[FFe] APT 24.04 crypto policy update

Bug #2055193 reported by Julian Andres Klode
Affects          Status        Importance  Assigned to  Milestone
apt (Ubuntu)     Fix Released  Undecided   Unassigned
gnupg2 (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

I don't know if this will land before the feature freeze but I'm filing this in any case:

Our goal for 24.04 is to reject 1024-bit RSA repository signing keys. Work is ongoing in Launchpad to allow dual-signing PPAs and then resign all PPAs with a 4096-bit key.

This needs the following changes:

1) The gnupg upstream commit for https://dev.gnupg.org/T6946 needs to be backported. This is applying fine and in the package already, but the test suite fails with issues that look weirdly unrelated.
2) APT needs to learn to pass the argument if supported
3) APT needs to learn to interpret the output
4) APT possibly may have to learn to issue warnings instead of errors for weak keys and pass the URL to the gpgv method to allow 1024-bit RSA keys over TLS connections, in case there are unforeseen issues with the PPA migration.

Signing key policy: We would like to adopt a signing key policy of

rsa>2048,ed25519,ed448

As a result we would like to reject

- RSA keys below 2048 bits
- DSA keys
- Unsafe ECC keys:
  - NIST P-{256,384,521}
  - Brainpool P-{256,384,512}
  - secp256k1

Notes:
- DSA keys are not possible to use anymore due to the deprecation of SHA1 that happened years ago
- NIST and Brainpool and secp256k1 are not very popular, https://safecurves.cr.yp.to/ lists all of them as unsafe. It is believed they have backdoors. Some FIPS customers may prefer them over Ed25519 and Ed448 as they have been approved longer, so it's possible FIPS support packages could re-enable them by setting the correct apt.conf setting in a snippet.

Timing wrt feature freeze and launchpad changes:

Launchpad changes won't be landing before feature freeze and it will take some more weeks to resign the repositories, hence we need to do uploads after FF to enable the error by default even if we ship the functionality before it.
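The policy string from the report, evaluated against a few constructed key descriptions, as an added example that is not apt's or gnupg's code: `KeyInfo`, `parse_policy`, `key_allowed` and `verdict` are hypothetical names, `verdict` renders item 4 of the list above (warnings instead of errors, and TLS-fetched repositories as a fallback) in one function, and `rsa>2048` is read the way the prose does, rejecting keys below 2048 bits and accepting 2048-bit ones.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KeyInfo:
    algo: str        # "rsa", "dsa", or "ecc" for curve-based keys
    bits: int = 0    # modulus size for rsa/dsa; unused for curve keys
    curve: str = ""  # curve name for ecc keys, e.g. "ed25519", "nistp256"

def parse_policy(policy: str) -> dict[str, int]:
    """'rsa>2048,ed25519,ed448' -> {'rsa': 2048, 'ed25519': 0, 'ed448': 0}.
    Values are minimum key sizes; 0 means any size of that algorithm/curve.
    Assumption: 'rsa>2048' is read as the report's prose does, so 2048-bit keys pass."""
    allowed: dict[str, int] = {}
    for term in policy.split(","):
        term = term.strip().lower()
        if not term:
            continue
        name, sep, size = term.partition(">")
        if not name or (sep and not size.isdigit()):
            raise ValueError(f"malformed policy term: {term!r}")
        allowed[name] = int(size) if size else 0
    return allowed

def key_allowed(key: KeyInfo, allowed: dict[str, int]) -> tuple[bool, str]:
    """Curve keys are matched by curve name, everything else by algorithm name."""
    ident = key.curve.lower() if key.algo == "ecc" else key.algo.lower()
    if ident not in allowed:
        return False, f"{ident} is not permitted by the signing key policy"
    if key.bits < allowed[ident]:
        return False, f"{ident} key is {key.bits} bits, policy requires >= {allowed[ident]}"
    return True, "ok"

def verdict(key: KeyInfo, policy: str, repo_url: str, weak_is_error: bool = True) -> str:
    """Item 4 of the report: a weak key is only a warning while the error is not yet
    enabled by default, or when the repository is fetched over TLS (https://)."""
    ok, _reason = key_allowed(key, parse_policy(policy))
    if ok:
        return "ok"
    if not weak_is_error or repo_url.lower().startswith("https://"):
        return "warn"
    return "error"

POLICY = "rsa>2048,ed25519,ed448"
SAMPLE_KEYS = {  # constructed sample keys for illustration, not real repository keys
    "legacy-ppa": KeyInfo("rsa", 1024),          # what resigning the PPAs removes
    "resigned-ppa": KeyInfo("rsa", 4096),
    "old-dsa": KeyInfo("dsa", 1024),
    "modern": KeyInfo("ecc", curve="ed25519"),
    "nist": KeyInfo("ecc", curve="nistp256"),    # rejected unless a FIPS snippet adds it
}
```

Extending the policy string (for example appending `,nistp256`) is all a FIPS snippet would need to do under this model; nothing else in the evaluation changes.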

Changed in gnupg (Ubuntu):
status: New → Fix Committed
affects: gnupg (Ubuntu) → gnupg2 (Ubuntu)
Łukasz Zemczak (sil2100) wrote :

Since it's past Feature Freeze and I see that the apt task is still New, I suppose looking at this FFe still makes sense, right?

I think this feels a bit like 'a lot' considering the ongoing time_t transition in the archive. What's the status of the timeline for Launchpad? Do we have the required apt changes staged and building somewhere already?

Julian Andres Klode (juliank) wrote (last edit):

Sorry Łukasz, this has landed in 2.7.13 in proposed back in February, with the caveat that it is a warning for now. This will essentially close the bug and we should probably consider the FFe to be switching that to an error once everything landed. Arguably some consider any of that work a bug fix and not a feature :)

Changed in apt (Ubuntu):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnupg2 - 2.4.4-2ubuntu15

---------------
gnupg2 (2.4.4-2ubuntu15) noble; urgency=medium

  * Also drop build dependency on libcurl4-gnutls-dev.

 -- Matthias Klose <email address hidden> Thu, 07 Mar 2024 10:32:56 +0100

Changed in gnupg2 (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 2.7.14

---------------
apt (2.7.14) unstable; urgency=medium

  [ Steve Langasek ]
  * Support building without gnutls
  * Add an artificial Conflicts: against libnettle8
    to force upgrades in launchpad buildd chroots

  [ David Kalnischkies ]
  * Handle EINTR in the static FileFd::Write overload
  * Remove non-existent Debug::BuildDeps from apt.conf(5)
  * Parse unsupported != relation in dependencies

  [ Frans Spiesschaert ]
  * Dutch program translation update (Closes: #1065513)
  * Dutch manpages translation update (Closes: #1065517)

  [ Wesley Schwengle ]
  * Update documentation for apt-get upgrade with pkg arg (Closes: #1065831)
  * Update documentation for apt upgrade with pkg arg (Closes: #1065831)
  * Include Dutch translation for apt/apt-get upgrade documentation update
  * Update Graphviz URL to https://graphviz.org/
  * Update VCG tool URI to new location
  * s#http://bugs.debian.org/src/#https://bugs.debian.org/src#

  [ Julian Andres Klode ]
  * pkgTagFile::Jump: Use lookback buffer to rejump to current position
    (Closes: #1067440)
  * debrecords: Do not reparse if given same location (Closes: #1067440)
  * Revert "debrecords: Do not reparse if given same location"

 -- Julian Andres Klode <email address hidden> Fri, 22 Mar 2024 11:11:44 +0100

Changed in apt (Ubuntu):
status: Fix Committed → Fix Released