Improvements to PPA management in 23.10

We’re excited to announce the release of software-properties 0.99.37, just uploaded to mantic-proposed! This update brings a significant change to how PPAs are managed on Ubuntu systems, thanks to the hard work of @enr0n.

In previous versions of Ubuntu, PPAs were managed through a traditional .list file located at /etc/apt/sources.list.d/, accompanied by a gpg keyring at /etc/apt/trusted.gpg.d.

However, starting with version 23.10, we have introduced a new approach. PPAs are now added as deb822-formatted .sources files, where the keys are directly embedded into the file’s Signed-By field. This change offers several key advantages:

  • Removal of a repository also removes its associated key.
  • Establishes a 1:1 relationship between the PPA and its key:
    • The key is dedicated to the specific PPA and cannot be used for other repositories (unlike the old trusted.gpg.d, which was a global store for all sources).
    • Other keys cannot be utilized to sign the PPA.

We believe that these enhancements will enhance the security and reliability of managing PPAs on your Ubuntu systems. Stay tuned for more updates and let us know your feedback!

18 Likes
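As an added illustration (not part of the announcement or of software-properties’ own code), here is a small Python check that parses deb822 .sources stanzas and reports whether each entry carries an embedded Signed-By key, as the new layout does, or still points at a keyring under the shared /etc/apt/trusted.gpg.d store. The sample stanzas, PPA names and key body are constructed placeholders, not real data.

```python
"""Audit deb822 .sources stanzas for embedded Signed-By keys.

Added example, not software-properties code. SAMPLE_SOURCES is constructed;
the armored key body is a placeholder, not a real key.
"""

SAMPLE_SOURCES = """\
Types: deb
URIs: https://ppa.launchpadcontent.net/example-owner/example-ppa/ubuntu
Suites: mantic
Components: main
Signed-By:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 .
 mQINBEXAMPLEPLACEHOLDERKEYBODYNOTAREALKEY
 =AbCd
 -----END PGP PUBLIC KEY BLOCK-----

Types: deb
URIs: https://ppa.launchpadcontent.net/other-owner/legacy-ppa/ubuntu
Suites: mantic
Components: main
Signed-By: /etc/apt/trusted.gpg.d/legacy-ppa.gpg
"""


def parse_deb822(text):
    """Split deb822 text into stanzas (dicts of field -> value).
    Continuation lines start with whitespace and are joined with newlines."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends a stanza
            if current:
                stanzas.append(current)
                current, last = {}, None
            continue
        if line[0] in " \t" and last is not None:  # continuation of last field
            current[last] += "\n" + line.strip()
        else:
            key, _, val = line.partition(":")
            last = key.strip()
            current[last] = val.strip()
    if current:
        stanzas.append(current)
    return stanzas


def embedded_key_status(stanza):
    """'embedded' for an inline armored key (1:1 key-to-repo binding),
    'global-keyring' for a file under trusted.gpg.d (shared trust store),
    'keyring-file' for any other path, 'unsigned' if Signed-By is absent."""
    signed_by = stanza.get("Signed-By", "")
    if not signed_by:
        return "unsigned"
    if "-----BEGIN PGP PUBLIC KEY BLOCK-----" in signed_by:
        return "embedded"
    if signed_by.startswith("/etc/apt/trusted.gpg.d/"):
        return "global-keyring"
    return "keyring-file"


def audit(text):
    """Return (URIs, status) for every stanza in a .sources file body."""
    return [(s.get("URIs"), embedded_key_status(s)) for s in parse_deb822(text)]
```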

What is the timeline on implementing a fix (key rollover) for old PPAs that still have 1024-bit keys?

It’s simply impossible to deprecate RSA1024 keys for us at the apt level, only GnuPG can make that change, and then Launchpad would need to update or the PPA owners need to migrate to new PPAs for the series shipping that new gnupg.

My preference would be to start dual-signing these PPAs with 4096R keys ASAP, and only advertise the 4096R key ID from the PPA page such that add-apt-repository adds the 4096R key only on new additions.

And ubuntu-release-upgrader should be rewriting add-apt-repository added PPA sources + keys to deb822 with embedded keys on upgrade to mantic really, that should be reasonably easy to do. It would be relatively straightforward and sensible to add the key upgrade mechanism at that point.

But I’m afraid I can’t speak for the Launchpad server side stuff, to the best of my knowledge nothing is planned yet.

2 Likes