[Bug 1645906] Re: new dist-upgrader tarballs necessary so they are signed with 4k key

Brian Murray brian at ubuntu.com
Wed Nov 30 16:12:35 UTC 2016 

This looks good to me for yakkety.

bdmurray at clean-xenial-amd64:~$ do-release-upgrade -p --frontend DistUpgradeViewText
Checking for a new Ubuntu release
Get:1 Upgrade tool signature [836 B]
Get:2 Upgrade tool [1,258 kB]
Fetched 1,259 kB in 0s (0 B/s)
authenticate 'yakkety.tar.gz' against 'yakkety.tar.gz.gpg'
extracting 'yakkety.tar.gz'
[screen is terminating]

bdmurray at clean-xenial-amd64:/tmp/ubuntu-release-upgrader-3n2e_3cn$ gpg --list-packets yakkety.tar.gz.gpg
gpg: keyring `/home/bdmurray/.gnupg/secring.gpg' created
gpg: keyring `/home/bdmurray/.gnupg/pubring.gpg' created
:signature packet: algo 1, keyid 3B4FE6ACC0B21F32
        version 4, created 1480470386, md5len 0, sigclass 0x00
        digest algo 10, begin of digest 76 73
        hashed subpkt 2 len 4 (sig created 2016-11-30)
        subpkt 16 len 8 (issuer key ID 3B4FE6ACC0B21F32)
        data: [4093 bits]


** Tags removed: verification-needed
** Tags added: verification-done-yakkety

** Changed in: ubuntu-release-upgrader (Ubuntu Xenial)
     Assignee: (unassigned) => Brian Murray (brian-murray)

** Changed in: ubuntu-release-upgrader (Ubuntu Xenial)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-release-upgrader in
Ubuntu.
https://bugs.launchpad.net/bugs/1645906

Title:
  new dist-upgrader tarballs necessary so they are signed with 4k key

Status in ubuntu-release-upgrader package in Ubuntu:
  New
Status in ubuntu-release-upgrader source package in Precise:
  New
Status in ubuntu-release-upgrader source package in Trusty:
  New
Status in ubuntu-release-upgrader source package in Xenial:
  In Progress
Status in ubuntu-release-upgrader source package in Yakkety:
  Fix Committed

Bug description:
  With the ubuntu-archive-publishing change in
  https://code.launchpad.net/~xnox/ubuntu-archive-publishing/migrate-
  dist-upgrade-to-4k/+merge/311181 the signing process for the dist-
  upgrader tarball has been changed.  This change should be tested now,
  rather than doing an ubuntu-release-upgrader change months from now
  and wondering why things aren't working (if they are broken).

  Due to the way the gpg signature is generated we can't just remove it
  and have it regenerated as the timestamp for the signature will not
  change, so the change will not propogate to the mirrors.  Hence the
  need for a mostly no change (mirrors and demotions may change) upload
  of ubuntu-release-upgrader.

  Test Case
  ---------
  1) run do-release-upgrade -p --frontend DistUpgradeViewText
  2) ensure the tarball for the next release e.g. xenial.tar.gz is downloaded and the signature verification passes

  Regression Potential
  --------------------
  It's possible the signing is wrong and the verification of the signature will fail thereby causing release upgrades to be impossible.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/1645906/+subscriptions

More information about the foundations-bugs mailing list