[Touch-packages] [Bug 1363482] Re: ubuntu-keyring includes 1024D keys

2018-10-15 Thread Peter Odding
It's a shame I can't edit comments on Launchpad: Please disregard my
last comment, I seem to have misread the pbuilder issue, sorry for the
noise. That doesn't change the validity of my point about updating
debootstrap though.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1363482

Title:
  ubuntu-keyring includes 1024D keys

Status in Ubuntu CD Images:
  Fix Released
Status in ubuntu-keyring package in Ubuntu:
  Fix Released

Bug description:
  ubuntu-keyring as shipped in trusty contains old 1024D keys dating
  back to 2004 which are still being trusted for the main archive:

   % gpg /usr/share/keyrings/ubuntu-archive-keyring.gpg | grep 1024D
  pub  1024D/437D05B5 2004-09-12 Ubuntu Archive Automatic Signing Key 

  pub  1024D/FBB75451 2004-12-30 Ubuntu CD Image Automatic Signing Key 


  Given that newer 4096R keys are present and have been in precise
  (through -updates) and trusty, it seems to be about time to drop the
  older keys. (In the hope that apt does not choke on signatures it
  cannot verify, otherwise the publisher would need to stop signing with
  the old key as well.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-cdimage/+bug/1363482/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1363482] Re: ubuntu-keyring includes 1024D keys

2018-10-15 Thread Peter Odding
Going over my notes on this topic I realized that I hadn't pointed out
in my previous message that the issue I've pointed out has already
triggered a workaround (that shouldn't be necessary IMHO) in the
pbuilder project:

https://bugs.launchpad.net/ubuntu/+source/pbuilder/+bug/599394

In my opinion neither pbuilder nor apt-mirror-updater should be
implementing workarounds for this issue, because there's lots more use
cases for debootstrap than just these two projects, and each will
require a workaround until my suggested change to debootstrap is
implemented.



[Touch-packages] [Bug 1363482] Re: ubuntu-keyring includes 1024D keys

2018-10-15 Thread Peter Odding
> Precise archive is only signed with the old key. To support using the
> precise archive in newer releases, such as with debootstrap, we need to
> do the following ...

This comment implied to me that the use of debootstrap to create an
Ubuntu 12.04 chroot on e.g. Ubuntu 18.04 (which includes the
ubuntu-keyring package update discussed here) should work, however I recently
found out that it doesn't:

$ sudo debootstrap precise /tmp/precise http://old-releases.ubuntu.com/ubuntu/
I: Retrieving InRelease 
I: Retrieving Release 
I: Checking Release signature
E: Release signed by unknown key (key id 40976EAF437D05B5)

At this point debootstrap exits with status code 1. My use case is based
on a Python package (maintained by me) that automates the creation of
Debian and Ubuntu chroots by discovering and ranking available mirrors,
automatically picking a good mirror and then running debootstrap with
the appropriate command line options. Based on this Launchpad issue I
realized that I needed to use 'ubuntu-archive-removed-keys.gpg' and
indeed then things work as expected:

$ sudo debootstrap --keyring=/usr/share/keyrings/ubuntu-archive-removed-keys.gpg precise /tmp/precise http://old-releases.ubuntu.com/ubuntu/
I: Retrieving InRelease 
I: Retrieving Release 
I: Checking Release signature
I: Valid Release signature (key id 630239CC130E1A7FD81A27B140976EAF437D05B5)
I: Validating Packages 
I: Resolving dependencies of required packages...

The tricky thing for me was that my Python package needs to decide this
for the user, since it abstracts away the call to debootstrap, so I
needed an exact understanding of the situation (the terseness of this
Launchpad issue wasn't explicit enough for me, given a lack of knowledge
about Ubuntu internals). I created the following overview of Ubuntu
signing keys to help me understand the situation:

warty: 0x40976EAF437D05B5
hoary: 0x40976EAF437D05B5
breezy: 0x40976EAF437D05B5
dapper: 0x40976EAF437D05B5
edgy: 0x40976EAF437D05B5
feisty: 0x40976EAF437D05B5
gutsy: 0x40976EAF437D05B5
hardy: 0x40976EAF437D05B5
intrepid: 0x40976EAF437D05B5
jaunty: 0x40976EAF437D05B5
karmic: 0x40976EAF437D05B5
lucid: 0x40976EAF437D05B5
maverick: 0x40976EAF437D05B5
natty: 0x40976EAF437D05B5
oneiric: 0x40976EAF437D05B5
precise: 0x40976EAF437D05B5
quantal: 0x40976EAF437D05B5, 0x3B4FE6ACC0B21F32
raring: 0x40976EAF437D05B5, 0x3B4FE6ACC0B21F32
saucy: 0x40976EAF437D05B5, 0x3B4FE6ACC0B21F32
trusty: 0x40976EAF437D05B5, 0x3B4FE6ACC0B21F32
utopic: 0x40976EAF437D05B5, 0x3B4FE6ACC0B21F32
vivid: 0x40976EAF437D05B5, 0x3B4FE6ACC0B21F32
wily: 0x40976EAF437D05B5, 0x3B4FE6ACC0B21F32
xenial: 0x40976EAF437D05B5, 0x3B4FE6ACC0B21F32
yakkety: 0x40976EAF437D05B5, 0x3B4FE6ACC0B21F32
zesty: 0x3B4FE6ACC0B21F32
artful: 0x3B4FE6ACC0B21F32
bionic: 0x3B4FE6ACC0B21F32
cosmic: 0x3B4FE6ACC0B21F32

The issue that I created to track this issue "on my side" contains a lot
more details (including the script that was used to create the overview
of signing keys) and is available here:
https://github.com/xolox/python-apt-mirror-updater/issues/8

Now that I've implemented a workaround for this issue it's no longer
very pressing for me, however wouldn't it be prudent to update the
debootstrap package so that it automatically picks the 'removed' keyring
for Ubuntu <= 12.04 chroots on Ubuntu >= 17.04 hosts? The variable to do
so already exists, the value just needs to be changed:

$ grep keyring /usr/share/debootstrap/scripts/precise
keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg

If this were updated to
/usr/share/keyrings/ubuntu-archive-removed-keys.gpg it should work. This
would avoid every single user of debootstrap having to work around this
issue by themselves, like I've had to. This has affected at least some
users (before me) already, as you can see by searching for the phrase
"Release signed by unknown key (key id 40976EAF437D05B5)":
https://www.google.com/search?q=%22Release+signed+by+unknown+key+%28key+id+40976EAF437D05B5%29%22

** Bug watch added: github.com/xolox/python-apt-mirror-updater/issues #8
   https://github.com/xolox/python-apt-mirror-updater/issues/8
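
The keyring decision described in the message above, as an added example that is not part of the original thread and is not code from apt-mirror-updater or debootstrap. The function names, the excerpted overview and the colon-format keyring listings are constructed for illustration; it assumes one verifiable signature on the Release file is enough.

```python
import re

# Excerpt of the release -> signing key overview from the message above.
OVERVIEW = """\
precise: 0x40976EAF437D05B5
trusty: 0x40976EAF437D05B5, 0x3B4FE6ACC0B21F32
yakkety: 0x40976EAF437D05B5, 0x3B4FE6ACC0B21F32
zesty: 0x3B4FE6ACC0B21F32
bionic: 0x3B4FE6ACC0B21F32
"""

# Constructed `gpg --with-colons --list-keys` style records for a host with
# ubuntu-keyring >= 2016.10.27 (fields: type, validity, bits, algo, key id).
# Only keys named on this page are listed; real keyrings hold more.
HOST_KEYRINGS = {
    "/usr/share/keyrings/ubuntu-archive-keyring.gpg":
        "pub:-:4096:1:3B4FE6ACC0B21F32:::::::\n",
    "/usr/share/keyrings/ubuntu-archive-removed-keys.gpg":
        "pub:-:1024:17:40976EAF437D05B5:::::::\n",
}

UNKNOWN_KEY = re.compile(
    r"^E: Release signed by unknown key \(key id ([0-9A-F]+)\)", re.M)


def _norm(key_id):
    """Normalise '0xABCD' / 'abcd' to upper-case hex without prefix."""
    key_id = key_id.strip().upper()
    return key_id[2:] if key_id.startswith("0X") else key_id


def parse_overview(text):
    """Return {release: {key id, ...}} from 'release: 0xID, 0xID' lines."""
    table = {}
    for line in text.splitlines():
        release, sep, keys = line.partition(":")
        if sep and keys.strip():
            table[release.strip()] = {_norm(k) for k in keys.split(",")}
    return table


def keyring_keys(colon_listing):
    """Return {key id: bit length} for every 'pub' record in a listing."""
    keys = {}
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 4:
            keys[fields[4].upper()] = int(fields[2])
    return keys


def choose_keyring(release, overview, keyrings, min_bits=2048):
    """Pick the first keyring holding a key that signs `release`.

    Keyrings are tried in dict order, so the default keyring wins whenever it
    can verify the release. Returns (path, key id, weak) or None; `weak` is
    True when the only usable key is shorter than `min_bits`.
    """
    wanted = overview.get(release, set())
    for path, listing in keyrings.items():
        usable = {k: b for k, b in keyring_keys(listing).items() if k in wanted}
        if usable:
            key = max(usable, key=usable.get)  # prefer the strongest match
            return path, key, usable[key] < min_bits
    return None


def debootstrap_argv(release, target, mirror, overview, keyrings):
    """Build the debootstrap command; refuse rather than skip verification."""
    choice = choose_keyring(release, overview, keyrings)
    if choice is None:
        raise LookupError(f"no local keyring can verify {release}")
    path, _key, weak = choice
    return ["debootstrap", f"--keyring={path}", release, target, mirror], weak


def unknown_key(output):
    """Extract the key id from debootstrap's 'unknown key' error, if any."""
    match = UNKNOWN_KEY.search(output)
    return match.group(1) if match else None
```

The `weak` flag lets a caller log that a chroot was verified only against the 1024-bit key from the removed-keys keyring.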


[Touch-packages] [Bug 1363482] Re: ubuntu-keyring includes 1024D keys

2016-10-28 Thread Launchpad Bug Tracker
This bug was fixed in the package ubuntu-keyring - 2016.10.27

---
ubuntu-keyring (2016.10.27) zesty; urgency=medium

  * Drop 1024D key fragments. LP: #1363482
  * Remove 1024D keys from ubuntu-archive-keyring.
  * Add 1024D keys to ubuntu-archive-removed-keys.gpg.
  * Remove the md5sums.asc file, no longer valid.
  * Regenerate SHA512SUMS.txt.asc file.

 -- Dimitri John Ledkov   Thu, 27 Oct 2016 15:31:35 +0100

** Changed in: ubuntu-keyring (Ubuntu)
   Status: Confirmed => Fix Released



[Touch-packages] [Bug 1363482] Re: ubuntu-keyring includes 1024D keys

2016-09-16 Thread Dimitri John Ledkov
Might as well just wait for precise EOL.



[Touch-packages] [Bug 1363482] Re: ubuntu-keyring includes 1024D keys

2016-08-15 Thread Marc Deslauriers
Adam,

Any progress on getting the precise archive signed with the newer keys?



[Touch-packages] [Bug 1363482] Re: ubuntu-keyring includes 1024D keys

2016-01-04 Thread Fernando Seiti Furusato
** Branch unlinked: lp:ubuntu-cdimage



[Touch-packages] [Bug 1363482] Re: ubuntu-keyring includes 1024D keys

2016-01-04 Thread Colin Watson
** Branch linked: lp:ubuntu-cdimage



[Touch-packages] [Bug 1363482] Re: ubuntu-keyring includes 1024D keys

2015-11-11 Thread Colin Watson
I've added double-signing support to cdimage, and re-signed everything
with both old and new keys.  For good measure I've also updated
https://help.ubuntu.com/community/VerifyIsoHowto.

** Changed in: ubuntu-cdimage
   Status: New => Fix Released



[Touch-packages] [Bug 1363482] Re: ubuntu-keyring includes 1024D keys

2015-11-11 Thread Colin Watson
** Changed in: ubuntu-cdimage
 Assignee: Adam Conrad (adconrad) => Colin Watson (cjwatson)



[Touch-packages] [Bug 1363482] Re: ubuntu-keyring includes 1024D keys

2015-11-11 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu-cdimage



[Touch-packages] [Bug 1363482] Re: ubuntu-keyring includes 1024D keys

2015-07-21 Thread Marc Deslauriers
Precise archive is only signed with the old key. To support using the
precise archive in newer releases, such as with debootstrap, we need to
do the following:

1- Make sure Precise's apt supports a double-signed release file
2- Start double-signing the Precise archive
3- Double-sign old ISO *SUMS files

We can then drop the old key in the dev release and in an update to
stable releases.



[Touch-packages] [Bug 1363482] Re: ubuntu-keyring includes 1024D keys

2015-07-21 Thread Marc Deslauriers
** Changed in: ubuntu-keyring (Ubuntu)
   Status: New => Confirmed

** Changed in: ubuntu-keyring (Ubuntu)
   Importance: Undecided => High

** Information type changed from Public to Public Security



[Touch-packages] [Bug 1363482] Re: ubuntu-keyring includes 1024D keys

2015-07-21 Thread Adam Conrad
Adding an ubuntu-cdimage task to make it support double-signing, so I
can go back and alter history.

** Also affects: ubuntu-cdimage
   Importance: Undecided
   Status: New

** Changed in: ubuntu-cdimage
 Assignee: (unassigned) => Adam Conrad (adconrad)



[Touch-packages] [Bug 1363482] Re: ubuntu-keyring includes 1024D keys

2015-07-21 Thread Steve Langasek
** Changed in: ubuntu-keyring (Ubuntu)
 Assignee: (unassigned) => Adam Conrad (adconrad)
