I believe there is a misunderstanding of the issue:

1. Yes, said archive is dual-signed by two keys, one of them 1024-bit RSA.
2. apt-add-repository, for me, added the strong 4096-bit RSA key in the sources.list.d file. It can be checked by just copying the key block out and feeding it into gpg; it shows it's a public key F911AB184317630C59970973E363C90F8F1B6217 rsa4096.
3. APT, when checking the InRelease file, trusts it (and it could only become trusted with the strong key signature, the only one it knows), but also sees a second signature with a weak algorithm, and emits a warning.

So, I only see a false warning for the user: the system is safe using the stronger key, and the legacy signature, which shouldn't be used anyway, raises a warning. But older systems that don't use 4096-bit RSA keys yet would see two signatures: one of them they trust (even if it's weak; HERE the warning, if not rejection, would be appropriate), and also another one that they don't trust since they don't know of it yet (that may raise a message that, while the signature we trust is weak, there seems to be a better one, go check the source).

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to software-properties in Ubuntu.
https://bugs.launchpad.net/bugs/2065932

Title:
  Only adds the weak key for PPAs dual-signed with both weak and strong keys

Status in software-properties package in Ubuntu:
  Confirmed

Bug description:
  After running ‘add-apt-repository ppa:git-core/ppa’ on Ubuntu 24.04, ‘apt update’ gives this warning:

  W: https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease: Signature by key E1DD270288B4E6030699E45FA1715D88E1DF1F24 uses weak algorithm (rsa1024)

  But this PPA is dual-signed by two keys, only one of which is weak. add-apt-repository has chosen to install the rsa1024 key in sources.list.d. It should choose the rsa4096 key instead.

  $ curl 'https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease' | gpgv
  …
  gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT
  gpg:                using RSA key F911AB184317630C59970973E363C90F8F1B6217
  gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: F911 AB18 4317 630C 5997  0973 E363 C90F 8F1B 6217
  gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT
  gpg:                using RSA key E1DD270288B4E6030699E45FA1715D88E1DF1F24
  gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: E1DD 2702 88B4 E603 0699  E45F A171 5D88 E1DF 1F24

  $ gpg --list-keys F911AB184317630C59970973E363C90F8F1B6217 E1DD270288B4E6030699E45FA1715D88E1DF1F24
  pub   rsa1024 2009-01-22 [SC]
        E1DD270288B4E6030699E45FA1715D88E1DF1F24
  uid           [ unknown] Launchpad PPA for Ubuntu Git Maintainers

  pub   rsa4096 2024-04-24 [SC]
        F911AB184317630C59970973E363C90F8F1B6217
  uid           [ unknown] Launchpad PPA for Ubuntu Git Maintainers

  Context: https://discourse.ubuntu.com/t/new-requirements-for-apt-repository-signing-in-24-04/42854

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/2065932/+subscriptions
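Whether the weak or the strong key landed in sources.list.d is settled by reading the key packet out of the armored block, which is what the comment above does by hand with gpg. The script below is an added example for this thread, not code from software-properties, APT or GnuPG: it de-armors a PGP public key block (plain, or in the deb822 Signed-By form where lines are indented and an empty armor line is written as "."), walks the OpenPGP packets, and reports the algorithm, RSA modulus size and v4 fingerprint of every primary key and subkey, flagging RSA below 2048 bits as weak. The 2048-bit threshold and the build_demo_key_block helper (which fabricates a placeholder modulus purely so the parser can be exercised offline) are assumptions of this example, not anything the bug report states.

```python
"""Report algorithm, size and fingerprint of the keys in an armored PGP key block.

Added example, not part of APT, GnuPG or software-properties. Handles v4 public
key packets (RFC 4880); only RSA keys (algorithm ids 1-3) get a bit size.
"""
import base64
import hashlib
import struct

WEAK_RSA_BITS = 2048        # assumption: RSA below this is "weak", matching apt's rsa1024 warning
RSA_ALGOS = {1, 2, 3}       # RSA encrypt-or-sign, encrypt-only, sign-only (RFC 4880 9.1)


def dearmor(text):
    """Return the binary packet stream from an ASCII-armored block.
    Lines may carry the one-space deb822 continuation prefix; " ." is an empty line."""
    lines, in_block, past_headers = [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == ".":                         # deb822 encodes an empty armor line as " ."
            line = ""
        if line.startswith("-----BEGIN"):
            in_block, past_headers = True, False
            continue
        if line.startswith("-----END"):
            break
        if not in_block:
            continue
        if not past_headers:
            if line == "":
                past_headers = True             # blank line ends the armor headers
            elif ":" not in line:               # no headers at all: already base64 data
                past_headers = True
                lines.append(line)
            continue
        if line.startswith("="):                # CRC24 checksum line
            continue
        if line:
            lines.append(line)
    return base64.b64decode("".join(lines))


def _packets(data):
    """Yield (tag, body) for each packet in an OpenPGP binary stream (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % i)
        i += 1
        if ctb & 0x40:                          # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                   # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, i = data[i], i + 1
            elif ltype == 1:
                length, i = struct.unpack(">H", data[i:i + 2])[0], i + 2
            elif ltype == 2:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                length = len(data) - i          # indeterminate: rest of the stream
        yield tag, data[i:i + length]
        i += length


def describe_keys(armored):
    """Return one dict per v4 public key (tag 6) or subkey (tag 14) packet."""
    keys = []
    for tag, body in _packets(dearmor(armored)):
        if tag not in (6, 14) or body[0] != 4:
            continue
        algo = body[5]                          # version(1) + creation time(4) precede it
        bits = struct.unpack(">H", body[6:8])[0] if algo in RSA_ALGOS else None  # MPI bit count of n
        # v4 fingerprint: SHA-1 over 0x99, two-octet body length, body (RFC 4880 12.2)
        fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
        keys.append({"kind": "primary" if tag == 6 else "subkey",
                     "algo": "rsa" if algo in RSA_ALGOS else "algo%d" % algo,
                     "bits": bits, "fingerprint": fpr,
                     "weak": algo in RSA_ALGOS and bits < WEAK_RSA_BITS})
    return keys


def _mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def build_demo_key_block(bits, created=0):
    """Armored block holding one v4 RSA public key of the given size.
    The modulus is a constructed placeholder, not a real key; it only exercises the parser."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi((1 << (bits - 1)) | 1) + _mpi(65537)
    packet = b"\x99" + struct.pack(">H", len(body)) + body   # old-format tag 6, 2-octet length
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + lines
                     + ["-----END PGP PUBLIC KEY BLOCK-----"])


if __name__ == "__main__":
    import sys
    # With a file argument, inspect e.g. a sources.list.d entry; otherwise use constructed keys.
    blocks = [open(sys.argv[1]).read()] if len(sys.argv) > 1 else [build_demo_key_block(1024), build_demo_key_block(4096)]
    for block in blocks:
        for k in describe_keys(block):
            print("%-7s %s%s %s%s" % (k["kind"], k["algo"], k["bits"] or "", k["fingerprint"],
                                     "  WEAK" if k["weak"] else ""))
```

Run against a sources.list.d file, the fingerprint column is what to compare with the key id in the apt warning: if the only primary key listed is the rsa1024 one, add-apt-repository installed the weak key; if it is the rsa4096 one, the warning is about the second signature on InRelease rather than about the installed key.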