List: debian-devel
Subject: Re: New requirements for APT repository signing
From: RL <richard.lewis.debian () googlemail ! com>
Date: 2024-03-03 23:20:52
Message-ID: 86msrec36z.fsf () simplex ! rtf ! org ! uk
Johannes Schauer Marin Rodrigues <josch@debian.org> writes:
>> APT 2.7.13 just landed in unstable and with GnuPG 2.4.5 installed,
>> requires repositories to be signed using one of
>>
>> - RSA keys of at least 2048 bit
>> - Ed25519
>> - Ed448
>>
>> Any other keys will cause warnings. These warnings will become
>> errors in March
> I talked to David in #debian-devel and had a look at apt commit 50e3fee26a.
> This change requires a version of gpgv with support for the
> --assert-pubkey-algo commandline argument. The version of gnupg2 in unstable or
> experimental does not include this, so it seems we cannot currently test this
> in Debian.
>
> Furthermore, if you really need support for repositories with fewer RSA bits
> even after a new version of gnupg2 lands in Debian, you can change the apt
> configuration APT::Key::Assert-Pubkey-Algo which has a default value of
> ">=rsa2048,ed25519,ed448" to something else or set it to the empty string
> to entirely disable this functionality.
>
> Maybe this helps someone.
It does - but also makes me wonder: is this going to affect Debian users
with 3rd party repositories when they upgrade to trixie? (or is that not
yet known?)
(The release notes do say to remove all 3rd-party packages before upgrades,
but I suspect that is ignored: helpful to provide a heads-up anyway.)
Seems like a candidate for the release notes - happy to help draft, but
would need some information:
- Does this affect 'official' Debian repositories? (I assume not)
- Does this affect local repositories built with reprepro or other tools in Debian?
- If I am using 3rd-party/local (reprepro etc.) repositories with "old"
signatures, will they stop working? (Assuming a dist-upgrade to trixie with
new enough apt, gpg etc.)
- How will this affect upgrades: will apt error out or just keep
packages back?
- How would a user with 3rd-party repos check if they are affected?
(Is there a command/file to check that shows the algorithm used for each repository enabled?)
- How to disable this feature?
I assume: if you need to re-enable a 3rd-party repo with an older
signature algorithm, you will need to add a file in /etc/apt/apt.conf.d/
(or use the -o option to apt) to set APT::Key::Assert-Pubkey-Algo to the
algorithm used -- is there a way to say ">=rsa2048,ed25519,ed448 or X"
where X is the algorithm needed to allow some repository to continue to
be used? Can we turn this off for just one un-updated repo and keep the
check for everything else? Or is the only workaround to set the option
to the empty string?
Or is there a NEWS.Debian for apt we can point to that explains all this?
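An added example (mine, not code from the thread, from APT or from GnuPG): a shell check that classifies the keys in an APT keyring against the rule behind the default APT::Key::Assert-Pubkey-Algo value ">=rsa2048,ed25519,ed448", the kind of check the question above about a command showing each repository's algorithm asks for. It assumes gpg's --with-colons record layout (field 3 key length, field 4 OpenPGP algorithm id, field 5 key id, field 17 curve name) and runs over constructed sample records in place of real gpg output.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies OpenPGP keys against the rule
# that APT's default "APT::Key::Assert-Pubkey-Algo >=rsa2048,ed25519,ed448"
# expresses. Input is gpg --with-colons output, which in real use comes from
#   gpg --show-keys --with-colons /etc/apt/trusted.gpg.d/some-repo.gpg
# Assumed colon-format layout: field 1 = record type, 3 = key length in bits,
# 4 = OpenPGP algorithm id (1 = RSA, 17 = DSA, 22 = EdDSA), 5 = key id,
# 17 = curve name for ECC keys. Both pub and sub records are classified,
# because a Release file may be signed by a subkey rather than the primary key.

classify_keys() {
    awk -F: '$1 == "pub" || $1 == "sub" {
        bits = $3 + 0; algo = $4 + 0; keyid = $5; curve = $17
        if (algo == 1)                             { desc = "rsa" bits; ok = (bits >= 2048) }
        else if (algo == 22 && curve == "ed25519") { desc = "ed25519";  ok = 1 }
        else if (algo == 22 && curve == "ed448")   { desc = "ed448";    ok = 1 }
        else                                       { desc = "algo" algo "/" bits curve; ok = 0 }
        print $1, keyid, desc, (ok ? "OK" : "WEAK")
    }'
}

# Constructed sample records (made-up key ids) standing in for real gpg output:
# RSA-4096 primary with an RSA-4096 signing subkey, RSA-1024, DSA-1024,
# Ed25519 and Ed448.
SAMPLE_RECORDS='pub:-:4096:1:0123456789ABCDEF:1600000000::::::scESC::::::23::0:
sub:-:4096:1:0123456789ABCDEE:1600000000::::::s::::::23:
pub:-:1024:1:1111222233334444:1400000000::::::scESC::::::23::0:
pub:-:1024:17:5555666677778888:1300000000::::::scESC::::::23::0:
pub:-:255:22:FEDCBA9876543210:1600000000::::::scESC:::::ed25519:23::0:
pub:-:448:22:AAAABBBBCCCCDDDD:1600000000::::::scESC:::::ed448:23::0:'

# weak_keys: prints only the sample keys that would fail the default assertion
# (exit status 0 even when none match, so callers can count lines).
weak_keys() {
    printf '%s\n' "$SAMPLE_RECORDS" | classify_keys | grep ' WEAK$' || true
}

# Stand-alone run: list every sample key with its verdict.
printf '%s\n' "$SAMPLE_RECORDS" | classify_keys
```

To check a real system, feed the commented gpg invocation over each file in /etc/apt/trusted.gpg.d and every Signed-By keyring named in the sources into classify_keys instead of the sample records.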