touch-packages team mailing list archive

Thread
Date

[Bug 1363480] [NEW] ubuntu-keyring imports the Ubuntu CD Signing Key as a key trusted by apt

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Philipp Kern <phil+launchpad@xxxxxxxxxxx>
Date: Sat, 30 Aug 2014 18:38:05 -0000
Reply-to: Bug 1363480 <1363480@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Please take this with a grain of salt as I'm not reporting it with a
clean trusty install at my fingertips.

ubuntu-keyring ships a /usr/share/keyrings/ubuntu-archive-keyring.gpg
file that contains the Ubuntu CD Signing Keys (old and new):

 % gpg /usr/share/keyrings/ubuntu-archive-keyring.gpg
pub  1024D/437D05B5 2004-09-12 Ubuntu Archive Automatic Signing Key <ftpmaster@xxxxxxxxxx>
sub  2048g/79164387 2004-09-12
pub  1024D/FBB75451 2004-12-30 Ubuntu CD Image Automatic Signing Key <cdimage@xxxxxxxxxx>
pub  4096R/C0B21F32 2012-05-11 Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@xxxxxxxxxx>
pub  4096R/EFE21092 2012-05-11 Ubuntu CD Image Automatic Signing Key (2012) <cdimage@xxxxxxxxxx>

They end up being trusted by apt because the keyring is taken as the
initial trusted key set in /etc/apt/trusted.gpg. This is most likely not
what we want.

** Affects: ubuntu-keyring (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1363480

Title:
  ubuntu-keyring imports the Ubuntu CD Signing Key as a key trusted by
  apt

Status in “ubuntu-keyring” package in Ubuntu:
  New

Bug description:
  Please take this with a grain of salt as I'm not reporting it with a
  clean trusty install at my fingertips.

  ubuntu-keyring ships a /usr/share/keyrings/ubuntu-archive-keyring.gpg
  file that contains the Ubuntu CD Signing Keys (old and new):

   % gpg /usr/share/keyrings/ubuntu-archive-keyring.gpg
  pub  1024D/437D05B5 2004-09-12 Ubuntu Archive Automatic Signing Key <ftpmaster@xxxxxxxxxx>
  sub  2048g/79164387 2004-09-12
  pub  1024D/FBB75451 2004-12-30 Ubuntu CD Image Automatic Signing Key <cdimage@xxxxxxxxxx>
  pub  4096R/C0B21F32 2012-05-11 Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@xxxxxxxxxx>
  pub  4096R/EFE21092 2012-05-11 Ubuntu CD Image Automatic Signing Key (2012) <cdimage@xxxxxxxxxx>

  They end up being trusted by apt because the keyring is taken as the
  initial trusted key set in /etc/apt/trusted.gpg. This is most likely
  not what we want.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1363480/+subscriptions

Follow ups

[Bug 1363480] [NEW] ubuntu-keyring imports the Ubuntu CD Signing Key as a key trusted by apt
From: Philipp Kern, 2014-08-30

References

[Bug 1363480] [NEW] ubuntu-keyring imports the Ubuntu CD Signing Key as a key trusted by apt
From: Philipp Kern, 2014-08-30