APT 2.7.13 just landed in unstable and with GnuPG 2.4.5 installed,
or 2.4.4 with a backport from the 2.4 branch, requires repositories
to be signed using one of

- RSA keys of at least 2048 bit
- Ed25519
- Ed448

Any other keys will cause warnings. These warnings will become
errors in March as we harden it up for the Ubuntu 24.04 release,
which was the main driver to do the change *now*.

If you operate third-party repositories using different key
algorithms, now is your time to migrate before you get hit
with an error.

For the Ubuntu perspective, feel free to check out the discourse
post:

https://discourse.ubuntu.com/t/new-requirements-for-apt-repository-signing-in-24-04/42854

On Wed, 2024-02-28 at 20:20 +0100, Julian Andres Klode wrote:
> APT 2.7.13 just landed in unstable and with GnuPG 2.4.5 installed,
> or 2.4.4 with a backport from the 2.4 branch, requires repositories
> to be signed using one of
> - RSA keys of at least 2048 bit
> - Ed25519
> - Ed448
> Any other keys will cause warnings. These warnings will become
> errors in March as we harden it up for the Ubuntu 24.04 release,
> which was the main driver to do the change *now*.
> If you operate third-party repositories using different key
> algorithms, now is your time to migrate before you get hit
> with an error.
> For the Ubuntu perspective, feel free to check out the discourse
> post:
> https://discourse.ubuntu.com/t/new-requirements-for-apt-repository-signing-in-24-04/42854

Hi,

Could I be pointed to the public conversation, any plans or bug reports related to this
update and transition etc. for affected users?

> Any other keys will cause warnings. These warnings will become
> errors in March as we harden it up for the Ubuntu 24.04 release

Perhaps the announcement should have been sent earlier than 28th Feb then. Or
is there a mistake and they will become errors at a later date?

> APT 2.7.13 just landed in unstable and with GnuPG 2.4.5 installed,
> requires repositories
> to be signed using one of
> - RSA keys of at least 2048 bit
> - Ed25519
> - Ed448
> Any other keys will cause warnings. These warnings will become
> errors in March

I talked to David in #debian-devel and had a look at apt commit 50e3fee26a.
This change requires a version of gpgv with support for the
--assert-pubkey-algo commandline argument. The version of gnupg2 in unstable
or experimental does not include this, so it seems we cannot currently test
this in Debian.

Furthermore, if you really need support for repositories with fewer RSA bits
even after a new version of gnupg2 lands in Debian, you can change the apt
configuration APT::Key::Assert-Pubkey-Algo which has a default value of
">=rsa2048,ed25519,ed448" to something else or set it to the empty string
to entirely disable this functionality.

Maybe this helps someone.

It does - but also makes me wonder: is this going to affect Debian users
with 3rd party repositories when they upgrade to trixie? (or is that not
yet known?)
(release-notes do say to remove all 3rd party packages before upgrades
but I suspect that is ignored: helpful to provide a heads-up anyway)
In theory. I don't know if there are any statistics on 'popular'
3rdparty repositories and their keys. But assuming they're doing key
Hm. My own private repo should be ok (3072R), but my Launchpad PPAs incidentally are not okay (1024D).
Since this comes from Canonical, they really should message all
affected Launchpad users and tell them how to rotate their PPAs’ keys
(I vaguely recall searching for that and not finding it once).
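
For repository operators who want to check their own signing keys against the default `APT::Key::Assert-Pubkey-Algo` value quoted in the thread, the following is an added example, not code from APT, gpgv or any participant. It parses `gpg --show-keys --with-colons` style output and applies a simplified model of the policy list (exact names plus size comparisons for RSA/DSA/ElGamal); the key IDs and listing are constructed, and the operator semantics are an assumption read off the default string.

```python
import re

# Default value of APT::Key::Assert-Pubkey-Algo as quoted in the thread.
DEFAULT_SPEC = ">=rsa2048,ed25519,ed448"
SIZED = {1: "rsa", 16: "elg", 17: "dsa"}  # OpenPGP algo ids named by bit length
OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
       "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}

# Constructed sample of `gpg --show-keys --with-colons` output (not real keys).
SAMPLE = """\
pub:-:3072:1:1111111111111111:1700000000:::-:::scESC::::::23::0:
uid:-::::1700000000::::Constructed Repo <repo@example.invalid>::::::::::0:
pub:-:255:22:2222222222222222:1700000000:::-:::scSC:::::ed25519:::0:
sub:-:255:18:3333333333333333:1700000000::::::e:::::cv25519::
pub:-:1024:17:4444444444444444:1200000000:::-:::scESC::::::::0:
"""

def signing_keys(listing):
    """Return [(keyid, algo)] for pub/sub records that can sign."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        # field 12 (f[11]) holds capabilities; lowercase 's' = this key signs
        if f[0] not in ("pub", "sub") or len(f) < 17 or "s" not in f[11]:
            continue
        algo = int(f[3])
        # sized algorithms are named family+bits; ECC keys by curve (field 17)
        keys.append((f[4], SIZED[algo] + f[2] if algo in SIZED else f[16].lower()))
    return keys

def satisfies(algo, spec=DEFAULT_SPEC):
    """Simplified policy model: exact names plus RSA/DSA/ELG size comparisons."""
    if not spec.strip():
        return True  # empty string disables the check, as noted in the thread
    sized = r"(rsa|dsa|elg)(\d+)"
    have = re.fullmatch(sized, algo)
    for term in filter(None, re.split(r"[,\s]+", spec.strip())):
        op, name = re.fullmatch(r"(>=|<=|>|<|=)?(.+)", term).groups()
        want = re.fullmatch(sized, name)
        if op in (None, "="):
            if algo == name:
                return True
        elif want is None:
            raise ValueError("curve ordering is not modelled here: " + term)
        elif have and have[1] == want[1] and OPS[op](int(have[2]), int(want[2])):
            return True
    return False

if __name__ == "__main__":
    for keyid, algo in signing_keys(SAMPLE):
        print(keyid, algo, "ok" if satisfies(algo) else "REJECTED by " + DEFAULT_SPEC)
```

The constructed listing mirrors the two cases mentioned above: a 3072-bit RSA key passes, a 1024-bit DSA key does not, and the encryption-only subkey is ignored because it never signs.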