[Bug 1461834] Re: 1024-bit signing keys should be deprecated
Seth Arnold
1461834 at bugs.launchpad.net
Wed May 29 00:34:13 UTC 2024
Jake, some progress is underway for Launchpad to automatically sign PPAs
with RSA4096 keys https://discourse.ubuntu.com/t/new-requirements-for-
apt-repository-signing-in-24-04/42854
It's also possible to dual-sign non-ppa repositories, eg:
curl -s http://archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease
| gpg --verify
This can really help migrating from unsafe key sizes to safe key sizes.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg2 in Ubuntu.
https://bugs.launchpad.net/bugs/1461834
Title:
1024-bit signing keys should be deprecated
Status in Launchpad itself:
New
Status in apt package in Ubuntu:
Invalid
Status in gnupg2 package in Ubuntu:
Confirmed
Bug description:
1024-bit RSA was deprecated years ago by NIST[1], Microsoft[2] and
more recently by others[3].
1024-bit signing keys are insufficient to guarantee the authenticity
of software distributed from Launchpad.net including PPAs. There
should be a mechanism to refuse signing keys below a minimum key
length based on key type. 1024-bit signing keys should be deprecated
and removed from Launchpad.net itself ASAP. Future projects and PPAs
should be disallowed from using 1024-bit signing keys.
1. http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
2. http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
3. https://threatpost.com/mozilla-1024-bit-cert-deprecation-leaves-107000-sites-untrusted/108114
To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1461834/+subscriptions
More information about the foundations-bugs
mailing list