[Bug 1809027] Re: Make retired Ubuntu keyrings available from the archive

[Dimitri John Ledkov]

Removed keys, which are no longer in use by the current series by have
been used by previous series are always shipped in the
/usr/share/keyrings/ubuntu-archive-removed-keys.gpg and similar, which
are not trusted by the new systems by default.

So I'm not sure what you are asking for ubuntu-keyring to ship. We
always provide all the keys that have been ever in use.

** Changed in: ubuntu-keyring (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1809027

Title:
  Make retired Ubuntu keyrings available from the archive

Status in ubuntu-keyring package in Ubuntu:
  Invalid

Bug description:
  Currently, if an Ubuntu developer (or their code) is attempting to
  interact with the precise archive (which is still supported in some
  form via ESM) from a machine running bionic or later, they will run in
  to issues verifying signatures, because the keys used to sign the
  precise archive are no longer included in the default keyring as of
  bionic.

  (Some form of this problem will present every time an archive key
  rotation happens; eventually the old key will no longer be trusted,
  and similar failures to the ones today will occur.)

  Whilst the old keys should never be used by the system's apt (or other
  installed software), it would be good if there were some way to
  install those keys from the archives for projects which knowingly want
  to use the older signatures.  (The old keys should be in a path that
  isn't currently used by anything, so that they have to be explicitly
  used.)

  (This bug came out of a discussion on
  https://code.launchpad.net/~smoser/vmbuilder/mfdiff-apt-key-
  transition/+merge/313797.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1809027/+subscriptions