ubuntu-archive-publishing

Merge lp:~xnox/ubuntu-archive-publishing/gnupg2 into lp:ubuntu-archive-publishing

  1. gnupg2
  2. Merge into trunk
Proposed by Dimitri John Ledkov
Status: Merged
Merged at revision: 88
Proposed branch: lp:~xnox/ubuntu-archive-publishing/gnupg2
Merge into: lp:ubuntu-archive-publishing
Diff against target: 35 lines (+14/-4)
1 file modified
publish-distro.d/10-sign-releases (+14/-4)
To merge this branch: bzr merge lp:~xnox/ubuntu-archive-publishing/gnupg2
Reviewer Review Type Date Requested Status
Steve Langasek Needs Fixing
Lee Trager (community) Approve
Adam Conrad Pending
Brian Murray Pending
Review via email: mp+307171@code.launchpad.net

Description of the change

continue to use just the 1k DSA key for dist-upgrader tarballs.

From z-series and up, use just the 4k RSA key for both archive signing & dist-upgrader tarballs.

To post a comment you must log in.
lp:~xnox/ubuntu-archive-publishing/gnupg2 updated
89. By Dimitri John Ledkov

replace z-series with zesty.

Revision history for this message
Lee Trager (ltrager) wrote :

LGTM!

review: Approve
Revision history for this message
Steve Langasek (vorlon) :
review: Needs Fixing
Revision history for this message
Adam Conrad (adconrad) :
Revision history for this message
Steve Langasek (vorlon) wrote :

On Fri, Nov 04, 2016 at 09:23:37PM -0000, Adam Conrad wrote:

> We're trusting the 1024 key regardless of what we use to sign. If we sign
> with the 4096, someone can still MITM using a compromised 1024 key.

That's not an argument for continuing to sign with the 1024 key where we
know the 4096 key will work, though.

> If we're concerned about that, we should SRU a violent change to
> everything >= trusty to stop trusting the 1024 key. That could cause
> issues for people behind the curve trying to upgrade through old-releases
> though.

We should prefer *not* having to SRU a violent change, which means we
*should* take these small steps towards deprecating the 1024 key where
possible.

> I suspect this was done just to keep the diff low and reviewable, but I
> agree a second MP to change all the keys to long IDs would be sane (though
> collision attacks on pepo are not actually an issue).

Right, but I want consistency here - all references to a given key should
either be short id or long id, not a mix of both.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'publish-distro.d/10-sign-releases'
2--- publish-distro.d/10-sign-releases 2016-06-20 17:40:52 +0000
3+++ publish-distro.d/10-sign-releases 2016-11-03 23:00:00 +0000
4@@ -33,10 +33,16 @@
5 case $LPCONFIG in
6 ftpmaster-publish)
7 case "$series:$1" in
8- warty:*|hoary:*|breezy:*|dapper:*|edgy:*|feisty:*|gutsy:*|hardy:*|intrepid:*|jaunty:*|karmic:*|lucid:*|maverick:*|natty:*|oneiric:*|precise:*|*:*/dist-upgrader*)
9- printf '%s\n' "-u 437D05B5"
10- ;;
11- *)
12+ # Use 1024 key for old releases
13+ warty:*|hoary:*|breezy:*|dapper:*|edgy:*|feisty:*|gutsy:*|hardy:*|intrepid:*|jaunty:*|karmic:*|lucid:*|maverick:*|natty:*|oneiric:*|precise:*)
14+ printf '%s\n' "-u 437D05B5"
15+ ;;
16+ # Use single-signature, old 1024 key, for dist-upgrade tarballs (historical)
17+ quantal:*/dist-upgrader*|raring:*/dist-upgrader*|saucy:*/dist-upgrader*|trusty:*/dist-upgrader*|utopic:*/dist-upgrader*|vivid:*/dist-upgrader*|wily:*/dist-upgrader*|xenial:*/dist-upgrader*|yakkety:*/dist-upgrader*)
18+ printf '%s\n' "-u 437D05B5"
19+ ;;
20+ # Use dual-signatures for the archive, for a transitioning period
21+ quantal:*|raring:*|saucy:*|trusty:*|utopic:*|vivid:*|wily:*|xenial:*|yakkety:*)
22 # 437D05B5 and C0B21F32 have different digest
23 # preferences. GnuPG refuses to consider multiple
24 # signatures unless they use the same signature
25@@ -48,6 +54,10 @@
26 # SHA-512 for both.
27 printf '%s\n' "-u 437D05B5 -u C0B21F32 --digest-algo SHA512"
28 ;;
29+ *)
30+ # For zesty and up, including dist-upgrade tarballs, use 2012 4k RSA key only
31+ printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
32+ ;;
33 esac
34 ;;
35 derived-distro-publish)

Subscribers

People subscribed via source and target branches