Closed eguaj closed 1 month ago
That’s in Canonical's hands and their rollover and communication around it is frankly a disaster. I don’t have any more information than you do.
But I guess I should be happy that it’s finally happening…. Because 1024 RSA keys should have been replaced years ago.
Ok, thanks for the details/explanations.
It does not seem to impact apt/apt-get commands, so the problem might be only with aptly not handling multiple signatures the same way as apt commands do (e.g. requiring all signatures to be valid instead of requiring at least one signature to be correct).
In the meantime, I'll add the B8DC7E53946656EFBCE4C1DD71DAEAAB4AD4CAB6 key to my aptly trust store (which effectively solves my verification problem when running aptly mirror update).
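The two verification policies contrasted in the comment above, as an added example that is not from the thread and not aptly's or apt's own code. It parses constructed gpg --status-fd output (the tag names GOODSIG, BADSIG, ERRSIG, NO_PUBKEY and NEWSIG are the ones GnuPG documents) and shows why a strict "all signatures must verify" rule fails on a Release file carrying one unknown key while an "at least one valid signature" rule accepts it; treating a BADSIG as fatal under the tolerant policy is my own conservative assumption.

```python
from dataclasses import dataclass

# Constructed sample of `gpg --status-fd 1 --verify` output for the situation in the
# thread: two signatures, one from the key in the local keyring (14AA...7A6C) and one
# from a key the keyring does not have (B8DC...CAB6). Not real captured output.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 71DAEAAB4AD4CAB6 1 10 00 1700000000 9 B8DC7E53946656EFBCE4C1DD71DAEAAB4AD4CAB6
[GNUPG:] NO_PUBKEY 71DAEAAB4AD4CAB6
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4F4EA0AAE5267A6C Constructed Repository Key <repo@example.invalid>
[GNUPG:] VALIDSIG 14AA40EC0831756756D7F66C4F4EA0AAE5267A6C 2023-11-14 1700000000 0 4 0 1 10 00 14AA40EC0831756756D7F66C4F4EA0AAE5267A6C
"""

@dataclass
class Signature:
    keyid: str = ""
    state: str = "unknown"   # "good", "bad", or "unknown" (no public key / error)

def _current(sigs):
    """Return the record for the signature being reported; start a new one if the
    last record is already filled (covers gpg versions that emit no NEWSIG)."""
    if not sigs or sigs[-1].keyid:
        sigs.append(Signature())
    return sigs[-1]

def parse_status(text):
    """Group gpg status lines into one Signature per signature on the file."""
    sigs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "NEWSIG":
            sigs.append(Signature())
        elif tag in ("GOODSIG", "BADSIG", "ERRSIG"):
            sig = _current(sigs)
            sig.keyid = fields[2]
            sig.state = {"GOODSIG": "good", "BADSIG": "bad"}.get(tag, "unknown")
        elif tag == "NO_PUBKEY" and sigs:
            sigs[-1].keyid = fields[2]      # state stays "unknown"
    return sigs

def all_signatures_valid(sigs):
    """Strict policy the poster attributes to aptly: every signature must verify."""
    return bool(sigs) and all(s.state == "good" for s in sigs)

def any_signature_valid(sigs):
    """Tolerant policy the poster attributes to apt: at least one good signature.
    Rejecting on any BADSIG is an added assumption, not taken from the thread."""
    states = [s.state for s in sigs]
    return "good" in states and "bad" not in states

def unknown_keyids(sigs):
    """Key IDs that need to be added to the trust store before the strict policy passes."""
    return [s.keyid for s in sigs if s.state == "unknown"]
```

Running both policies over SAMPLE_STATUS reproduces the asymmetry: the strict rule rejects the file and reports 71DAEAAB4AD4CAB6 as the missing key, while the tolerant rule accepts it on the strength of the known key's signature.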
Hi,
I have an aptly mirror of the ondrej/php PPA packages, and this morning it fails to verify the Release file signature: the signature verification seems to fail because it does not know the key B8DC7E53946656EFBCE4C1DD71DAEAAB4AD4CAB6.
It seems that the Release file is signed with 2 keys, and one of them (B8DC7E53946656EFBCE4C1DD71DAEAAB4AD4CAB6) is unknown? Is there a key rollover planned? Should I trust this B8DC7E53946656EFBCE4C1DD71DAEAAB4AD4CAB6 key (as I trust 14AA40EC0831756756D7F66C4F4EA0AAE5267A6C)?
Steps to reproduce without aptly:
Release file and the GPG signature: