[Bug 1786471] [NEW] remove 1024D keys from ubuntu-keyring on older LTS
Simon Déziel
1786471 at bugs.launchpad.net
Fri Aug 10 13:01:03 UTC 2018
*** This bug is a security vulnerability ***
Public security bug reported:
Zesty and later (LP: #1363482) are no longer shipping with 1024D keys
but older LTS releases (Trusty/Xenial) still trust those weak keys:
$ lsb_release -sc
xenial
$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>
sub 2048g/79164387 2004-09-12
pub 4096R/C0B21F32 2012-05-11
uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster at ubuntu.com>
pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage at ubuntu.com>
pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage at ubuntu.com>
On Xenial, I found no problem after deleting the 2 1024D keys:
$ sudo apt-key del 2A38B3EB
$ sudo apt-key del 437D05B5
$ sudo apt-get -qq update
$ echo $? # returned 0
On Trusty, it seems that removing the key 437D05B5 leads to warnings due to the double-signing:
$ sudo apt-key del 2A38B3EB
$ sudo apt-key del 437D05B5
$ sudo apt-get -qq update
W: There is no public key available for the following key IDs:
40976EAF437D05B5
W: There is no public key available for the following key IDs:
40976EAF437D05B5
W: There is no public key available for the following key IDs:
40976EAF437D05B5
$ echo $? # returned 0
It seems that "apt-get update" is still happy as it can validate using
the stronger key.
** Affects: ubuntu-keyring (Ubuntu)
Importance: Undecided
Status: New
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1786471
Title:
remove 1024D keys from ubuntu-keyring on older LTS
Status in ubuntu-keyring package in Ubuntu:
New
Bug description:
Zesty and later (LP: #1363482) are no longer shipping with 1024D keys
but older LTS releases (Trusty/Xenial) still trust those weak keys:
$ lsb_release -sc
xenial
$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>
sub 2048g/79164387 2004-09-12
pub 4096R/C0B21F32 2012-05-11
uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster at ubuntu.com>
pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage at ubuntu.com>
pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <cdimage at ubuntu.com>
On Xenial, I found no problem after deleting the 2 1024D keys:
$ sudo apt-key del 2A38B3EB
$ sudo apt-key del 437D05B5
$ sudo apt-get -qq update
$ echo $? # returned 0
On Trusty, it seems that removing the key 437D05B5 leads to warnings due to the double-signing:
$ sudo apt-key del 2A38B3EB
$ sudo apt-key del 437D05B5
$ sudo apt-get -qq update
W: There is no public key available for the following key IDs:
40976EAF437D05B5
W: There is no public key available for the following key IDs:
40976EAF437D05B5
W: There is no public key available for the following key IDs:
40976EAF437D05B5
$ echo $? # returned 0
It seems that "apt-get update" is still happy as it can validate using
the stronger key.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1786471/+subscriptions
More information about the foundations-bugs
mailing list