[Bug 1786471] Re: remove 1024D keys from ubuntu-keyring on older LTS

Dimitri John Ledkov launchpad at surgut.co.uk
Tue Oct 16 11:48:03 UTC 2018 

Yes, but older distros were dual signed with that key. So it should be
still shipped.

** Changed in: ubuntu-keyring (Ubuntu)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1786471

Title:
  remove 1024D keys from ubuntu-keyring on older LTS

Status in ubuntu-keyring package in Ubuntu:
  Won't Fix

Bug description:
  Zesty and later (LP: #1363482) are no longer shipping with 1024D keys
  but older LTS releases (Trusty/Xenial) still trust those weak keys:

  $ lsb_release -sc
  xenial

  $ apt-key list
  /etc/apt/trusted.gpg
  --------------------
  pub   1024D/437D05B5 2004-09-12
  uid                  Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>
  sub   2048g/79164387 2004-09-12

  pub   4096R/C0B21F32 2012-05-11
  uid                  Ubuntu Archive Automatic Signing Key (2012) <ftpmaster at ubuntu.com>

  pub   4096R/EFE21092 2012-05-11
  uid                  Ubuntu CD Image Automatic Signing Key (2012) <cdimage at ubuntu.com>

  pub   1024D/FBB75451 2004-12-30
  uid                  Ubuntu CD Image Automatic Signing Key <cdimage at ubuntu.com>

  On Xenial, I found no problem after deleting the 2 1024D keys:

  $ sudo apt-key del FBB75451
  $ sudo apt-key del 437D05B5
  $ sudo apt-get -qq update
  $ echo $? # returned 0

  On Trusty, it seems that removing the key 437D05B5 leads to warnings
  due to the double-signing:

  $ sudo apt-key del FBB75451
  $ sudo apt-key del 437D05B5
  $ sudo apt-get -qq update
  W: There is no public key available for the following key IDs:
  40976EAF437D05B5
  W: There is no public key available for the following key IDs:
  40976EAF437D05B5
  W: There is no public key available for the following key IDs:
  40976EAF437D05B5
  $ echo $? # returned 0

  It seems that "apt-get update" is still happy as it can validate using
  the stronger key.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1786471/+subscriptions

More information about the foundations-bugs mailing list