Workaround for "Signature Key Uses Weak Algorithm"

[igorpecovnik]

Description

Due to crypto policy update, apt now (since v2.7.13, see the commit) requires repositories to be signed using one of the following public key algorithms:

• RSA with at least 2048-bit keys
• Ed25519
• Ed448

Affected: Ubuntu Oracular when adding Mesa PPA.

More info
https://ubuntuhandbook.org/index.php/2024/04/workaround-apt-warning-signature-key-uses-weak-algorithm/

Jira reference number AR-2359

How Has This Been Tested?

• https://github.com/armbian/os/actions/runs/9434613892

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• My changes generate no new warnings
• Any dependent changes have been merged and published in downstream modules

[ColorfulRhino]

Since this is a security warning, I would not disable it. Especially since this file /etc/apt/apt.conf.d/99weakkey-warning will then be there in the user's system even if we delete the workaround again. I'd rather ping the people upstream to use stronger signing keys.

Which ppas are affected? If it's the ones from @amazingfate it should be good if they harden their keys :)

[igorpecovnik]

Which ppas are affected?

oibaf mesa

I'd rather ping the people upstream to use stronger signing keys.

probably @toobaz

https://launchpad.net/~oibaf/+archive/ubuntu/graphics-drivers

[igorpecovnik]

Since this is a security warning, I would not disable it.

It is "still accepting it". But I agree doing this is not the best practice.

[ColorfulRhino]

Which ppas are affected?

oibaf mesa

I'd rather ping the people upstream to use stronger signing keys.

probably @toobaz

https://launchpad.net/~oibaf/+archive/ubuntu/graphics-drivers

I see. I would ask them and wait one or two weeks for a reply. If they don't answer, we can think about this approach.

If you @igorpecovnik don't have an Ubuntu account to see their email contact or to file a bug/question via launchpad, I can do that 👍

[rpardini]

Clearly a mis-timed land on Oracular; since Canonical runs Launchpad, they could've ensured their own PPA repos would be signed with the algos they now require. I'd simply wait, I'd bet any rebuild on the PPA will cause updates, and oibaf builds a lot.

[toobaz]

probably @toobaz

Sorry, I'm confused, why me?

[igorpecovnik]

Sorry, I'm confused, why me?

It was a blind guess that you are a maintainer of the PPA in question :) Apologise for the noise.

[ColorfulRhino]

Seems like this will fix itself automatically before the warning turns into an error:
https://answers.launchpad.net/launchpad/+question/809194

All the affected PPAs already have a new rsa4096 key generated for them. The only remaining things to do are to resign all the affected PPAs with the old and new keys and then update Launchpad to serve the only the new key.

So no need to interfere on our side.

[igorpecovnik]

Yeah, this hack can be closed.