3. APT, when checking the InRelease file, trusts it (and it could only become trusted with the strong key signature, the only it knows), but also sees a second signature with a week algorithm. Emits a warning.
So, I only see a false warning for the user: the system is safe using the stronger key, and the legacy signature raises a warning that shouldn't be used anyway No, APT only issues warnings for keys that were actually used to verify a signature, so if you see a warning from APT, the key is still in your keyring. In 24.10 you can use `add-apt-repository --refresh-keys` to refresh all PPA keys and list any other keys. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to software-properties in Ubuntu. https://bugs.launchpad.net/bugs/2065932 Title: Only adds the weak key for PPAs dual-signed with both weak and strong keys Status in software-properties package in Ubuntu: Invalid Bug description: After running ‘add-apt-repository ppa:git-core/ppa’ on Ubuntu 24.04, ‘apt update’ gives this warning: W: https://ppa.launchpadcontent.net/git- core/ppa/ubuntu/dists/noble/InRelease: Signature by key E1DD270288B4E6030699E45FA1715D88E1DF1F24 uses weak algorithm (rsa1024) But this PPA is dual-signed by two keys, only one of which is weak. add-apt-repository has chosen to install the rsa1024 key in sources.list.d. It should choose the rsa4096 key instead. $ curl 'https://ppa.launchpadcontent.net/git-core/ppa/ubuntu/dists/noble/InRelease' | gpgv … gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT gpg: using RSA key F911AB184317630C59970973E363C90F8F1B6217 gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: F911 AB18 4317 630C 5997 0973 E363 C90F 8F1B 6217 gpg: Signature made Thu 16 May 2024 05:22:18 AM PDT gpg: using RSA key E1DD270288B4E6030699E45FA1715D88E1DF1F24 gpg: Good signature from "Launchpad PPA for Ubuntu Git Maintainers" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: E1DD 2702 88B4 E603 0699 E45F A171 5D88 E1DF 1F24 $ gpg --list-keys F911AB184317630C59970973E363C90F8F1B6217 E1DD270288B4E6030699E45FA1715D88E1DF1F24 pub rsa1024 2009-01-22 [SC] E1DD270288B4E6030699E45FA1715D88E1DF1F24 uid [ unknown] Launchpad PPA for Ubuntu Git Maintainers pub rsa4096 2024-04-24 [SC] F911AB184317630C59970973E363C90F8F1B6217 uid [ unknown] Launchpad PPA for Ubuntu Git Maintainers Context: https://discourse.ubuntu.com/t/new-requirements-for-apt- repository-signing-in-24-04/42854 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/2065932/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
