Ubuntu
ubuntu-keyring package

Ship 2018 Archive key in xenial's ubuntu-keyring

Bug #1881278 reported by Dimitri John Ledkov
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ubuntu-keyring (Ubuntu)
Invalid
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned

Bug Description

[Impact]

 * Xenial systems will not be able to debootstrap Groovy archives when it finally switches to be signed by single 2018 key. To have support for xenial to operate against Groovy+ archives it needs access to 2018 archive key. Ship it.

[Test Case]

 * Start xenial chroot or lxd container.
 * Observe that 4 keys are trusted - the original 2004 archive & cdimage, 2012 archive & cdimage

# apt-key list --fingerprint
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
      Key fingerprint = 6302 39CC 130E 1A7F D81A 27B1 4097 6EAF 437D 05B5
uid Ubuntu Archive Automatic Signing Key <email address hidden>
sub 2048g/79164387 2004-09-12

pub 4096R/C0B21F32 2012-05-11
      Key fingerprint = 790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32
uid Ubuntu Archive Automatic Signing Key (2012) <email address hidden>

pub 4096R/EFE21092 2012-05-11
      Key fingerprint = 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>

pub 1024D/FBB75451 2004-12-30
      Key fingerprint = C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451
uid Ubuntu CD Image Automatic Signing Key <email address hidden>

  * Install the new ubuntu-keyring package
  * Observe that 5 keys are now trusted, including the 2018 archive key

# apt-key list --fingerprint
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
      Key fingerprint = 6302 39CC 130E 1A7F D81A 27B1 4097 6EAF 437D 05B5
uid Ubuntu Archive Automatic Signing Key <email address hidden>
sub 2048g/79164387 2004-09-12

pub 4096R/C0B21F32 2012-05-11
      Key fingerprint = 790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32
uid Ubuntu Archive Automatic Signing Key (2012) <email address hidden>

pub 4096R/EFE21092 2012-05-11
      Key fingerprint = 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>

pub 1024D/FBB75451 2004-12-30
      Key fingerprint = C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451
uid Ubuntu CD Image Automatic Signing Key <email address hidden>

pub 4096R/991BC93C 2018-09-17
      Key fingerprint = F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid Ubuntu Archive Automatic Signing Key (2018) <email address hidden>

  * Dist upgrade to bionic
  * Observe that only 3 keys are trusted the 2012 cdimage&archive + 2018 key, and that none of them are in /etc/apt/trusted.gpg but are key snippets in /etc/apt/trusted.gpg.d/

# apt-key list
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
      790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32
uid [ unknown] Ubuntu Archive Automatic Signing Key (2012) <email address hidden>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <email address hidden>

[Regression Potential]

 * Adding additional new trust key can trigger support request (aka why are you adding this key on xenial). The reason to add this key on xenial, is for xenial to allow securely debootstrap and operate on Groovy+ repositories which are about to drop 2012 key signatures.

[Other Info]

 * Bionic switched from shipping keys in /etc/apt/trusted.gpg keyring, to individual snippets. Thus xenial's upload that adds the future key to /etc/apt/trusted.gpg should also remove it, during upgrade to bionic. To ensure that the systems upgraded from xenial to bionic, look the same as those that are fresh bionic installations.

Dimitri John Ledkov (xnox)
Changed in ubuntu-keyring (Ubuntu):
status: New → Invalid
Changed in ubuntu-keyring (Ubuntu Xenial):
status: New → Triaged
Dimitri John Ledkov (xnox)
Changed in ubuntu-keyring (Ubuntu Xenial):
status: Triaged → In Progress
Francis Ginther (fginther)
tags: added: id-5ed0fe766b5a0d2127bda2d0
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Dimitri, or anyone else affected,

Accepted ubuntu-keyring into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-keyring/2012.05.19.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-keyring (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-keyring/2012.05.19.1)

All autopkgtests for the newly accepted ubuntu-keyring (2012.05.19.1) for xenial have finished running.
The following regressions have been reported in tests triggered by the package:

apt/1.2.32ubuntu0.1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/xenial/update_excuses.html#ubuntu-keyring

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

# apt install ubuntu-keyring
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  ubuntu-keyring
1 upgraded, 0 newly installed, 0 to remove and 90 not upgraded.
Need to get 18.4 kB of archives.
After this operation, 14.3 kB disk space will be freed.
Get:1 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 ubuntu-keyring all 2012.05.19.1 [18.4 kB]
Fetched 18.4 kB in 0s (194 kB/s)
(Reading database ... 12323 files and directories currently installed.)
Preparing to unpack .../ubuntu-keyring_2012.05.19.1_all.deb ...
Unpacking ubuntu-keyring (2012.05.19.1) over (2012.05.19) ...
Setting up ubuntu-keyring (2012.05.19.1) ...
gpg: key 437D05B5: "Ubuntu Archive Automatic Signing Key <email address hidden>" not changed
gpg: key FBB75451: "Ubuntu CD Image Automatic Signing Key <email address hidden>" not changed
gpg: key C0B21F32: "Ubuntu Archive Automatic Signing Key (2012) <email address hidden>" not changed
gpg: key EFE21092: "Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>" not changed
gpg: key 991BC93C: public key "Ubuntu Archive Automatic Signing Key (2018) <email address hidden>" import
ed
gpg: Total number processed: 5
gpg: imported: 1 (RSA: 1)
gpg: unchanged: 4

Correctly tested that there were 4 keys, 5 keys including the 2018 one after installing the upgraded, and that just the 3 keysnippets are present upon dist-upgrade to bionic.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-keyring - 2012.05.19.1

---------------
ubuntu-keyring (2012.05.19.1) xenial; urgency=medium

  * Add 4096R/991BC93C Ubuntu Archive Automatic Signing Key (2018)
    <email address hidden> to ubuntu-archive-keyring. LP: #1881278

 -- Dimitri John Ledkov <email address hidden> Fri, 29 May 2020 12:58:19 +0100

Changed in ubuntu-keyring (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for ubuntu-keyring has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.