*** This bug is a security vulnerability ***

Public security bug reported:

Zesty and later (LP: #1363482) are no longer shipping with 1024D keys, but older LTS releases (Trusty/Xenial) still trust those weak keys:

$ lsb_release -sc
xenial
$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub   1024D/437D05B5 2004-09-12
uid                  Ubuntu Archive Automatic Signing Key <ftpmas...@ubuntu.com>
sub   2048g/79164387 2004-09-12

pub   4096R/C0B21F32 2012-05-11
uid                  Ubuntu Archive Automatic Signing Key (2012) <ftpmas...@ubuntu.com>

pub   4096R/EFE21092 2012-05-11
uid                  Ubuntu CD Image Automatic Signing Key (2012) <cdim...@ubuntu.com>

pub   1024D/FBB75451 2004-12-30
uid                  Ubuntu CD Image Automatic Signing Key <cdim...@ubuntu.com>

On Xenial, I found no problem after deleting the 2 1024D keys:

$ sudo apt-key del 2A38B3EB
$ sudo apt-key del 437D05B5
$ sudo apt-get -qq update
$ echo $?   # returned 0

On Trusty, it seems that removing the key 437D05B5 leads to warnings due to the double-signing:

$ sudo apt-key del 2A38B3EB
$ sudo apt-key del 437D05B5
$ sudo apt-get -qq update
W: There is no public key available for the following key IDs:
40976EAF437D05B5
W: There is no public key available for the following key IDs:
40976EAF437D05B5
W: There is no public key available for the following key IDs:
40976EAF437D05B5
$ echo $?   # returned 0

It seems that "apt-get update" is still happy as it can validate using the stronger key.

** Affects: ubuntu-keyring (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1786471

Title:
  remove 1024D keys from ubuntu-keyring on older LTS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1786471/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
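The report above identifies the weak keys by eye from "apt-key list" output. As an added example (not part of the bug report, and not ubuntu-keyring's own tooling), the script below does the same audit mechanically: it reads gpg's machine-readable "--with-colons" listing of an apt keyring and prints every primary key that is DSA (public-key algorithm 17) or shorter than 2048 bits. The gpg invocation and the colon-record field positions are the real ones; the sample listing embedded in the script is constructed to mirror the four keys shown in the report, with the long key IDs other than 40976EAF437D05B5 zero-padded as placeholders rather than real IDs. The function and variable names (list_keys_colons, weak_keys, demo_weak_keys, SAMPLE_LISTING) are this example's own.

```shell
#!/bin/sh
# Added example: flag weak (DSA or sub-2048-bit) primary keys in an apt
# trusted keyring. Usage: sh audit_apt_keyring.sh [/etc/apt/trusted.gpg]
# With no argument it runs against the constructed sample listing below.
set -eu

# list_keys_colons KEYRING: dump the keyring in gpg's colon-separated format.
# ("apt-key adv --list-keys --with-colons" produces the same records.)
list_keys_colons() {
    gpg --no-default-keyring --keyring "$1" --list-keys --with-colons 2>/dev/null
}

# weak_keys: read colon records on stdin; print "<longid> <bits> <algo> <uid>"
# for each primary key that is DSA (algo 17) or shorter than 2048 bits.
# pub record fields: 3 = key length, 4 = algorithm (1 = RSA, 17 = DSA),
# 5 = long key ID. The uid record that follows carries the user ID in
# field 10 (gpg escapes a literal ':' there as \x3a, left as-is here).
weak_keys() {
    awk -F: '
        $1 == "pub" { keyid = $5; bits = $3; algo = $4; pending = 1; next }
        $1 == "uid" && pending {
            pending = 0
            if (algo == 17 || bits < 2048) {
                if (algo == 17)     name = "DSA"
                else if (algo == 1) name = "RSA"
                else                name = "algo" algo
                printf "%s %s %s %s\n", keyid, bits, name, $10
            }
        }
    '
}

# Constructed sample mirroring the report: two 1024D keys (one with its
# real long ID 40976EAF437D05B5 from the apt warning), two 4096R keys.
# Zero-padded long IDs and the uid hash column are placeholders, not real.
SAMPLE_LISTING='pub:-:1024:17:40976EAF437D05B5:2004-09-12::::::scESC::::::
uid:-::::2004-09-12::HASH::Ubuntu Archive Automatic Signing Key::::::::::
sub:-:2048:16:0000000079164387:2004-09-12::::::e::::::
pub:-:4096:1:00000000C0B21F32:2012-05-11::::::scSC::::::
uid:-::::2012-05-11::HASH::Ubuntu Archive Automatic Signing Key (2012)::::::::::
pub:-:4096:1:00000000EFE21092:2012-05-11::::::scSC::::::
uid:-::::2012-05-11::HASH::Ubuntu CD Image Automatic Signing Key (2012)::::::::::
pub:-:1024:17:00000000FBB75451:2004-12-30::::::scESC::::::
uid:-::::2004-12-30::HASH::Ubuntu CD Image Automatic Signing Key::::::::::'

# demo_weak_keys: run the audit over the constructed sample.
demo_weak_keys() {
    printf '%s\n' "$SAMPLE_LISTING" | weak_keys
}

# count_weak_keys: number of weak keys found in the constructed sample.
count_weak_keys() {
    demo_weak_keys | awk 'END { print NR }'
}

if [ "${1:-}" ]; then
    list_keys_colons "$1" | weak_keys     # audit a real keyring
else
    demo_weak_keys                        # offline demonstration
fi
```

Each line printed is a candidate for "apt-key del <id>" as in the report; the Trusty run above is the caveat to keep in mind, since a Release file signed by both an old and a new key still produces a "no public key available" warning for the deleted key even though apt validates it with the remaining stronger key and exits 0.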