
List:       debian-devel
Subject:    Re: New requirements for APT repository signing
From:       RL <richard.lewis.debian () googlemail ! com>
Date:       2024-03-03 23:20:52
Message-ID: 86msrec36z.fsf () simplex ! rtf ! org ! uk

Johannes Schauer Marin Rodrigues <josch@debian.org> writes:

>> APT 2.7.13 just landed in unstable and with GnuPG 2.4.5 installed,
>> requires repositories
>> to be signed using one of
>> 
>> - RSA keys of at least 2048 bit
>> - Ed25519
>> - Ed448
>> 
>> Any other keys will cause warnings. These warnings will become
>> errors in March

> I talked to David in #debian-devel and had a look at apt commit 50e3fee26a.
> This change requires a version of gpgv with support for the
> --assert-pubkey-algo commandline argument. The version of gnupg2 in unstable or
> experimental does not include this, so it seems we cannot currently test this
> in Debian.
>
> Furthermore, if you really need support for repositories with fewer RSA bits
> even after a new version of gnupg2 lands in Debian, you can change the apt
> configuration APT::Key::Assert-Pubkey-Algo which has a default value of
> ">=rsa2048,ed25519,ed448" to something else or set it to the empty string
> to entirely disable this functionality.
>
> Maybe this helps someone.

It does - but also makes me wonder: is this going to affect Debian users
with 3rd party repositories when they upgrade to trixie? (or is that not
yet known?)

(release-notes do say to remove all 3rd party packages before upgrades
but i suspect that is ignored: helpful to provide a heads-up anyway)

Seems like a candidate for the release-notes. Happy to help draft, but
would need some information:

- Does this affect 'official' Debian repositories? (I assume not)
- Does this affect local repositories built with reprepro or other tools in Debian?

- If I am using 3rd party/local (reprepro etc) repositories with "old"
signatures, will they stop working (assume a dist upgrade to trixie with
new enough apt, gpg etc)?

- How will this affect upgrades: will apt error out or just keep
  packages back?

- How would a user with 3rd party repos check if they are affected?
(is there a command/file to check that shows the algorithm used for each repository enabled?)

- How to disable this feature?

I assume: if you need to re-enable a 3rd party repo with an older
signature algorithm, you will need to add a file in /etc/apt/apt.conf.d/
(or use the -o option to apt) to set APT::Key::Assert-Pubkey-Algo to the
algorithm used -- is there a way to say ">=rsa2048,ed25519,ed448 or X"
where X is the algorithm needed to allow some repository to continue to
be used? can we turn this off for just one un-updated repo and keep the
check for everything else? or is the only workaround to set the option
to the empty string?

or is there a NEWS.Debian for apt we can point to that explains all this?
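The question above about how a user could check which trusted keys would fall foul of the `>=rsa2048,ed25519,ed448` policy has no ready-made answer in this thread. The following is an added example, not from the thread or from the apt or gnupg projects: a small POSIX shell audit that reads `gpg --with-colons` key listings and flags any primary key or subkey that is neither RSA of at least 2048 bits nor Ed25519/Ed448. It assumes the standard colon-format field layout (field 3 key length, field 4 public-key algorithm number, field 17 curve name) and the usual APT keyring locations; which key actually made a repository's signature is whatever key or subkey the archive used, so every listed pub/sub line is reported. The sample listing embedded in the script is constructed.

```shell
#!/bin/sh
# Audit APT-trusted OpenPGP keys against APT's default
# APT::Key::Assert-Pubkey-Algo policy ">=rsa2048,ed25519,ed448".
# Added example with constructed data; field positions follow gpg's
# --with-colons documentation (doc/DETAILS in the gnupg source).

# Constructed sample of `gpg --with-colons --show-keys` output: an RSA-4096
# key with an RSA-4096 signing subkey, a DSA-1024 key, and an Ed25519 key.
SAMPLE='pub:-:4096:1:1111111111111111:1577836800:::-:::scESC::::::23::0:
sub:-:4096:1:2222222222222222:1577836800::::::s::::::23:
pub:-:1024:17:3333333333333333:1262304000:::-:::scSC::::::23::0:
pub:-:263:22:4444444444444444:1672531200:::-:::scESC:::::ed25519:::0:'

# classify_key LEN ALGO CURVE -> prints "ok" or "weak".
# Algorithm numbers: 1 = RSA, 17 = DSA, 22 = EdDSA (curve named in field 17).
classify_key() {
  len=$1; algo=$2; curve=$3
  case "$algo" in
    1)  if [ "$len" -ge 2048 ]; then echo ok; else echo weak; fi ;;
    22) case "$curve" in ed25519|ed448) echo ok ;; *) echo weak ;; esac ;;
    *)  echo weak ;;   # DSA, ElGamal, ECDSA etc. are not in the default list
  esac
}

# audit_keyring_lines: reads colon-format lines on stdin, prints one report
# line per primary key (pub) or subkey (sub) ending in "ok" or "weak".
audit_keyring_lines() {
  while IFS=: read -r type _ len algo keyid _ _ _ _ _ _ _ _ _ _ _ curve _; do
    case "$type" in pub|sub) ;; *) continue ;; esac
    printf '%s %s algo=%s bits=%s curve=%s %s\n' \
      "$type" "$keyid" "$algo" "$len" "${curve:--}" \
      "$(classify_key "$len" "$algo" "$curve")"
  done
}

# count_weak: number of listed keys/subkeys that fail the policy.
count_weak() {
  audit_keyring_lines | awk '/ weak$/ { n++ } END { print n + 0 }'
}

# audit_system: run the audit over the keyrings APT commonly trusts on a
# Debian host (not executed here). Keyrings referenced via Signed-By from
# other paths would need to be added to the list.
audit_system() {
  for k in /etc/apt/trusted.gpg.d/* /etc/apt/keyrings/* /usr/share/keyrings/*; do
    [ -f "$k" ] || continue
    echo "== $k"
    gpg --batch --no-default-keyring --with-colons --show-keys "$k" 2>/dev/null \
      | audit_keyring_lines
  done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | audit_keyring_lines
echo "weak keys in sample: $(printf '%s\n' "$SAMPLE" | count_weak)"
```

Run `audit_system` on a real host to get the per-keyring report; a `weak` line points at a repository whose key would trigger the warning, and the thread already notes that `APT::Key::Assert-Pubkey-Algo` (set in a file under `/etc/apt/apt.conf.d/` or via `-o`) is the knob that relaxes or disables the check.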
