Public bug reported:
As part of Ubuntu key rotation strategy, we rely on dual-signing
(inline, or detached) such that validation with at least one key
available in a keyring should be trusted, without using web-of-trust.
However, it seems to be only correctly so far implemented by the apt's
gpgv method.
Ideally, we should ship an easy enough to use the helper that is `like
gpgv` to use, and possibly reusing apt's gpgv code and/or exposing it
via apt-key's verify.
The problem seems to be that 1 good sig + 1 no public key available,
results in gpgv exiting with 2, instead of 0 or 1.
Ideally it should be easy enough to use gpgv/gpg to verify that at least
one signature is good, and decrypt/extract signed contents only.
More details and reproducers to follow.
** Affects: apt (Ubuntu)
Importance: Undecided
Status: New
** Affects: debmirror (Ubuntu)
Importance: Undecided
Status: New
** Affects: gnupg2 (Ubuntu)
Importance: Undecided
Status: New
** Affects: ubuntu-keyring (Ubuntu)
Importance: Undecided
Status: New
** Affects: ubuntu-release-upgrader (Ubuntu)
Importance: Undecided
Status: New
** Also affects: gnupg2 (Ubuntu)
Importance: Undecided
Status: New
** Also affects: apt (Ubuntu)
Importance: Undecided
Status: New
** Also affects: debmirror (Ubuntu)
Importance: Undecided
Status: New
** Also affects: ubuntu-release-upgrader (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1801762
Title:
Dual-signed things should be easy to verify with one key
Status in apt package in Ubuntu:
New
Status in debmirror package in Ubuntu:
New
Status in gnupg2 package in Ubuntu:
New
Status in ubuntu-keyring package in Ubuntu:
New
Status in ubuntu-release-upgrader package in Ubuntu:
New
Bug description:
As part of Ubuntu key rotation strategy, we rely on dual-signing
(inline, or detached) such that validation with at least one key
available in a keyring should be trusted, without using web-of-trust.
However, it seems to be only correctly so far implemented by the apt's
gpgv method.
Ideally, we should ship an easy enough to use the helper that is `like
gpgv` to use, and possibly reusing apt's gpgv code and/or exposing it
via apt-key's verify.
The problem seems to be that 1 good sig + 1 no public key available,
results in gpgv exiting with 2, instead of 0 or 1.
Ideally it should be easy enough to use gpgv/gpg to verify that at
least one signature is good, and decrypt/extract signed contents only.
More details and reproducers to follow.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1801762/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
