We’re excited to announce the release of software-properties 0.99.37, just uploaded to mantic-proposed! This update brings a significant change to how PPAs are managed on Ubuntu systems, thanks to the hard work of @enr0n.
In previous versions of Ubuntu, PPAs were managed through a traditional .list file located at /etc/apt/sources.list.d/, accompanied by a gpg keyring at /etc/apt/trusted.gpg.d.
However, starting with version 23.10, we have introduced a new approach. PPAs are now added as deb822-formatted .sources files, where the keys are directly embedded into the file’s Signed-By field. This change offers several key advantages:
- Removal of a repository also removes its associated key.
- Establishes a 1:1 relationship between the PPA and its key:
  - The key is dedicated to the specific PPA and cannot be used for other repositories (unlike the old trusted.gpg.d, which was a global store for all sources).
  - Other keys cannot be utilized to sign the PPA.
We believe that these enhancements will enhance the security and reliability of managing PPAs on your Ubuntu systems. Stay tuned for more updates and let us know your feedback!
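As an added illustration (not code from software-properties or from the announcement), the Python below sketches the format change described above: it turns a one-line-style entry plus an ASCII-armored key into a deb822 stanza with the key embedded in Signed-By, and classifies any stanza by whether its key is embedded, referenced by path, or absent (the last case falling back to the global trusted keyrings). The source line and key block are constructed samples, not a real PPA or key.

```python
import re

# Constructed sample inputs for the demonstration; the key block is a placeholder, not a real key.
SAMPLE_LIST_LINE = "deb https://ppa.example.org/example/ppa/ubuntu mantic main"
SAMPLE_ARMORED_KEY = """-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFplaceholderKeyDataNotARealKey00000000000000000000000000000
=AbCd
-----END PGP PUBLIC KEY BLOCK-----"""

LIST_LINE_RE = re.compile(r"^(deb|deb-src)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def list_line_to_deb822(line, armored_key):
    """Build a deb822 stanza from a one-line-style entry, embedding the armored key in Signed-By."""
    m = LIST_LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a one-line-style apt source: %r" % line)
    kind, uri, suite, components = m.groups()
    # deb822 multi-line values: every continuation line starts with a space,
    # and an empty line inside the value is written as a lone dot.
    key_lines = [" ." if not raw.strip() else " " + raw for raw in armored_key.strip().splitlines()]
    fields = ["Types: " + kind, "URIs: " + uri, "Suites: " + suite,
              "Components: " + components, "Signed-By:"] + key_lines
    return "\n".join(fields) + "\n"


def signed_by_kind(stanza):
    """Classify a stanza: 'embedded' (key inline), 'path' (external keyring file), or 'none'."""
    lines = stanza.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("Signed-By:"):
            continue
        value = line[len("Signed-By:"):].strip()
        if value.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
            return "embedded"
        if value:
            return "path"  # e.g. Signed-By: /usr/share/keyrings/example.gpg
        for cont in lines[i + 1:]:
            if not cont.startswith(" "):
                break  # end of the multi-line value
            if "BEGIN PGP PUBLIC KEY BLOCK" in cont:
                return "embedded"
        return "none"  # Signed-By present but carries no key
    return "none"  # no Signed-By at all: apt falls back to the global trusted keyrings


if __name__ == "__main__":
    stanza = list_line_to_deb822(SAMPLE_LIST_LINE, SAMPLE_ARMORED_KEY)
    print(stanza)
    print("signing:", signed_by_kind(stanza))
```

Running `signed_by_kind` over each stanza in /etc/apt/sources.list.d/*.sources is a quick way to audit which sources still rely on a shared keyring rather than a key pinned to that one repository.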
It’s simply impossible to deprecate RSA1024 keys for us at the apt level, only GnuPG can make that change, and then launchpad would need to update or the PPA owners need to migrate to new PPAs for the series shipping that new gnupg.
My preference would be to start dual-signing these PPAs with 4096R keys ASAP, and only advertise the 4096R key ID from the PPA page such that add-apt-repository adds the 4096R key only on new additions.
And ubuntu-release-upgrader should be rewriting add-apt-repository added PPA sources + keys to deb822 with embedded keys on upgrade to mantic really, that should be reasonably easy to do. It would be relatively straightforward and sensible to add the key upgrade mechanism at that point.
But I’m afraid I can’t speak for the Launchpad server side stuff, to the best of my knowledge nothing is planned yet.
As for managing PPAs, the official ppa-purge has been unmaintained since 2016 and cannot currently handle systems using the deb822 format. I have developed ppa-purge a lot (including fixing its bugs) at my own expense in my own branch after that, but even that does not support the deb822 format currently. I expect some support from Canonical. Has support for downgrading packages been considered for implementation in add-apt-repository (with the --remove option)?