archive signing key should be SRUed back.

 * Also, the build process has improved documentation and vague validation that all key snippets are signed correctly.

[Test Case]

 * $ apt-key list
...
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <email address hidden>
...

apt-key list should contain the 2018 archive key.

[Regression Potential]

 * Build process, key algorithm, key size, and file format are the same as for previous key snippets, and thus supported by all of gpg1, gpg2, gpgv1 and gpgv2.

[Other Info]

 * The 2018 key is to be used for dual-signing in the DD series and up.

 * The Bileto PPA is built against the security pocket only, so it is suitable to be released into both -security and -updates.

description: updated
information type: Public → Public Security
Changed in ubuntu-keyring (Ubuntu):
status: New → Fix Released
Changed in ubuntu-keyring (Ubuntu Bionic):
status: New → In Progress

Hello Dimitri, or anyone else affected,

Accepted ubuntu-keyring into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-keyring/2018.09.18.1~18.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-keyring (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Jamie Strandboge (jdstrand) wrote :

It might be nice to provide this on older LTS releases too.

Dimitri John Ledkov (xnox) wrote :

Setting up ubuntu-keyring (2018.09.18.1~18.04.0) ...
# apt-key list
...
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <email address hidden>

All is good for bionic. Prior releases should probably only ship this key in ubuntu-keyring.gpg, but not as a trusted.gpg.d key snippet, as we do not anticipate using the 2018 key to sign the bionic archive.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

This upload lists autopkgtest regressions for all arches for pbuilder - could you take a look at whether those are unrelated or not? Looks fishy, since some of those were passing fine just recently for other packages.

Dimitri John Ledkov (xnox) wrote :

E: No such script: /usr/share/debootstrap/scripts/disco

I will retrigger ubuntu-keyring adt of debootstrap, with debootstrap from bionic-proposed.

Robie Basak (racb) wrote :

The other obvious regression potential (to me anyway) is that previously existing keys become missing. Could someone check for that please?

Dimitri John Ledkov (xnox) wrote :

$ schroot -u root -c bionic-amd64
(bionic-amd64)root@ottawa:~# apt-key list
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
      790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32
uid [ unknown] Ubuntu Archive Automatic Signing Key (2012) <email address hidden>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>

(bionic-amd64)root@ottawa:~# gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-
ubuntu-archive-keyring.gpg ubuntu-archive-removed-keys.gpg ubuntu-master-keyring.gpg
(bionic-amd64)root@ottawa:~# gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg -k
gpg: /root/.gnupg/trustdb.gpg: trustdb created
/usr/share/keyrings/ubuntu-archive-keyring.gpg
----------------------------------------------
pub rsa4096 2012-05-11 [SC]
      790BC7277767219C42C86F933B4FE6ACC0B21F32
uid [ unknown] Ubuntu Archive Automatic Signing Key (2012) <email address hidden>

pub rsa4096 2012-05-11 [SC]
      843938DF228D22F7B3742BC0D94AA3F0EFE21092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>

(bionic-amd64)root@ottawa:~# dpkg-query -W ubuntu-keyring
ubuntu-keyring 2016.10.27

Upgrading ubuntu-keyring

(bionic-amd64)root@ottawa:~# dpkg-query -W ubuntu-keyring
ubuntu-keyring 2018.09.18.1~18.04.0

# apt-key list
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
      790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32
uid [ unknown] Ubuntu Archive Automatic Signing Key (2012) <email address hidden>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <email address hidden>

(bionic-amd64)root@ottawa:~# gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg -k
/usr/share/keyrings/ubuntu-archive-keyring.gpg
----------------------------------------------
pub rsa4096 2012-05-11 [SC]
      790BC7277767219C42C86F933B4FE6ACC0B21F32
uid [ unknown] Ubuntu Archive Automatic Signing Key (2012) <email address hidden>

pub rsa4096 2012-05-11 [SC]
      843938DF228D22F7B3742BC0D94AA3F0EFE21092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>

pub rsa4096 2018-09-17 [SC]
      F6ECB3762474EDA9D21B7022871920D1991BC93C
uid [ unknown] Ubuntu Archive Autom...

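The manual verification above (and the [Test Case] in the description) eyeballs `apt-key list` output. The following script is an added example, not part of this bug report or of the ubuntu-keyring package, that turns Robie's regression question into a repeatable check: it reads gpg's machine-readable `--with-colons` output and reports any expected primary-key fingerprint that is missing. The three fingerprints are the ones quoted in this report; the constructed `sample_colons` data (key IDs derived from those fingerprints, timestamps and uid hash illustrative) lets it run without gpg, and `check_keyring` is the form you would run against a real keyring file.

```shell
#!/bin/sh
# Added example (not from the bug report or the ubuntu-keyring package):
# a regression check that a keyring still contains every expected primary
# key, driven by gpg's machine-readable --with-colons output.
set -eu

# Fingerprints as quoted in this bug report, with the display spaces removed.
ARCHIVE_2012=790BC7277767219C42C86F933B4FE6ACC0B21F32
CDIMAGE_2012=843938DF228D22F7B3742BC0D94AA3F0EFE21092
ARCHIVE_2018=F6ECB3762474EDA9D21B7022871920D1991BC93C

# primary_fingerprints: read `gpg --with-colons --fingerprint` records on
# stdin and print the fingerprint of every primary key. In that format the
# fingerprint sits in field 10 of the `fpr` record that follows a `pub`
# record; `fpr` records that follow `sub` records belong to subkeys and are
# deliberately skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { primary = 1; next }
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary { print $10; primary = 0 }
    '
}

# missing_fingerprints FPR...: read colon records on stdin and print each
# expected fingerprint that is absent. Always returns 0; the caller decides
# whether an empty result is required.
missing_fingerprints() {
    found=$(primary_fingerprints)
    for want in "$@"; do
        printf '%s\n' "$found" | grep -qxF "$want" || printf '%s\n' "$want"
    done
}

# check_keyring KEYRING FPR...: run gpg against a real keyring file and fail
# (return 1) if any of the given fingerprints is missing from it.
check_keyring() {
    keyring=$1
    shift
    missing=$(gpg --no-default-keyring --keyring "$keyring" --with-colons --fingerprint 2>/dev/null \
        | missing_fingerprints "$@")
    if [ -n "$missing" ]; then
        printf 'MISSING from %s:\n%s\n' "$keyring" "$missing" >&2
        return 1
    fi
    printf 'OK: %s contains all %s expected keys\n' "$keyring" "$#"
}

# Constructed sample of gpg output for an upgraded ubuntu-archive-keyring.gpg,
# so the check can be exercised without gpg installed. Key IDs are the last
# 16 hex digits of the fingerprints above; timestamps and the uid hash column
# are illustrative placeholders, not values taken from the real keyring.
sample_colons() {
    cat <<'EOF'
pub:-:4096:1:3B4FE6ACC0B21F32:1336694400:::-:::scSC::::::23::0:
fpr:::::::::790BC7277767219C42C86F933B4FE6ACC0B21F32:
uid:-::::1336694400::0000000000000000000000000000000000000000::Ubuntu Archive Automatic Signing Key (2012) <email address hidden>::::::::::0:
pub:-:4096:1:D94AA3F0EFE21092:1336694400:::-:::scSC::::::23::0:
fpr:::::::::843938DF228D22F7B3742BC0D94AA3F0EFE21092:
uid:-::::1336694400::0000000000000000000000000000000000000000::Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>::::::::::0:
pub:-:4096:1:871920D1991BC93C:1537142400:::-:::scSC::::::23::0:
fpr:::::::::F6ECB3762474EDA9D21B7022871920D1991BC93C:
uid:-::::1537142400::0000000000000000000000000000000000000000::Ubuntu Archive Automatic Signing Key (2018) <email address hidden>::::::::::0:
EOF
}

# Stand-alone run against the constructed sample. On a real bionic system the
# equivalent call would be:
#   check_keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg \
#       "$ARCHIVE_2012" "$CDIMAGE_2012" "$ARCHIVE_2018"
missing=$(sample_colons | missing_fingerprints "$ARCHIVE_2012" "$CDIMAGE_2012" "$ARCHIVE_2018")
if [ -z "$missing" ]; then
    echo "sample keyring: all three expected keys present"
else
    printf 'sample keyring: missing\n%s\n' "$missing"
fi
```

Running `check_keyring` once against each file under /etc/apt/trusted.gpg.d/ and against /usr/share/keyrings/ubuntu-archive-keyring.gpg, before and after the upgrade, gives a yes/no answer to "did a previously shipped key disappear" instead of a visual diff of `apt-key list`. Matching on full fingerprints rather than the 16-hex key IDs shown in `pub` records avoids being fooled by a key ID collision.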

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-keyring - 2018.09.18.1~18.04.0

---------------
ubuntu-keyring (2018.09.18.1~18.04.0) bionic; urgency=medium

  * keyrings/ubuntu-keyring-2018-archive.gpg,
    keyrings/ubuntu-archive-keyring.gpg: add new archive signing key.
  * Improve README.Source with upgrade/change instructions.
  * Validate that all shipped fragments are signed.
  * LP: #1798073

 -- Dimitri John Ledkov <email address hidden> Tue, 18 Sep 2018 17:03:46 +0200

Changed in ubuntu-keyring (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for ubuntu-keyring has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
