Merge lp:~xnox/ubuntu-archive-publishing/gnupg2 into lp:ubuntu-archive-publishing

Proposed by Dimitri John Ledkov
Status: Merged
Merged at revision: 88
Proposed branch: lp:~xnox/ubuntu-archive-publishing/gnupg2
Merge into: lp:ubuntu-archive-publishing
Diff against target: 35 lines (+14/-4)
1 file modified
publish-distro.d/10-sign-releases (+14/-4)
To merge this branch: bzr merge lp:~xnox/ubuntu-archive-publishing/gnupg2
Reviewer Review Type Date Requested Status
Steve Langasek Needs Fixing
Lee Trager (community) Approve
Adam Conrad Pending
Brian Murray Pending
Review via email: mp+307171@code.launchpad.net

Description of the change

Continue to use just the 1k DSA key for dist-upgrader tarballs.

From z-series and up, use just the 4k RSA key for both archive signing & dist-upgrader tarballs.

89. By Dimitri John Ledkov

replace z-series with zesty.

Lee Trager (ltrager) wrote :

LGTM!

review: Approve
Steve Langasek (vorlon) :
review: Needs Fixing
Adam Conrad (adconrad) :
Steve Langasek (vorlon) wrote :

On Fri, Nov 04, 2016 at 09:23:37PM -0000, Adam Conrad wrote:

> We're trusting the 1024 key regardless of what we use to sign. If we sign
> with the 4096, someone can still MITM using a compromised 1024 key.

That's not an argument for continuing to sign with the 1024 key where we
know the 4096 key will work, though.

> If we're concerned about that, we should SRU a violent change to
> everything >= trusty to stop trusting the 1024 key. That could cause
> issues for people behind the curve trying to upgrade through old-releases
> though.

We should prefer *not* having to SRU a violent change, which means we
*should* take these small steps towards deprecating the 1024 key where
possible.

> I suspect this was done just to keep the diff low and reviewable, but I
> agree a second MP to change all the keys to long IDs would be sane (though
> collision attacks on pepo are not actually an issue).

Right, but I want consistency here - all references to a given key should
either be short id or long id, not a mix of both.

Preview Diff

=== modified file 'publish-distro.d/10-sign-releases'
--- publish-distro.d/10-sign-releases 2016-06-20 17:40:52 +0000
+++ publish-distro.d/10-sign-releases 2016-11-03 23:00:00 +0000
@@ -33,10 +33,16 @@
33 case $LPCONFIG in33 case $LPCONFIG in
34 ftpmaster-publish)34 ftpmaster-publish)
35 case "$series:$1" in35 case "$series:$1" in
36 warty:*|hoary:*|breezy:*|dapper:*|edgy:*|feisty:*|gutsy:*|hardy:*|intrepid:*|jaunty:*|karmic:*|lucid:*|maverick:*|natty:*|oneiric:*|precise:*|*:*/dist-upgrader*)36 # Use 1024 key for old releases
37 printf '%s\n' "-u 437D05B5"37 warty:*|hoary:*|breezy:*|dapper:*|edgy:*|feisty:*|gutsy:*|hardy:*|intrepid:*|jaunty:*|karmic:*|lucid:*|maverick:*|natty:*|oneiric:*|precise:*)
38 ;;38 printf '%s\n' "-u 437D05B5"
39 *)39 ;;
40 # Use single-signature, old 1024 key, for dist-upgrade tarballs (historical)
41 quantal:*/dist-upgrader*|raring:*/dist-upgrader*|saucy:*/dist-upgrader*|trusty:*/dist-upgrader*|utopic:*/dist-upgrader*|vivid:*/dist-upgrader*|wily:*/dist-upgrader*|xenial:*/dist-upgrader*|yakkety:*/dist-upgrader*)
42 printf '%s\n' "-u 437D05B5"
43 ;;
44 # Use dual-signatures for the archive, for a transitioning period
45 quantal:*|raring:*|saucy:*|trusty:*|utopic:*|vivid:*|wily:*|xenial:*|yakkety:*)
40 # 437D05B5 and C0B21F32 have different digest46 # 437D05B5 and C0B21F32 have different digest
41 # preferences. GnuPG refuses to consider multiple47 # preferences. GnuPG refuses to consider multiple
42 # signatures unless they use the same signature48 # signatures unless they use the same signature
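Review bot: The dist-upgrader arm at new line 41 only takes effect because it sits above the `quantal:*|...|yakkety:*` arm at new line 45, since `case` uses the first matching pattern, and no comment says so; if the two arms were ever reordered, the dist-upgrader tarballs for those series would pick up the dual-signature arguments instead. Suggest a comment stating the ordering dependency, and having the comment at new line 40 say why these tarballs stay single-signed with the old key rather than only "(historical)". The quantal-to-yakkety series list is also written out twice (new lines 41 and 45), so the two copies can drift apart; matching the series once and branching on `$1` in a nested `case` would keep the list in one place.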
@@ -48,6 +54,10 @@
48 # SHA-512 for both.54 # SHA-512 for both.
49 printf '%s\n' "-u 437D05B5 -u C0B21F32 --digest-algo SHA512"55 printf '%s\n' "-u 437D05B5 -u C0B21F32 --digest-algo SHA512"
50 ;;56 ;;
57 *)
58 # For zesty and up, including dist-upgrade tarballs, use 2012 4k RSA key only
59 printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
60 ;;
51 esac61 esac
52 ;;62 ;;
53 derived-distro-publish)63 derived-distro-publish)
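Review bot: The new default arm at new line 59 names the RSA key by its full fingerprint, while the dual-signature arm at new line 55 still passes `-u 437D05B5 -u C0B21F32`, so the key ending in C0B21F32 is referenced two different ways within a few lines. Suggest using full fingerprints for every `-u` in this file so each key is named one way throughout. The `*)` arm also now catches any series name not listed above, including a mistyped one, so a comment saying that unlisted series deliberately get the RSA-only signature would help. The context comment explains the SHA-512 override only for the dual-signature case; the comment at new line 58 should say whether `--digest-algo SHA512` on line 59 is intentional for the single-key case as well.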
