ubuntu-archive-publishing

Merge lp:~xnox/ubuntu-archive-publishing/migrate-dist-upgrade-to-4k into lp:ubuntu-archive-publishing

migrate-dist-upgrade-to-4k
Merge into trunk

Proposed by Dimitri John Ledkov on 2016-11-17

Status:	Merged
Merged at revision:	91
Proposed branch:	lp:~xnox/ubuntu-archive-publishing/migrate-dist-upgrade-to-4k
Merge into:	lp:ubuntu-archive-publishing
Diff against target:	47 lines (+14/-19) 1 file modified publish-distro.d/10-sign-releases (+14/-19)
To merge this branch:	bzr merge lp:~xnox/ubuntu-archive-publishing/migrate-dist-upgrade-to-4k
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Adam Conrad	2016-11-17	Pending
Brian M Murray	2016-11-17	Pending
Steve Langasek	2016-11-17	Pending
Ubuntu Package Archive Administrators	2016-11-17	Pending
Review via email: mp+311181@code.launchpad.net

Description of the change

* Use full fingerprints throughout for signing
* Migrated utopic..yakkety upgrade tarballs to a single 4k key

Revision history for this message

Steve Langasek (vorlon) on 2016-11-17:

lp:~xnox/ubuntu-archive-publishing/migrate-dist-upgrade-to-4k updated on 2016-11-18

92. By Dimitri John Ledkov on 2016-11-18: Drop digest specification, for single key sigs, use key's prefered default.

Revision history for this message

Dimitri John Ledkov (xnox) on 2016-11-18:

Revision history for this message

Steve Langasek (vorlon) wrote on 2016-11-18:

On Fri, Nov 18, 2016 at 02:34:35PM -0000, Dimitri John Ledkov wrote:

> I have no way to check the key preferences. I assume they are sane.
> Removed the extra arg. Hopefully, we will soon transition to 8K keys and
> SHA3.

In fact, the current prefs on the key will *not* do what we want without
this argument:

Digest: SHA256, SHA1, SHA384, SHA512, SHA224

I wasn't asking you to drop this arg, now the branch is not in a state that
we can merge :) I was asking whether this was the way we want to do this
going forward or if we should fix the digest preferences on the key.

I'm not sure which is the more obvious place for us to enforce this.

Revision history for this message

Adam Conrad (adconrad) wrote on 2016-11-21:

> I'm not sure which is the more obvious place for us to enforce this.

I think the more transparent place to enforce it is in the code. Maybe the keys in the keyring should have better defaults, but if we want a specific digest, we should be explicit about that in the code, not implicitly hope that the keyring has it set how we want (even if/when it does).

Revision history for this message

Steve Langasek (vorlon) wrote on 2016-11-21:

On Mon, Nov 21, 2016 at 04:47:59PM -0000, Adam Conrad wrote:
> > I'm not sure which is the more obvious place for us to enforce this.

> I think the more transparent place to enforce it is in the code. Maybe
> the keys in the keyring should have better defaults, but if we want a
> specific digest, we should be explicit about that in the code, not
> implicitly hope that the keyring has it set how we want (even if/when it
> does).

Ok, then Dimitri should revert the last change and we should land this :)

lp:~xnox/ubuntu-archive-publishing/migrate-dist-upgrade-to-4k updated on 2016-11-25

93. By Dimitri John Ledkov on 2016-11-25: Encode digest-algo in the code, update comments for consistency and clarity.
94. By Dimitri John Ledkov on 2016-11-25: Merge trunk

Revision history for this message

Dimitri John Ledkov (xnox) wrote on 2016-11-25:

Encoded all ubuntu) digests into the command lines, and updated comments to match that we are encoding digests in the code from now on.

Hopefully, the transition to 8k key with SHA-3 digest algo will go more smooth.

Revision history for this message

Dimitri John Ledkov (xnox) wrote on 2016-11-29:

Could this please be merged, and dist-upgrade tarballs: xenial, yakkety and zesty resigned?

Revision history for this message

Brian Murray (brian-murray) wrote on 2016-11-29:

We decided, in #ubuntu-release, that I'd reupload ubuntu-release-upgrader that way we can have it in -proposed for testing rather than resigning.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Dimitri John Ledkov

Ubuntu Package Archive Administrators

alfred hudson

 === modified file 'publish-distro.d/10-sign-releases'
 --- publish-distro.d/10-sign-releases	2016-11-03 22:59:49 +0000
 +++ publish-distro.d/10-sign-releases	2016-11-25 16:19:29 +0000
@@ -33,29 +33,24 @@
  	case $LPCONFIG in
  	    ftpmaster-publish)
  		case "$series:$1" in
--		    # Use 1024 key for old releases
++		    # Use single-signature 1024 key SHA1 for old releases
  		    warty:*|hoary:*|breezy:*|dapper:*|edgy:*|feisty:*|gutsy:*|hardy:*|intrepid:*|jaunty:*|karmic:*|lucid:*|maverick:*|natty:*|oneiric:*|precise:*)
--			printf '%s\n' "-u 437D05B5"
--			;;
--		    # Use single-signature, old 1024 key, for dist-upgrade tarballs (historical)
--		    quantal:*/dist-upgrader*|raring:*/dist-upgrader*|saucy:*/dist-upgrader*|trusty:*/dist-upgrader*|utopic:*/dist-upgrader*|vivid:*/dist-upgrader*|wily:*/dist-upgrader*|xenial:*/dist-upgrader*|yakkety:*/dist-upgrader*)
--			printf '%s\n' "-u 437D05B5"
--			;;
--		    # Use dual-signatures for the archive, for a transitioning period
++			printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 --digest-algo SHA1"
++			;;
++		    # Use single-signature 1024 key SHA1 for upgrades from distributions with 1k key only
++		    quantal:*/dist-upgrader*|raring:*/dist-upgrader*|saucy:*/dist-upgrader*|trusty:*/dist-upgrader*)
++			printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 --digest-algo SHA1"
++			;;
++		    # Use single-signature 4096 key SHA512 for upgrades from distributions with 4k present
++		    utopic:*/dist-upgrader*|vivid:*/dist-upgrader*|wily:*/dist-upgrader*|xenial:*/dist-upgrader*|yakkety:*/dist-upgrader*)
++			printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
++			;;
++		    # Use dual-signatures 1024 & 4096 keys SHA512 for the archive, for a transitioning period, to allow e.g. precise .0 to bootstrap any of these
  		    quantal:*|raring:*|saucy:*|trusty:*|utopic:*|vivid:*|wily:*|xenial:*|yakkety:*)
--			# 437D05B5 and C0B21F32 have different digest
--			# preferences.  GnuPG refuses to consider multiple
--			# signatures unless they use the same signature
--			# class and digest algorithm.  We must therefore
--			# force the digest algorithm to something both keys
--			# can do.  Fortunately, gpg supports SHA-512 hashes
--			# with 1024-bit DSA keys by way of taking the
--			# leftmost 160 bits of the hash; so we can use
--			# SHA-512 for both.
--			printf '%s\n' "-u 437D05B5 -u C0B21F32 --digest-algo SHA512"
++			printf '%s\n' "-u 0x630239CC130E1A7FD81A27B140976EAF437D05B5 -u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
  			;;
  		    *)
--		    # For zesty and up, including dist-upgrade tarballs, use 2012 4k RSA key only
++		    # Use single-signature 4096 key SHA512 for zesty and up, including dist-upgrade tarballs
  			printf '%s\n' "-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 --digest-algo SHA512"
  			;;
  		esac

ubuntu-archive-publishing

Merge lp:~xnox/ubuntu-archive-publishing/migrate-dist-upgrade-to-4k into lp:ubuntu-archive-publishing

Commit message

Description of the change

Preview Diff

Subscribers