[Bug 1809027] Re: Make retired Ubuntu keyrings available from the archive

Scott Moser ssmoser2+ubuntu at gmail.com
Tue Dec 18 19:22:41 UTC 2018


The easiest thing to do would be to just ship a keyring that had the
obsolete public signing keys.  Then the consumer could hard-code
that 'precise' was signed with keys A, B, C, and work stuff out like
that.

Alternatively, possibly we might want to deliver some distro-info-like
data.

ubuntu-release|
fingerprint | status | used-releases
790BC7277767219C42C86F933B4FE6ACC0B21F32 | expired | precise quantal raring saucy trusty utopic ...
F6ECB3762474EDA9D21B7022871920D1991BC93C | current | trusty utopic vivid wily xenial yakkety ...

Then the consumer expecting to verify 'precise' data could determine
they should use the 790B key.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1809027

Title:
  Make retired Ubuntu keyrings available from the archive

Status in ubuntu-keyring package in Ubuntu:
  New

Bug description:
  Currently, if an Ubuntu developer (or their code) is attempting to
  interact with the precise archive (which is still supported in some
  form via ESM) from a machine running bionic or later, they will run
  into issues verifying signatures, because the keys used to sign the
  precise archive are no longer included in the default keyring as of
  bionic.

  (Some form of this problem will present every time an archive key
  rotation happens; eventually the old key will no longer be trusted,
  and similar failures to the ones today will occur.)

  Whilst the old keys should never be used by the system's apt (or other
  installed software), it would be good if there were some way to
  install those keys from the archives for projects which knowingly want
  to use the older signatures.  (The old keys should be in a path that
  isn't currently used by anything, so that they have to be explicitly
  used.)

  (This bug came out of a discussion on
  https://code.launchpad.net/~smoser/vmbuilder/mfdiff-apt-key-transition/+merge/313797.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1809027/+subscriptions
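
The fingerprint table sketched in the message above, worked through as an added example (not code from the original post or from ubuntu-keyring). The column layout and the two rows are taken from the message; the function names, the parsing rules and the `allow_retired` opt-in are assumptions made for illustration.

```python
import re

# Rows copied from the message above; "..." marks releases the message
# elided and is ignored by the parser.
SAMPLE = """\
fingerprint | status | used-releases
790BC7277767219C42C86F933B4FE6ACC0B21F32 | expired | precise quantal raring saucy trusty utopic ...
F6ECB3762474EDA9D21B7022871920D1991BC93C | current | trusty utopic vivid wily xenial yakkety ...
"""

# Require the full 40-hex-digit fingerprint; short key IDs are not unique.
FPR_RE = re.compile(r"[0-9A-F]{40}")


def parse_key_table(text):
    """Return a list of dicts with keys: fingerprint, status, releases."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("fingerprint"):
            continue  # blank line or header row
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        fpr, status, releases = fields
        if not FPR_RE.fullmatch(fpr):
            raise ValueError(f"line {lineno}: not a 40-hex-digit fingerprint")
        rows.append({"fingerprint": fpr, "status": status,
                     "releases": {r for r in releases.split() if r != "..."}})
    return rows


def fingerprints_for(release, rows, allow_retired=False):
    """Fingerprints a consumer should accept for `release`.

    Keys whose status is not "current" are returned only when the caller
    opts in, so a retired key is never trusted by default.
    """
    matches = [r for r in rows if release in r["releases"]]
    if not allow_retired:
        matches = [r for r in matches if r["status"] == "current"]
    return [r["fingerprint"] for r in matches]
```

A consumer verifying 'precise' data has to pass `allow_retired=True` to get the 790B key back, which mirrors the bug description's requirement that old keys be used only explicitly.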


