new PPAs are re-using old 1024-bit RSA signing keys

Bug #1700167 reported by Steve Beattie
This bug affects 8 people
Affects: Launchpad itself | Status: In Progress | Importance: High | Assigned to: Colin Watson | Milestone: (not set)

Bug Description

According to bug 1240681, the default signing key size for launchpad PPAs was changed from 1024-bit to 4096-bit keys. However, I just created the test ppa:

  https://launchpad.net/~sbeattie/+archive/ubuntu/test-rsa-key-size

and launchpad is re-using an old 1024-bit key for this new ppa:

    http://keyserver.ubuntu.com:11371/pks/lookup?fingerprint=on&op=index&search=0xED54D72DF6AFA040A048E29467D1BEEF813B16C8

If the keys are per launchpad user rather than per PPA, then there is no way for an existing launchpad user to create a PPA with gpg keys that meet modern key size recommendations, without creating a new launchpad ID entirely (problematic for other reasons).
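Added example, not part of the report above and not Launchpad code: a small Python check that parses the machine-readable output of `gpg --with-colons --list-keys` (field layout per GnuPG's doc/DETAILS) and flags signing keys whose RSA/DSA modulus is below a chosen minimum, so a user can audit the PPA keys already in an apt keyring rather than trusting that new keys are 4096-bit. The sample listing is constructed: only the 1024-bit key's fingerprint (and the key ID derived from its last 16 hex digits) comes from the report; the dates, user IDs, subkey and the other two keys are illustrative. `check_keyring` shells out to a real `gpg` binary and is the only part that needs one.

```python
"""Flag OpenPGP signing keys (e.g. PPA keys) whose RSA/DSA size is too small.

Parses `gpg --with-colons` records: field 1 = record type, field 3 = key
length in bits, field 4 = public-key algorithm, field 5 = key ID, field 10 =
fingerprint (fpr record) or user ID (uid record).
"""
import subprocess
from dataclasses import dataclass, field

MIN_BITS = 2048  # assumed policy threshold; the bug asks for 4096 on new keys

# Public-key algorithm IDs from RFC 4880 / GnuPG DETAILS.
ALGO_NAMES = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ELG-E", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
# Algorithms for which the bit length is the strength measure; a 255-bit
# EdDSA key is not weak, so it is deliberately not in this set.
SIZE_GOVERNED = {1, 2, 3, 16, 17}


@dataclass
class Key:
    keyid: str
    bits: int
    algo: int
    fingerprint: str = ""
    uids: list = field(default_factory=list)
    subkeys: list = field(default_factory=list)  # (bits, algo) pairs

    @property
    def algo_name(self) -> str:
        return ALGO_NAMES.get(self.algo, f"algo{self.algo}")

    def weak_components(self, min_bits: int = MIN_BITS) -> list:
        """Return [(label, bits, algo)] for every component below min_bits."""
        weak = []
        if self.algo in SIZE_GOVERNED and self.bits < min_bits:
            weak.append(("primary", self.bits, self.algo))
        for bits, algo in self.subkeys:
            if algo in SIZE_GOVERNED and bits < min_bits:
                weak.append(("subkey", bits, algo))
        return weak

    def is_weak(self, min_bits: int = MIN_BITS) -> bool:
        return bool(self.weak_components(min_bits))


def parse_colons(text: str) -> list:
    """Parse gpg --with-colons output into Key objects (primary + subkeys)."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = Key(keyid=f[4], bits=int(f[2]), algo=int(f[3]))
            keys.append(cur)
        elif f[0] == "sub" and cur is not None:
            cur.subkeys.append((int(f[2]), int(f[3])))
        elif f[0] == "fpr" and cur is not None and not cur.fingerprint:
            cur.fingerprint = f[9]  # first fpr after pub is the primary key's
        elif f[0] == "uid" and cur is not None:
            cur.uids.append(f[9])
    return keys


def weak_keys(text: str, min_bits: int = MIN_BITS) -> list:
    return [k for k in parse_colons(text) if k.is_weak(min_bits)]


def check_keyring(keyring_path: str, min_bits: int = MIN_BITS) -> list:
    """Audit an on-disk keyring, e.g. a file under /etc/apt/trusted.gpg.d/."""
    out = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--with-colons", "--list-keys"],
        capture_output=True, text=True, check=True).stdout
    return weak_keys(out, min_bits)


# Constructed sample listing. Only the first key's fingerprint/key ID are from
# the bug report; everything else (dates, uids, the 4096-bit and EdDSA keys,
# the subkey) is made up for illustration.
SAMPLE = """\
tru::1:1700000000:0:3:1:5
pub:-:1024:1:67D1BEEF813B16C8:1300000000::-:::scESC::::::23::0:
fpr:::::::::ED54D72DF6AFA040A048E29467D1BEEF813B16C8:
uid:-::::1300000000::0000000000000000000000000000000000000000::Launchpad PPA for example-user::::::::::0:
pub:-:4096:1:0000000000000000:1500000000::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1500000000::0000000000000000000000000000000000000000::Launchpad PPA for example-team::::::::::0:
sub:-:4096:1:1111111111111111:1500000000::::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
pub:-:255:22:2222222222222222:1600000000::-:::scESC:::::ed25519:::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:-::::1600000000::0000000000000000000000000000000000000000::example eddsa key::::::::::0:
"""

if __name__ == "__main__":
    for k in weak_keys(SAMPLE):
        for label, bits, algo in k.weak_components():
            print(f"WEAK {k.fingerprint} {label} {bits}-bit "
                  f"{ALGO_NAMES.get(algo, algo)} {k.uids[:1]}")
```

Run against a real keyring with `check_keyring("/etc/apt/trusted.gpg.d/ppa-example.gpg")`; apt's `trusted.gpg.d` files are binary keyrings that gpg reads directly with `--keyring`. The check treats only RSA/DSA/Elgamal sizes as a strength measure, so short but strong curve keys are not reported.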


Thomas Ward (teward) wrote :

This could be solved by https://bugs.launchpad.net/launchpad/+bug/1331914 I think?

Colin Watson (cjwatson) wrote :

They're related, but I'd rather consider that bug as a dependency of this one (that is, first add the capability, then later roll over everything still using 1024-bit keys in bulk).

Olly Betts (ojwb) wrote :

Perhaps as an intermediate step deleting all PPAs for a user/team could be made to also delete their PPA key if it's shorter than what's currently being created for new PPAs? Then at least a user/team could delete their PPA(s) and recreate them rather than having to create a new user or team to get a secure PPA key.

Colin Watson (cjwatson)
Changed in launchpad:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
buhtz (buhtz) wrote :

Dear Mr. Watson,
are there any plans to work on that issue?

Olly Betts (ojwb) wrote :

> there is no way for an existing launchpad user to create a PPA with gpg keys that meet modern key size recommendations, without creating a new launchpad ID entirely (problematic for other reasons).

Clearly not ideal, but as a workaround creating a new team and then a PPA for that team gives you a PPA with a new key.
