Ubuntu Wiki

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

• Launchpad Entry: apt-archive-key-signatures

• Packages affected: apt

Summary

We do not have a good mechanism to support key rollover for the archive signing key. This should be fixed.

Release Note

TBD

Rationale

A key rollover procedures is important for emergencies (if e.g. the current archive signing key gets compromised) and for regular key updates.

Design

In addition to the current archive signing key we add a master signing key and put the public half into the ubuntu-archive-keyring package. We only trust ubuntu archive keys that are signed with this key. Special measures are taken to ensure that the private half of the master key is stored in a safe location.

If a key rollover is needed (either for regular maintainance or because of a compromise) we generate a new archive signing key and sign it with the master key. The archive is then signed with both the old archive signing key and the new archive signing key. A new ubuntu-archive-keyring package is created and uploaded into $distro-security. When apt-key update is run it will only import keys with the "Ubuntu.*Automatic Signing Key" string if those are verified with the master key.

In addition to that, we add a "apt-key update" that will try to download the current archive singing keyring from a fixed (per-release) location on archive.ubuntu.com. Keys from that location will only be imported if they are signed with the master key. This ensures that even if the archive gets compromised new bogus keys can not be added. We make the apt-key update part of the nightly apt-get update cron job and ensure that it is run before the actual apt-get commands. A apt-key update will be added as APT::Update::Post-Invoke hook.

The reason for this additional apt-key update step is that if the archive key gets compromised it is no longer secure to install the updated ubuntu-archive-keyring package even after the archive got restored. The attack is a man-in-the-middle attack where the attacker creates a fake archive with a modified ubuntu-archive-keyring package that does something bad in its preinst script. The archive is then signed with the broken old archive-key so that the apt on the users machine does not notice that change.

Even with apt-key update looking at the network, we still need to keep the ubuntu-archive-keyring package to make it possible to update the archive singing keys for non-networked machines that get updates via e.g. CDROM. It is also needed to remove compromised keys from the archive-keyring by adding them to /usr/share/keyrings/ubuntu-archive-removed-keys.gpg

Implementation

A ubuntu-keyring package with the master key is uploaded as ubuntu-keyring_2008.01.16.

Test/Demo Plan

TBD - needs to go into the apt authentication testsuit

Outstanding Issues

None

CategorySpec