[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2024-05-08 Thread Jake Lepere
Enabling FIPS on Ubuntu Pro 22.04+ machines [1] drops rsa1024 as an available encryption key because rsa1024 isn't FIPS compliant. Therefore, adding rsa1024 signed apt keys here isn't possible. Does anyone have suggestions to work around this? I've asked if maintainers could re-sign apt keys for

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2021-08-30 Thread Bob Freeman
> GPG does not provide a way for APT to validate key lengths when the signature is verified, so we did all we could do here.

Some pages, like https://launchpad.net/~fnu/+archive/ubuntu/main-fnu/ say "Signing key: 1024R" when you click on "Technical details about this PPA". So launchpad clearly

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2020-01-17 Thread Colin Watson
** Description changed: - 1024-bit RSA เลิกใช้แล้วเมื่อหลายปีก่อนโดย NIST [1], Microsoft [2] - และอื่น ๆ เมื่อไม่นานมานี้ [3] + 1024-bit RSA was deprecated years ago by NIST[1], Microsoft[2] and more + recently by others[3]. - คีย์การลงชื่อ 1024 -

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2020-01-17 Thread wachirapranee tesprasit
** Changed in: apt (Ubuntu) Status: Invalid => Confirmed ** Changed in: launchpad Status: New => Confirmed ** Changed in: launchpad Assignee: (unassigned) => wachirapranee tesprasit (tatar28) ** Changed in: apt (Ubuntu) Assignee: (unassigned) => wachirapranee tesprasit

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2017-06-21 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: gnupg2 (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1461834 Title:

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2017-05-07 Thread Bob Freeman
Sign with two keys then, and try to tell people. After a period of time you could disable the old key (i.e. no longer sign anything with it) - for anyone who still hasn't updated their configuration their system will still work, but instead of updates they would get errors. Then they would update

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2017-05-07 Thread Colin Watson
Julian, I'm afraid that for better or worse Launchpad did generate 1024-bit RSA keys for PPAs for quite some time, and that wasn't an entirely silly decision back when it was first made - even then DSA had known weaknesses. It's a problem, but as you say we'd need to work out a rollover

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2017-05-07 Thread Julian Andres Klode
Regarding launchpad: I'm not sure what that bug is achieving. The proposal with the rename is fairly useless, you could just add the safe key to the existing repository. The biggest problem in practice is rolling out a new key to users, as there is no mechanism for that.

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2017-05-07 Thread Julian Andres Klode
APT currently rejects all non-SHA2 hashes, which excludes 1024 bit DSA keys (the only 1024 bit keys in use, really). All repositories were told to update to 2048 or 4096 bit RSA keys. GPG does not provide a way for APT to validate key lengths when the signature is verified, so we did all we could

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2017-05-07 Thread Julian Andres Klode
Side note: It's incredibly funny how the bug report talks about 1024 bit RSA keys, when such keys have likely never been used by anyone (all 1024 bit keys I know about were DSA).

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2017-05-07 Thread gordon-z
> This means a man-in-the-middle can gain root access, just by inserting their own version of one of the packages into this network traffic, because updates run as root. They can first obtain the public 1024 bit key from the PPA, then spend as long as they want working out the private

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2017-05-06 Thread Bob Freeman
Launchpad could *automatically* create a mirror of any PPA that still uses a 1024 bit key, with a standard suffix to the name, eg xyzppa gets mirrored as xyzppa-newkey. It could then link to it from the page for the original PPA. It would always have all the same source, built files and other

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2017-05-06 Thread Bob Freeman
Updates usually run automatically in the background, including from PPAs, and are unencrypted. This means a man-in-the-middle can gain root access, just by inserting their own version of one of the packages into this network traffic, because updates run as root. They can first obtain the public

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2017-05-06 Thread Bob Freeman
** Tags added: encryption needs-update security vulnerability

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2015-07-29 Thread gmorehou
I disagree with the no longer affects Launchpad. This is a matter of policy and as such very definitely DOES affect Launchpad, regardless of the resolution of bug #1331914.

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2015-07-29 Thread William Grant
Launchpad has used 4096-bit RSA keys for new PPAs since bug #1240681 was fixed. Allowing PPA owners to replace the old 1024-bit keys is bug #1331914. ** No longer affects: launchpad

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2015-07-21 Thread Seth Arnold
** Also affects: apt (Ubuntu) Importance: Undecided Status: New

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2015-07-21 Thread Seth Arnold
It might be nice if apt could be configured with minimum accepted algorithms or required algorithms, to allow administrators to require e.g. sha256 or sha3 or blake2b, or rsa 4096 or ed25519, etc.

[Bug 1461834] Re: 1024-bit signing keys should be deprecated

2015-07-21 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: apt (Ubuntu) Status: New => Confirmed