• Re: New requirements for APT repository signing

    From Phil Wyett@21:1/5 to Julian Andres Klode on Thu Feb 29 01:40:02 2024
    On Wed, 2024-02-28 at 20:20 +0100, Julian Andres Klode wrote:
    > APT 2.7.13 just landed in unstable and with GnuPG 2.4.5 installed,
    > or 2.4.4 with a backport from the 2.4 branch, requires repositories
    > to be signed using one of
    >
    > - RSA keys of at least 2048 bit
    > - Ed25519
    > - Ed448
    >
    > Any other keys will cause warnings. These warnings will become
    > errors in March as we harden it up for the Ubuntu 24.04 release,
    > which was the main driver to do the change *now*.
    >
    > If you operate third-party repositories using different key
    > algorithms, now is your time to migrate before you get hit
    > with an error.
    >
    > For the Ubuntu perspective, feel free to check out the discourse
    > post:
    >
    > https://discourse.ubuntu.com/t/new-requirements-for-apt-repository-signing-in-24-04/42854

    Hi,

    Could I be pointed to the public conversation, any plans or bug reports related to this
    update and transition etc. for affected users?

    Thanks.

    Regards

    Phil

    --
    Playing the game for the games sake.

    Web:

    * Debian Wiki: https://wiki.debian.org/PhilWyett
    * Website: https://kathenas.org
    * Social Debian: https://pleroma.debian.social/kathenas/
    * Social Instagram: https://www.instagram.com/kathenasorg/



  • From Salvo Tomaselli@21:1/5 to All on Fri Mar 1 01:02:38 2024
    > Any other keys will cause warnings. These warnings will become
    > errors in March as we harden it up for the Ubuntu 24.04 release

    Perhaps the announcement should have been sent earlier than 28th Feb then. Or is there a mistake and they will become errors at a later date?

    Best

    --
    Salvo Tomaselli

    "I do not feel obliged to believe that the same God who has endowed us with sense, reason and intellect intended us to forgo their use."
    -- Galileo Galilei

    https://ltworf.codeberg.page/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Johannes Schauer Marin Rodrigues@21:1/5 to All on Fri Mar 1 07:20:01 2024
    Hi,

    Quoting Julian Andres Klode (2024-02-28 20:20:12)
    > APT 2.7.13 just landed in unstable and with GnuPG 2.4.5 installed,
    > or 2.4.4 with a backport from the 2.4 branch, requires repositories
    > to be signed using one of
    >
    > - RSA keys of at least 2048 bit
    > - Ed25519
    > - Ed448
    >
    > Any other keys will cause warnings. These warnings will become
    > errors in March as we harden it up for the Ubuntu 24.04 release,
    > which was the main driver to do the change *now*.

    I talked to David in #debian-devel and had a look at apt commit 50e3fee26a. This change requires a version of gpgv with support for the --assert-pubkey-algo commandline argument. The version of gnupg2 in unstable or experimental does not include this, so it seems we cannot currently test this in Debian.

    Furthermore, if you really need support for repositories with fewer RSA bits even after a new version of gnupg2 lands in Debian, you can change the apt configuration APT::Key::Assert-Pubkey-Algo which has a default value of ">=rsa2048,ed25519,ed448" to something else or set it to the empty string to entirely disable this functionality.

    Maybe this helps someone.

    Thanks!

    cheers, josch

  • From Julian Andres Klode@21:1/5 to Phil Wyett on Fri Mar 1 10:00:01 2024
    On Thu, Feb 29, 2024 at 12:29:40AM +0000, Phil Wyett wrote:
    > On Wed, 2024-02-28 at 20:20 +0100, Julian Andres Klode wrote:
    > > APT 2.7.13 just landed in unstable and with GnuPG 2.4.5 installed,
    > > or 2.4.4 with a backport from the 2.4 branch, requires repositories
    > > to be signed using one of
    > >
    > > - RSA keys of at least 2048 bit
    > > - Ed25519
    > > - Ed448
    > >
    > > Any other keys will cause warnings. These warnings will become
    > > errors in March as we harden it up for the Ubuntu 24.04 release,
    > > which was the main driver to do the change *now*.
    > >
    > > If you operate third-party repositories using different key
    > > algorithms, now is your time to migrate before you get hit
    > > with an error.
    > >
    > > For the Ubuntu perspective, feel free to check out the discourse
    > > post:
    > >
    > > https://discourse.ubuntu.com/t/new-requirements-for-apt-repository-signing-in-24-04/42854
    >
    > Hi,
    >
    > Could I be pointed to the public conversation, any plans or bug reports related to this
    > update and transition etc. for affected users?


    Some more information is in the GnuPG feature request:

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042391 (July 2023)
    https://dev.gnupg.org/T6946 (Jan 2024)

    Original announcement at

    https://lists.ubuntu.com/archives/ubuntu-devel/2024-January/042883.html

    Since then revised after rounds of feedback on internal specifications
    and meetings.

    Not sure what transition you are looking for, that's up to you
    repository owners to figure out.
    --
    debian developer - deb.li/jak | jak-linux.org - free software dev
    ubuntu core developer i speak de, en


  • From Julian Andres Klode@21:1/5 to Salvo Tomaselli on Fri Mar 1 10:00:01 2024
    On Fri, Mar 01, 2024 at 01:02:38AM +0100, Salvo Tomaselli wrote:
    > Any other keys will cause warnings. These warnings will become
    > errors in March as we harden it up for the Ubuntu 24.04 release
    >
    > Perhaps the announcement should have been sent earlier than 28th Feb then. Or
    > is there a mistake and they will become errors at a later date?

    There is no mistake, but the ubuntu folks had more heads up due
    to an email on ubuntu-devel, and internal meetings at Canonical.

    In any case, as the email says in many fewer words:

    for Debian this doesn't take effect now unless we
    ship the patch in gnupg in 2.4 (either merging my commit to backport
    to 2.4.4 or when 2.4.5 lands) which is in experimental; unstable
    is still tracking 2.2 and might for the rest of the year.
    --
    debian developer - deb.li/jak | jak-linux.org - free software dev
    ubuntu core developer i speak de, en


  • From RL@21:1/5 to Johannes Schauer Marin Rodrigues on Mon Mar 4 00:30:01 2024
    Johannes Schauer Marin Rodrigues <josch@debian.org> writes:

    > > APT 2.7.13 just landed in unstable and with GnuPG 2.4.5 installed,
    > >
    > > requires repositories
    > > to be signed using one of
    > >
    > > - RSA keys of at least 2048 bit
    > > - Ed25519
    > > - Ed448
    > >
    > > Any other keys will cause warnings. These warnings will become
    > > errors in March
    >
    > I talked to David in #debian-devel and had a look at apt commit 50e3fee26a. This change requires a version of gpgv with support for the --assert-pubkey-algo commandline argument. The version of gnupg2 in unstable or experimental does not include this, so it seems we cannot currently test this in Debian.
    >
    > Furthermore, if you really need support for repositories with fewer RSA bits even after a new version of gnupg2 lands in Debian, you can change the apt configuration APT::Key::Assert-Pubkey-Algo which has a default value of ">=rsa2048,ed25519,ed448" to something else or set it to the empty string to entirely disable this functionality.
    >
    > Maybe this helps someone.

    It does - but also makes me wonder: is this going to affect Debian users
    with 3rd party repositories when they upgrade to trixie? (or is that not
    yet known?)

    (release-notes do say to remove all 3rd party packages before upgrades
    but i suspect that is ignored: helpful to provide a heads-up anyway)

    Seems like a candidate for the release-notes: - happy to help draft, but
    would need some information:

    - Does this affect 'official' debian repositories? (i assume not)
    - Does this affect local repositories built with reprepro or other tools in debian?

    - If i am using 3rd party/local (reprepro etc) repositories with "old" signatures, will they stop working (assume a dist upgrade to trixie with
    new enough apt, gpg etc)

    - How will this affect upgrades: will apt error out or just keep
    packages back?

    - how would a user with 3rd party repos check if they are affected?
    (is there a command/file to check that shows the algorithm used for each repository enabled?)

    - how to disable this feature?

    I assume: if you need to re-enable a 3rd party repo with an older
    signature algorithm, you will need to add a file in /etc/apt/apt.conf.d/
    (or use the -o option to apt) to set APT::Key::Assert-Pubkey-Algo to the algorithm used -- is there a way to say ">=rsa2048,ed25519,ed448 or X"
    where X is the algorithm needed to allow some repository to continue to
    be used? can we turn this off for just one un-updated repo and keep the
    check for everything else? or is the only workaround to set the option
    to the empty string?

    or is there a NEWS.Debian for apt we can point to that explains all this?

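One way to answer the "how would a user check if they are affected" question above, as an added example that is not code from this thread, from apt or from GnuPG: the script below feeds each keyring file APT commonly trusts through GnuPG's machine-readable listing (`gpg --show-keys --with-colons`) and grades every primary key and every signing-capable subkey against the default policy string josch quotes, `>=rsa2048,ed25519,ed448`. The keyring locations, the colon-format field positions (taken from GnuPG's documented colon format) and the sample records embedded for the demonstration are all assumptions of this example; the sample key ids are placeholders, and the script does not map a key file back to the repositories whose `Signed-By` uses it.

```shell
#!/bin/sh
# Added example (not from the thread, apt or GnuPG): grade APT signing keys
# against the default APT::Key::Assert-Pubkey-Algo policy ">=rsa2048,ed25519,ed448".
# Assumes GnuPG 2.x colon-format fields as documented in doc/DETAILS:
#   1 = record type, 3 = key length in bits, 4 = public-key algorithm id,
#   5 = key id, 12 = key capabilities, 17 = curve name (empty for RSA/DSA).

# classify_key ALGO_ID BITS CURVE -> prints "ok" or "weak"
classify_key() {
    case "$1" in
        1|2|3)   # RSA variants: only the modulus size matters (>= 2048 bits)
            if [ "${2:-0}" -ge 2048 ]; then echo ok; else echo weak; fi ;;
        22)      # EdDSA: accepted only on the two named curves
            case "$3" in
                ed25519|ed448) echo ok ;;
                *)             echo weak ;;
            esac ;;
        *)       # DSA (17), ECDSA (19), ElGamal (16/20), ECDH (18), unknown ids
            echo weak ;;
    esac
}

# algo_name ALGO_ID BITS CURVE -> short label such as rsa4096, dsa1024, ed25519
algo_name() {
    case "$1" in
        1|2|3)    echo "rsa$2" ;;
        17)       echo "dsa$2" ;;
        16|20)    echo "elg$2" ;;
        18|19|22) echo "${3:-ecc$2}" ;;
        *)        echo "algo$1-$2" ;;
    esac
}

# audit_colons LABEL  (colon listing on stdin)
# Emits "LABEL pub|sub KEYID ALGO VERDICT" for each primary key and for each
# subkey whose capability field contains "s": gpgv asserts the algorithm of
# the key that actually produced the signature, which may be a subkey.
audit_colons() {
    label=$1
    while IFS=: read -r rtype validity bits algo keyid created expires certsn \
            trust uid sigclass caps issuer flag token hash curve rest; do
        case "$rtype" in
            pub) ;;
            sub) case "$caps" in *s*) ;; *) continue ;; esac ;;
            *)   continue ;;
        esac
        printf '%s %s %s %s %s\n' "$label" "$rtype" "$keyid" \
            "$(algo_name "$algo" "$bits" "$curve")" \
            "$(classify_key "$algo" "$bits" "$curve")"
    done
}

# audit_apt_keyrings -> runs the audit over the keyring locations APT commonly
# reads (assumed paths); --show-keys accepts binary and ASCII-armored files.
audit_apt_keyrings() {
    for f in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/* \
             /etc/apt/keyrings/* /usr/share/keyrings/*; do
        [ -f "$f" ] || continue
        gpg --batch --quiet --show-keys --with-colons -- "$f" 2>/dev/null \
            | audit_colons "$f"
    done
}

# Constructed sample listing (placeholder key ids): an RSA-4096 primary with an
# RSA-1024 signing subkey, a DSA-1024 primary with an ElGamal encryption subkey
# (the shape of an old Launchpad PPA key), and an Ed25519 key.
SAMPLE_COLONS='pub:-:4096:1:1111111111111111:1500000000:::-:::scESC::::::::0:
uid:-::::1500000000::AAAA::Example Repo One <one@example.invalid>::::::::::0:
sub:-:1024:1:2222222222222222:1500000000::::::s::::::::
pub:-:1024:17:3333333333333333:1300000000:::-:::scESC::::::::0:
sub:-:2048:16:4444444444444444:1300000000::::::e::::::::
pub:-:256:22:5555555555555555:1600000000:::-:::scESC:::::ed25519:::0:'

if [ "${1:-}" = "--system" ]; then
    audit_apt_keyrings            # real audit: needs gpg installed
else
    printf '%s\n' "$SAMPLE_COLONS" | audit_colons sample
fi
```

Run without arguments it grades the constructed sample (the RSA-1024 signing subkey and the DSA-1024 primary come out "weak", the RSA-4096 and Ed25519 keys "ok"); `sh audit.sh --system` scans the real key files. It implements only the default policy string; a changed APT::Key::Assert-Pubkey-Algo value grades differently, and whether a "weak" key produces a warning or an error depends on the apt and gpgv versions in play, as the thread discusses.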
  • From Sune Vuorela@21:1/5 to richard.lewis.debian@googlemail.com on Mon Mar 4 08:50:01 2024
    On 2024-03-03, RL <richard.lewis.debian@googlemail.com> wrote:
    > It does - but also makes me wonder: is this going to affect Debian users
    > with 3rd party repositories when they upgrade to trixie? (or is that not
    > yet known?)

    In theory. I don't know if there are any statistics on 'popular'
    3rdparty repositories and their keys. But assuming they're doing key
    rolls at 5-10 years intervals or less, it should be okay.
    Or just if the 3rdparty repository doesn't have decade(s) long history.

    > (release-notes do say to remove all 3rd party packages before upgrades
    > but i suspect that is ignored: helpful to provide a heads-up anyway)

    But that doesn't remove the old imported keys from the keyring. Which I
    guess is the main issue; it is a combination of things:
    - People never reinstall their system
    - Someone 10 years ago added a now insecure key to their apt and forgot about it.
    - Modern hardware might be able to in the not too distant future
    recreate matching keys...
    Even if said repository is now dead and removed from the keyring. If just
    one of those were not valid, we could probably keep ignoring the issue.

    /Sune

  • From Thorsten Glaser@21:1/5 to All on Mon Mar 4 14:50:01 2024
    Sune Vuorela dixit:

    > In theory. I don't know if there are any statistics on 'popular'
    > 3rdparty repositories and their keys. But assuming they're doing key

    Hm. My own private repo should be ok (3072R), but my Launchpad PPAs incidentally are not okay (1024D).

    Since this comes from Canonical, they really should message all
    affected Launchpad users and tell them how to rotate their PPAs’ keys
    (I vaguely recall searching for that and not finding it once).

    bye,
    //mirabilos
    --
    Last night my IRC network exploded. I hadn't counted on that, which is why I am covered in blood… who could have guessed THEY would react like that… last night my IRC network exploded~~~
    (as of 2021-06-15 The MirOS Project temporarily reconvenes on OFTC)

  • From Jeremy Bícha@21:1/5 to tg@debian.org on Mon Mar 4 15:00:02 2024
    On Mon, Mar 4, 2024 at 8:40 AM Thorsten Glaser <tg@debian.org> wrote:
    > Hm. My own private repo should be ok (3072R), but my Launchpad PPAs incidentally are not okay (1024D).
    >
    > Since this comes from Canonical, they really should message all
    > affected Launchpad users and tell them how to rotate their PPAs’ keys
    > (I vaguely recall searching for that and not finding it once).

    It is not possible to rotate your PPA keys yourself, but Canonical is
    handling it according to https://discourse.ubuntu.com/t/new-requirements-for-apt-repository-signing-in-24-04/42854

    Thank you,
    Jeremy Bícha

  • From Holger Levsen@21:1/5 to Sune Vuorela on Mon Mar 4 18:30:01 2024
    On Mon, Mar 04, 2024 at 07:47:08AM -0000, Sune Vuorela wrote:
    > In theory. I don't know if there are any statistics on 'popular'
    > 3rdparty repositories and their keys.

    I suspect src:extrepo-data is a good starting point for anyone interested
    in generating such statistics...


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    The moon landing 50 years ago was paid by taxes, while Bezos space trip was paid by not paying taxes.
