[Touch-packages] [Bug 1786471] Re: remove 1024D keys from ubuntu-keyring on older LTS

[Dimitri John Ledkov]

Yes, but older distros were dual signed with that key. So it should be
still shipped.

** Changed in: ubuntu-keyring (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1786471

Title:
  remove 1024D keys from ubuntu-keyring on older LTS

Status in ubuntu-keyring package in Ubuntu:
  Won't Fix

Bug description:
  Zesty and later (LP: #1363482) are no longer shipping with 1024D keys
  but older LTS releases (Trusty/Xenial) still trust those weak keys:

  $ lsb_release -sc
  xenial

  $ apt-key list
  /etc/apt/trusted.gpg
  
  pub   1024D/437D05B5 2004-09-12
  uid  Ubuntu Archive Automatic Signing Key 

  sub   2048g/79164387 2004-09-12

  pub   4096R/C0B21F32 2012-05-11
  uid  Ubuntu Archive Automatic Signing Key (2012) 


  pub   4096R/EFE21092 2012-05-11
  uid  Ubuntu CD Image Automatic Signing Key (2012) 


  pub   1024D/FBB75451 2004-12-30
  uid  Ubuntu CD Image Automatic Signing Key 


  On Xenial, I found no problem after deleting the 2 1024D keys:

  $ sudo apt-key del FBB75451
  $ sudo apt-key del 437D05B5
  $ sudo apt-get -qq update
  $ echo $? # returned 0

  On Trusty, it seems that removing the key 437D05B5 leads to warnings
  due to the double-signing:

  $ sudo apt-key del FBB75451
  $ sudo apt-key del 437D05B5
  $ sudo apt-get -qq update
  W: There is no public key available for the following key IDs:
  40976EAF437D05B5
  W: There is no public key available for the following key IDs:
  40976EAF437D05B5
  W: There is no public key available for the following key IDs:
  40976EAF437D05B5
  $ echo $? # returned 0

  It seems that "apt-get update" is still happy as it can validate using
  the stronger key.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1786471/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1786471] Re: remove 1024D keys from ubuntu-keyring on older LTS

[Simon Déziel]

** Description changed:

  Zesty and later (LP: #1363482) are no longer shipping with 1024D keys
  but older LTS releases (Trusty/Xenial) still trust those weak keys:
  
  $ lsb_release -sc
  xenial
  
  $ apt-key list
  /etc/apt/trusted.gpg
  
  pub   1024D/437D05B5 2004-09-12
  uid  Ubuntu Archive Automatic Signing Key 

  sub   2048g/79164387 2004-09-12
  
  pub   4096R/C0B21F32 2012-05-11
  uid  Ubuntu Archive Automatic Signing Key (2012) 

  
  pub   4096R/EFE21092 2012-05-11
  uid  Ubuntu CD Image Automatic Signing Key (2012) 

  
  pub   1024D/FBB75451 2004-12-30
  uid  Ubuntu CD Image Automatic Signing Key 

  
- 
  On Xenial, I found no problem after deleting the 2 1024D keys:
  
- $ sudo apt-key del 2A38B3EB
+ $ sudo apt-key del FBB75451
  $ sudo apt-key del 437D05B5
  $ sudo apt-get -qq update
  $ echo $? # returned 0
  
+ On Trusty, it seems that removing the key 437D05B5 leads to warnings due
+ to the double-signing:
  
- On Trusty, it seems that removing the key 437D05B5 leads to warnings due to 
the double-signing:
- 
- $ sudo apt-key del 2A38B3EB
+ $ sudo apt-key del FBB75451
  $ sudo apt-key del 437D05B5
  $ sudo apt-get -qq update
  W: There is no public key available for the following key IDs:
  40976EAF437D05B5
  W: There is no public key available for the following key IDs:
  40976EAF437D05B5
  W: There is no public key available for the following key IDs:
  40976EAF437D05B5
  $ echo $? # returned 0
  
  It seems that "apt-get update" is still happy as it can validate using
  the stronger key.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1786471

Title:
  remove 1024D keys from ubuntu-keyring on older LTS

Status in ubuntu-keyring package in Ubuntu:
  New

Bug description:
  Zesty and later (LP: #1363482) are no longer shipping with 1024D keys
  but older LTS releases (Trusty/Xenial) still trust those weak keys:

  $ lsb_release -sc
  xenial

  $ apt-key list
  /etc/apt/trusted.gpg
  
  pub   1024D/437D05B5 2004-09-12
  uid  Ubuntu Archive Automatic Signing Key 

  sub   2048g/79164387 2004-09-12

  pub   4096R/C0B21F32 2012-05-11
  uid  Ubuntu Archive Automatic Signing Key (2012) 


  pub   4096R/EFE21092 2012-05-11
  uid  Ubuntu CD Image Automatic Signing Key (2012) 


  pub   1024D/FBB75451 2004-12-30
  uid  Ubuntu CD Image Automatic Signing Key 


  On Xenial, I found no problem after deleting the 2 1024D keys:

  $ sudo apt-key del FBB75451
  $ sudo apt-key del 437D05B5
  $ sudo apt-get -qq update
  $ echo $? # returned 0

  On Trusty, it seems that removing the key 437D05B5 leads to warnings
  due to the double-signing:

  $ sudo apt-key del FBB75451
  $ sudo apt-key del 437D05B5
  $ sudo apt-get -qq update
  W: There is no public key available for the following key IDs:
  40976EAF437D05B5
  W: There is no public key available for the following key IDs:
  40976EAF437D05B5
  W: There is no public key available for the following key IDs:
  40976EAF437D05B5
  $ echo $? # returned 0

  It seems that "apt-get update" is still happy as it can validate using
  the stronger key.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1786471/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp