[Bug 1798073] Re: [SRU] Provide 2018 archive signing key on stable releases

Dimitri John Ledkov launchpad at surgut.co.uk
Thu Nov 29 09:35:09 UTC 2018 

$ schroot -u root -c bionic-amd64
(bionic-amd64)root at ottawa:~# apt-key list
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      790B C727 7767 219C 42C8  6F93 3B4F E6AC C0B2 1F32
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2012) <ftpmaster at ubuntu.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage at ubuntu.com>

(bionic-amd64)root at ottawa:~# gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-
ubuntu-archive-keyring.gpg       ubuntu-archive-removed-keys.gpg  ubuntu-master-keyring.gpg
(bionic-amd64)root at ottawa:~# gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg -k       
gpg: /root/.gnupg/trustdb.gpg: trustdb created
/usr/share/keyrings/ubuntu-archive-keyring.gpg
----------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      790BC7277767219C42C86F933B4FE6ACC0B21F32
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2012) <ftpmaster at ubuntu.com>

pub   rsa4096 2012-05-11 [SC]
      843938DF228D22F7B3742BC0D94AA3F0EFE21092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage at ubuntu.com>

(bionic-amd64)root at ottawa:~# dpkg-query -W ubuntu-keyring
ubuntu-keyring	2016.10.27


Upgrading ubuntu-keyring

(bionic-amd64)root at ottawa:~# dpkg-query -W ubuntu-keyring
ubuntu-keyring	2018.09.18.1~18.04.0

# apt-key list
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      790B C727 7767 219C 42C8  6F93 3B4F E6AC C0B2 1F32
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2012) <ftpmaster at ubuntu.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage at ubuntu.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster at ubuntu.com>

(bionic-amd64)root at ottawa:~# gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg -k
/usr/share/keyrings/ubuntu-archive-keyring.gpg
----------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      790BC7277767219C42C86F933B4FE6ACC0B21F32
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2012) <ftpmaster at ubuntu.com>

pub   rsa4096 2012-05-11 [SC]
      843938DF228D22F7B3742BC0D94AA3F0EFE21092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage at ubuntu.com>

pub   rsa4096 2018-09-17 [SC]
      F6ECB3762474EDA9D21B7022871920D1991BC93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster at ubuntu.com>


No keys are removed, and only the 2018 key added as a snippet and in the keyring.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1798073

Title:
  [SRU] Provide 2018 archive signing key on stable releases

Status in ubuntu-keyring package in Ubuntu:
  Fix Released
Status in ubuntu-keyring source package in Bionic:
  Fix Committed

Bug description:
  [Impact]

   * For LTS releases to be able to bootstrap dual and single signed
  future releases, and validate all signatures, 2018 archive signing key
  should be SRUed back

   * Also build process has improved documentation and vague validation
  that all key snippets are signed correctly

  [Test Case]

   * $ apt-key list
  ...
  /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
  ------------------------------------------------------
  pub   rsa4096 2018-09-17 [SC]
        F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
  uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster at ubuntu.com>
  ...

  apt-key list should contain the 2018 archive key.

  [Regression Potential]

   * Build-process, key algo, and key size, and file format are the same
  as previous key snippets thus supported by all of gpg1 gpg2 gpgv1
  gpgv2.

  [Other Info]

   * 2018 key is to be used for dual-signing in DD series and up

   * Bileto PPA is built against security pocket only, suitable to be
  released into both -security and -updates

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1798073/+subscriptions

More information about the foundations-bugs mailing list