Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Workaround for "Signature Key Uses Weak Algorithm" #6708

Closed
wants to merge 1 commit into from
Closed

Conversation

igorpecovnik
Copy link
Member

@igorpecovnik igorpecovnik commented Jun 9, 2024

Description

Due to crypto policy update, apt now (since v2.7.13, see the commit) requires repositories to be signed using one of the following public key algorithms:

  • RSA with at least 2048-bit keys
  • Ed25519
  • Ed448

Affected: Ubuntu Oracular when adding Mesa PPA.

More info
https://ubuntuhandbook.org/index.php/2024/04/workaround-apt-warning-signature-key-uses-weak-algorithm/

Jira reference number AR-2359

How Has This Been Tested?

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • My changes generate no new warnings
  • Any dependent changes have been merged and published in downstream modules

@github-actions github-actions bot added size/small PR with less then 50 lines Framework Framework components labels Jun 9, 2024
@igorpecovnik igorpecovnik added 08 Milestone: Third quarter release Needs review Seeking for review labels Jun 9, 2024
@ColorfulRhino
Copy link
Collaborator

Since this is a security warning, I would not disable it. Especially since this file /etc/apt/apt.conf.d/99weakkey-warning will then be there in the user's system even if we delete the workaround again. I'd rather ping the people upstream to use stronger signing keys.

Which ppas are affected? If it's the ones from @amazingfate it should be good if they harden their keys :)

@igorpecovnik
Copy link
Member Author

igorpecovnik commented Jun 9, 2024

Which ppas are affected?

oibaf mesa

I'd rather ping the people upstream to use stronger signing keys.

probably @toobaz

https://launchpad.net/~oibaf/+archive/ubuntu/graphics-drivers

@igorpecovnik
Copy link
Member Author

igorpecovnik commented Jun 9, 2024

Since this is a security warning, I would not disable it.

It is "still accepting it". But I agree doing this is not the best practice.

@ColorfulRhino
Copy link
Collaborator

Which ppas are affected?

oibaf mesa

I'd rather ping the people upstream to use stronger signing keys.

probably @toobaz

https://launchpad.net/~oibaf/+archive/ubuntu/graphics-drivers

I see. I would ask them and wait one or two weeks for a reply. If they don't answer, we can think about this approach.

If you @igorpecovnik don't have an Ubuntu account to see their email contact or to file a bug/question via launchpad, I can do that 👍

@rpardini
Copy link
Member

rpardini commented Jun 9, 2024

Clearly a mis-timed land on Oracular; since Canonical runs Launchpad, they could've ensured their own PPA repos would be signed with the algos they now require. I'd simply wait, I'd bet any rebuild on the PPA will cause updates, and oibaf builds a lot.

@igorpecovnik igorpecovnik added Backlog Stalled work that needs to be completed and removed Needs review Seeking for review labels Jun 9, 2024
@toobaz
Copy link

toobaz commented Jun 9, 2024

probably @toobaz

Sorry, I'm confused, why me?

@igorpecovnik
Copy link
Member Author

Sorry, I'm confused, why me?

It was a blind guess that you are a maintainer of the PPA in question :) Apologise for the noise.

@ColorfulRhino
Copy link
Collaborator

ColorfulRhino commented Jun 25, 2024

Seems like this will fix itself automatically before the warning turns into an error:
https://answers.launchpad.net/launchpad/+question/809194

All the affected PPAs already have a new rsa4096 key generated for them. The only remaining things to do are to resign all the affected PPAs with the old and new keys and then update Launchpad to serve the only the new key.

So no need to interfere on our side.

@igorpecovnik
Copy link
Member Author

Yeah, this hack can be closed.

@igorpecovnik igorpecovnik deleted the AR-2359 branch November 10, 2024 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
08 Milestone: Third quarter release Backlog Stalled work that needs to be completed Framework Framework components size/small PR with less then 50 lines
Development

Successfully merging this pull request may close these issues.

4 participants