[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-06-19 Thread Mario
In my opinion, a weak key indirectly (not far from "almost directly")
compromises the whole system.

This is the highest possible level of Importance / priority.

Security urgency.

That goes for any other weak RSA in any launchpad PPAs.

TODO: replace all Launchpad weak keys with at least RSA4096 and keep
PQA safety in mind

Thank you.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065932

Title:
  Only adds the weak key for PPAs dual-signed with both weak and strong
  keys

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/2065932/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-05-21 Thread Charlie Wong
** Description changed:

  After running ‘add-apt-repository ppa:git-core/ppa’ on Ubuntu 24.04,
  ‘apt update’ gives this warning:
  
  W: https://ppa.launchpadcontent.net/git-
  core/ppa/ubuntu/dists/noble/InRelease: Signature by key
  E1DD270288B4E6030699E45FA1715D88E1DF1F24 uses weak algorithm (rsa1024)
  
  But this PPA is dual-signed by two keys, only one of which is weak.
  add-apt-repository has chosen to install the rsa1024 key in
  sources.list.d.  It should choose the rsa4096 key instead.
  
- $ curl 
'https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease' | 
gpg
+ $ curl 
'https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease' | 
gpgv
  …
  gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT
  gpg:                using RSA key F911AB184317630C59970973E363C90F8F1B6217
  gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:  There is no indication that the signature belongs to the owner.
  Primary key fingerprint: F911 AB18 4317 630C 5997  0973 E363 C90F 8F1B 6217
  gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT
  gpg:                using RSA key E1DD270288B4E6030699E45FA1715D88E1DF1F24
  gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:  There is no indication that the signature belongs to the owner.
  Primary key fingerprint: E1DD 2702 88B4 E603 0699  E45F A171 5D88 E1DF 1F24
  $ gpg --list-keys F911AB184317630C59970973E363C90F8F1B6217 
E1DD270288B4E6030699E45FA1715D88E1DF1F24
  pub   rsa1024 2009-01-22 [SC]
-   E1DD270288B4E6030699E45FA1715D88E1DF1F24
+   E1DD270288B4E6030699E45FA1715D88E1DF1F24
  uid   [ unknown] Launchpad PPA for Ubuntu Git Maintainers
  
  pub   rsa4096 2024-04-24 [SC]
-   F911AB184317630C59970973E363C90F8F1B6217
+   F911AB184317630C59970973E363C90F8F1B6217
  uid   [ unknown] Launchpad PPA for Ubuntu Git Maintainers
  
  Context: https://discourse.ubuntu.com/t/new-requirements-for-apt-
  repository-signing-in-24-04/42854

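The selection logic the report asks for, as an added example (it is not code from the bug report or from software-properties): it parses the two outputs quoted above, the English-locale `gpg --list-keys` layout and the `gpg: ... using RSA key` lines from `gpgv`, and picks the strongest key that actually signed the InRelease file. The sample text is constructed from the report's own key listing and signature lines; the acceptance policy (RSA of at least 2048 bits, or ed25519/ed448) and the `MIN_RSA_BITS` threshold are assumptions of this example, not values taken from the page.

```python
"""Choose the strongest signing key for a dual-signed APT repository.

Added example, not part of the bug report or of software-properties.
Assumes the English-locale `gpg --list-keys` layout and `gpgv` output
quoted in the report; the key-strength policy below is an assumption.
"""
import re

MIN_RSA_BITS = 2048  # assumed policy threshold for RSA keys

# Constructed sample: the two keys from the report, in `gpg --list-keys` layout.
LIST_KEYS_OUTPUT = """\
pub   rsa1024 2009-01-22 [SC]
      E1DD270288B4E6030699E45FA1715D88E1DF1F24
uid           [ unknown] Launchpad PPA for Ubuntu Git Maintainers

pub   rsa4096 2024-04-24 [SC]
      F911AB184317630C59970973E363C90F8F1B6217
uid           [ unknown] Launchpad PPA for Ubuntu Git Maintainers
"""

# Constructed sample: the signature lines gpgv printed for the dual-signed InRelease.
GPGV_OUTPUT = """\
gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT
gpg:                using RSA key F911AB184317630C59970973E363C90F8F1B6217
gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown]
gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT
gpg:                using RSA key E1DD270288B4E6030699E45FA1715D88E1DF1F24
gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown]
"""

PUB_RE = re.compile(r"^pub\s+(\S+)\s+\d{4}-\d{2}-\d{2}")   # "pub   rsa4096 2024-04-24 [SC]"
FPR_RE = re.compile(r"^\s+([0-9A-F]{40})$")                 # indented fingerprint line
SIG_RE = re.compile(r"^gpg:\s+using (\w+) key ([0-9A-F]{40})$")
ALGO_RE = re.compile(r"^(rsa|dsa|elg)(\d+)$")               # algorithms gpg prints with a size


def split_algo(name):
    """'rsa4096' -> ('rsa', 4096); 'ed25519' -> ('ed25519', 0) (no size suffix)."""
    m = ALGO_RE.match(name)
    return (m.group(1), int(m.group(2))) if m else (name, 0)


def parse_list_keys(text):
    """Map fingerprint -> (algorithm, bits) from `gpg --list-keys` output."""
    keys, pending = {}, None
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            pending = split_algo(m.group(1))   # remember the key until its fpr line
            continue
        m = FPR_RE.match(line)
        if m and pending:
            keys[m.group(1)] = pending
            pending = None
    return keys


def parse_signers(text):
    """Fingerprints of the keys that produced a signature, in gpgv's order."""
    return [m.group(2) for m in map(SIG_RE.match, text.splitlines()) if m]


def is_strong(algo, bits, min_rsa_bits=MIN_RSA_BITS):
    """Assumed policy: RSA >= min_rsa_bits, or a modern EdDSA key."""
    if algo == "rsa":
        return bits >= min_rsa_bits
    return algo in ("ed25519", "ed448")


def weak_signers(list_keys_text, gpgv_text, min_rsa_bits=MIN_RSA_BITS):
    """Signing keys that fail the policy (what apt warns about)."""
    keys = parse_list_keys(list_keys_text)
    return [f for f in parse_signers(gpgv_text)
            if not is_strong(*keys.get(f, ("unknown", 0)), min_rsa_bits)]


def choose_key(list_keys_text, gpgv_text, min_rsa_bits=MIN_RSA_BITS):
    """Strongest acceptable key that actually signed the file, or None.

    Only keys seen in gpgv's signature lines are candidates, so a strong key
    in the keyring that did not sign the InRelease file is never chosen.
    """
    keys = parse_list_keys(list_keys_text)
    candidates = []
    for fpr in parse_signers(gpgv_text):
        algo, bits = keys.get(fpr, ("unknown", 0))
        if is_strong(algo, bits, min_rsa_bits):
            candidates.append((bits, fpr))
    return max(candidates)[1] if candidates else None


if __name__ == "__main__":
    print("weak signers :", weak_signers(LIST_KEYS_OUTPUT, GPGV_OUTPUT))
    print("key to install:", choose_key(LIST_KEYS_OUTPUT, GPGV_OUTPUT))
```

Run against the report's data this installs the rsa4096 key F911... and flags the rsa1024 key E1DD..., which is the behaviour the report asks add-apt-repository to adopt; when no signer meets the policy it returns None rather than silently falling back to a weak key.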

[Bug 2065932] Re: Only adds the weak key for PPAs dual-signed with both weak and strong keys

2024-05-21 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: software-properties (Ubuntu)
   Status: New => Confirmed
