volitank / nala

Nala is a front-end for libapt-pkg.
GNU General Public License v3.0

weak algorithm in `sudo nala update` for `grub-customizer` #42

Closed reneas closed 2 months ago

reneas commented 2 months ago

when running sudo nala update the output has a line that says:

/usr/lib/python3/dist-packages/apt/cache.py:562: Warning: W:https://ppa.launchpadcontent.net/danielrichter2007/grub-customizer/ubuntu/dists/noble/InRelease: Signature by key 59DAD276B942642B1BBD0EACA8AA1FAA3F055C03 uses weak algorithm (rsa1024)
  res = self._cache.update(fetch_progress, slist, pulse_interval)

When I run sudo apt update nothing like that happens.

Can I ignore this or should we be worried? Should I post about this at the grub-customizer launchpad?

volitank commented 2 months ago

I wouldn't worry about it too much. This is the key that is used to sign the InRelease. So RSA 1024 is considered on the weaker side now. I can't actually find much evidence to support that it is easily cracked. Even if it were cracked they could only sign repos as Daniel. In order for it to actually be a threat they would need to get access to his PPA account and crack his key. Or DNS hijack launchpad.net + crack his key. I think it's extremely unlikely for this to happen.

The reason these are coming up now is that python-apt has changed how they handle errors and warnings so it kind of just spits them out as they come now. I'm probably not going to fix this and instead focus my energy into trying to get the rust rewrite finished so we pretty much will always know what to expect.

I also found this which is recent. It seems like launchpad is aware and is in the process of re-assigning stronger keys for folks.

https://askubuntu.com/questions/1510042/how-to-fix-launchpad-ppa-which-uses-a-key-with-weak-algorithm https://answers.launchpad.net/launchpad/+question/809194

reneas commented 2 months ago

Okay, good to know, thank you :) Will have to wait until they have changed all the PPA keys to 4096-bit RSA and in the meantime ignore these messages.
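An added example, not nala's code and not posted by anyone in this thread: it parses gpg's machine-readable key listing and flags repository signing keys below a 2048-bit floor, so you can audit the keyrings apt trusts for the same condition behind the warning above. The 2048-bit floor, the helper names and the sample listing are assumptions; only the fingerprint in the sample comes from the warning quoted above.

```python
"""Audit apt signing keys for weak public-key sizes (added example, hypothetical helpers)."""
import subprocess
from pathlib import Path

# OpenPGP public-key algorithm ids as printed in field 4 of a gpg --with-colons 'pub' record
ALGO_NAMES = {1: "rsa", 17: "dsa", 18: "ecdh", 19: "ecdsa", 22: "eddsa"}

# Constructed listing in `gpg --with-colons` format: the rsa1024 key from the warning
# above, a 4096-bit RSA key and an ed25519 key (the latter two are made-up ids).
SAMPLE_LISTING = """\
pub:-:1024:1:A8AA1FAA3F055C03:1200000000:::-:::scESC::::::23::0:
fpr:::::::::59DAD276B942642B1BBD0EACA8AA1FAA3F055C03:
uid:-::::1200000000::HASH::PPA signing key (constructed sample)::::::::::0:
pub:-:4096:1:0000000000000001:1700000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
pub:-:256:22:0000000000000002:1700000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000002:
"""

def parse_keys(colons_output):
    """Return one dict {fpr, algo, bits} per primary key in a --with-colons listing."""
    keys, current = [], None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":  # primary key record: field 3 = size in bits, field 4 = algorithm id
            current = {"bits": int(f[2]), "algo": ALGO_NAMES.get(int(f[3]), "algo" + f[3]), "fpr": None}
            keys.append(current)
        elif f[0] == "fpr" and current is not None and current["fpr"] is None:
            current["fpr"] = f[9]  # first fpr record after a pub is that key's fingerprint
    return keys

def weak_keys(keys, min_bits=2048):
    """RSA/DSA keys below the floor; assumed floor of 2048 bits matches the rsa1024 warning."""
    return [k for k in keys if k["algo"] in ("rsa", "dsa") and k["bits"] < min_bits]

def audit_keyring_dir(directory="/etc/apt/trusted.gpg.d", min_bits=2048):
    """Run gpg over each keyring file in a directory; needs gpg installed. Returns {path: weak keys}."""
    findings = {}
    for path in sorted(Path(directory).glob("*")):
        if path.suffix not in (".gpg", ".asc"):
            continue
        out = subprocess.run(["gpg", "--batch", "--with-colons", "--show-keys", str(path)],
                             capture_output=True, text=True).stdout
        weak = weak_keys(parse_keys(out), min_bits)
        if weak:
            findings[str(path)] = weak
    return findings

if __name__ == "__main__":
    for k in weak_keys(parse_keys(SAMPLE_LISTING)):
        print(f"weak: {k['algo']}{k['bits']} {k['fpr']}")
```

Keys referenced via `Signed-By:` in sources files live outside `/etc/apt/trusted.gpg.d` (commonly `/etc/apt/keyrings`), so run `audit_keyring_dir` over those directories too.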