diff -Nru ubuntu-keyring-2016.09.01/debian/changelog ubuntu-keyring-2016.09.19/debian/changelog
--- ubuntu-keyring-2016.09.01/debian/changelog 2016-09-01 17:45:52.000000000 +0000
+++ ubuntu-keyring-2016.09.19/debian/changelog 2016-09-19 17:32:38.000000000 +0000
@@ -1,3 +1,16 @@
+ubuntu-keyring (2016.09.19) yakkety; urgency=medium
+
+ * Ship each active key in a separate keyring in /etc/apt/trusted.gpg.d/
+ as conffiles for simpler usage of apt-secure(8).
+ * Remove all active keys from /etc/apt/trusted.gpg as they are shipped
+ now as fragment files.
+ * Depend on gpgv and only recommend gnupg.
+ * Stop calling apt-key update LP: #1619444
+ * Generate SHA512SUMS.txt.asc file, signed by me, and verified against
+ debian-keyring at build time as a weak consistency check.
+
+ -- Dimitri John Ledkov Fri, 16 Sep 2016 14:36:10 +0100
+
 ubuntu-keyring (2016.09.01) yakkety; urgency=medium
 
 * Depend on "gnupg | gnupg1". LP: #1615039
diff -Nru ubuntu-keyring-2016.09.01/debian/control ubuntu-keyring-2016.09.19/debian/control
--- ubuntu-keyring-2016.09.01/debian/control 2016-09-01 17:44:00.000000000 +0000
+++ ubuntu-keyring-2016.09.19/debian/control 2016-09-19 17:28:35.000000000 +0000
@@ -3,13 +3,14 @@
 Priority: optional
 Maintainer: Michael Vogt
 Standards-Version: 3.8.3
+Build-Depends: gnupg, debian-keyring
 
 Package: ubuntu-keyring
 Priority: important
 Architecture: all
 Multi-Arch: foreign
-Depends: gnupg | gnupg1
-Recommends: gpgv
+Depends: gpgv
+Recommends: gnupg | gnupg1
 Description: GnuPG keys of the Ubuntu archive
 The Ubuntu project digitally signs its Release files. This package
 contains the archive keys used for that.
diff -Nru ubuntu-keyring-2016.09.01/debian/postinst ubuntu-keyring-2016.09.19/debian/postinst
--- ubuntu-keyring-2016.09.01/debian/postinst 2010-09-30 13:41:21.000000000 +0000
+++ ubuntu-keyring-2016.09.19/debian/postinst 2016-09-19 18:11:40.000000000 +0000
@@ -1,36 +1,18 @@
 #!/bin/sh
-# the keyring in /var that gets fetched by apt-key net-update
-# if it does not yet exist, copy it to avoid uneeded net copy
-KEYRINGDIR="/var/lib/apt/keyrings"
-KEYRING="${KEYRINGDIR}/ubuntu-archive-keyring.gpg"
+set -e
 
-if ! test -d $KEYRINGDIR; then
- mkdir -m 755 -p $KEYRINGDIR
-fi
-
-if ! test -f $KEYRING; then
- cp /usr/share/keyrings/ubuntu-archive-keyring.gpg $KEYRING
- touch $KEYRING
-fi
-
-# sensible default permissions if there is no keyring yet
-# (gpg will use 0600 otherwise and that will break release-upgrades later)
-ETC_KEYRING="/etc/apt/trusted.gpg"
-if [ ! -f $ETC_KEYRING ]; then
- touch $ETC_KEYRING
- chmod 0644 $ETC_KEYRING
-fi
-
-# during maverick we had keyrings created with mode 0600
-# but this will break tools like update-managers release-downloader
-# because it uses the trusted.gpg keyring to verify the signature (as user)
-if dpkg --compare-versions "$2" lt-nl "2010.+09.30"; then
- chmod 0644 $ETC_KEYRING
-fi
-
-# make sure apt knows about the new keys
-if [ -x /usr/bin/apt-key ]; then
- /usr/bin/apt-key update
+if [ "$1" = 'configure' -a -n "$2" ]; then
+ # remove keys from the trusted.gpg file as they are now shipped in fragment files in trusted.gpg.d
+ if dpkg --compare-versions "$2" 'lt' "2016.09.19" && which gpg > /dev/null && which apt-key > /dev/null; then
+ TRUSTEDFILE='/etc/apt/trusted.gpg'
+ eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
+ eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
+ if [ -e "$TRUSTEDFILE" ]; then
+ for KEY in 40976EAF437D05B5 46181433FBB75451 3B4FE6ACC0B21F32 D94AA3F0EFE21092; do
+ apt-key --keyring "$TRUSTEDFILE" del $KEY > /dev/null 2>&1 || :
+ done
+ fi
+ fi
 fi
diff -Nru ubuntu-keyring-2016.09.01/debian/README.source ubuntu-keyring-2016.09.19/debian/README.source
--- ubuntu-keyring-2016.09.01/debian/README.source 1970-01-01 00:00:00.000000000 +0000
+++ ubuntu-keyring-2016.09.19/debian/README.source 2016-09-19 18:14:35.000000000 +0000
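Review bot: The legacy-key removal is skipped silently when gpg or apt-key is not installed, and because the whole block is gated on `dpkg --compare-versions "$2" 'lt' "2016.09.19"` it is never retried on a later upgrade, so a system installed without Recommends (debian/control now has `Depends: gpgv` and only recommends gnupg) keeps the four keys in trusted.gpg as well as in trusted.gpg.d indefinitely. That widens nothing, since they are the same keys, but it defeats the stated goal and leaves no trace; an `else` on the inner `if` with `echo "ubuntu-keyring: gpg/apt-key unavailable, legacy keys left in apt's trusted.gpg" >&2` would at least make the skipped migration visible in the upgrade log. The `for KEY in` list uses 64-bit long key IDs while debian/rules exports the same keys by full fingerprint; listing the fingerprints here too makes it obvious that the two sets match. `which` is not specified by POSIX, so `command -v gpg >/dev/null 2>&1` is the portable form of the availability test.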
@@ -0,0 +1,15 @@
+The fingerprints currently in use by The Ubuntu Project are currently
+listed at:
+
+ https://wiki.ubuntu.com/SecurityTeam/FAQ#GPG_Keys_used_by_Ubuntu
+
+The sha512sums of the keyrings and fragments can be verified using:
+
+ $ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --decrypt SHA512SUMS.txt.asc | sha512sum -c -
+ $ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --decrypt md5sums.txt | md5sum -c -
+
+It is left as an excercise to the reader to establish trust path to
+the Debian Project strongly connect set of keys.
+
+
+ -- Dimitri John Ledkov , Mon, 19 Sep 2016 19:14:35 +0100
diff -Nru ubuntu-keyring-2016.09.01/debian/rules ubuntu-keyring-2016.09.19/debian/rules
--- ubuntu-keyring-2016.09.01/debian/rules 2010-05-27 16:53:12.000000000 +0000
+++ ubuntu-keyring-2016.09.19/debian/rules 2016-09-19 18:14:00.000000000 +0000
@@ -23,7 +23,7 @@
 -rm -f foo foo.asc *.bak *~ */*~ debian/files* debian/*substvars
 -rm -rf debian/tmp debian/ubuntu-keyring-udeb
 
-binary-indep: checkroot
+binary-indep: checkroot checkkeyrings
 $(checkdir)
 -rm -rf debian/tmp
 $(install_dir) debian/tmp/DEBIAN/
@@ -34,6 +34,12 @@
 $(install_file) keyrings/ubuntu-archive-removed-keys.gpg debian/tmp/usr/share/keyrings/
 $(install_file) keyrings/ubuntu-master-keyring.gpg debian/tmp/usr/share/keyrings/
 
+ $(install_dir) debian/tmp/etc/apt/trusted.gpg.d/
+ $(install_file) keyrings/ubuntu-keyring-2004-archive.gpg debian/tmp/etc/apt/trusted.gpg.d/
+ $(install_file) keyrings/ubuntu-keyring-2004-cdimage.gpg debian/tmp/etc/apt/trusted.gpg.d/
+ $(install_file) keyrings/ubuntu-keyring-2012-archive.gpg debian/tmp/etc/apt/trusted.gpg.d/
+ $(install_file) keyrings/ubuntu-keyring-2012-cdimage.gpg debian/tmp/etc/apt/trusted.gpg.d/
+
 $(install_dir) debian/tmp/usr/share/doc/ubuntu-keyring/
 $(install_file) README debian/tmp/usr/share/doc/ubuntu-keyring/
 $(install_file) debian/changelog debian/tmp/usr/share/doc/ubuntu-keyring/changelog
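Review bot: The four `$(install_file)` lines into debian/tmp/etc/apt/trusted.gpg.d/ turn the key fragments into conffiles, which changes how a key is withdrawn later: dropping one of these lines in a future upload leaves the file on installed systems, so apt keeps trusting that key until the maintainer scripts remove it with `dpkg-maintscript-helper rm_conffile`. A comment at this block would spare the next person who retires a key, for example `# fragments below are conffiles: retiring a key also needs rm_conffile in the maintainer scripts`. The fragments also have to stay world-readable; the postinst comment this upload removes recorded that 0600 keyrings broke tools verifying as an unprivileged user, and whether `$(install_file)` installs mode 0644 depends on its definition, which is outside this hunk.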
@@ -74,4 +80,16 @@
 $(checkdir)
 test root = "`whoami`"
 
-.PHONY: binary binary-arch binary-indep clean checkroot build
+regenerate-key-fragments:
+ rm -f keyrings/ubuntu-keyring-*.gpg
+ gpg --no-default-keyring --keyring ./keyrings/ubuntu-archive-keyring.gpg --output keyrings/ubuntu-keyring-2004-archive.gpg --export 0x630239CC130E1A7FD81A27B140976EAF437D05B5
+ gpg --no-default-keyring --keyring ./keyrings/ubuntu-archive-keyring.gpg --output keyrings/ubuntu-keyring-2004-cdimage.gpg --export 0xC5986B4F1257FFA86632CBA746181433FBB75451
+ gpg --no-default-keyring --keyring ./keyrings/ubuntu-archive-keyring.gpg --output keyrings/ubuntu-keyring-2012-archive.gpg --export 0x790BC7277767219C42C86F933B4FE6ACC0B21F32
+ gpg --no-default-keyring --keyring ./keyrings/ubuntu-archive-keyring.gpg --output keyrings/ubuntu-keyring-2012-cdimage.gpg --export 0x843938DF228D22F7B3742BC0D94AA3F0EFE21092
+ sha512sum keyrings/*.gpg | gpg --clearsign > SHA512SUMS.txt.asc
+
+checkkeyrings:
+ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --decrypt SHA512SUMS.txt.asc | sha512sum -c -
+ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --decrypt md5sums.txt | md5sum -c -
+
+.PHONY: binary binary-arch binary-indep clean checkroot checkkeyrings build
Binary files /tmp/tmpm9EGCS/tRZf3Xj2dW/ubuntu-keyring-2016.09.01/keyrings/ubuntu-keyring-2004-archive.gpg and /tmp/tmpm9EGCS/Jj76t3jKZs/ubuntu-keyring-2016.09.19/keyrings/ubuntu-keyring-2004-archive.gpg differ
Binary files /tmp/tmpm9EGCS/tRZf3Xj2dW/ubuntu-keyring-2016.09.01/keyrings/ubuntu-keyring-2004-cdimage.gpg and /tmp/tmpm9EGCS/Jj76t3jKZs/ubuntu-keyring-2016.09.19/keyrings/ubuntu-keyring-2004-cdimage.gpg differ
Binary files /tmp/tmpm9EGCS/tRZf3Xj2dW/ubuntu-keyring-2016.09.01/keyrings/ubuntu-keyring-2012-archive.gpg and /tmp/tmpm9EGCS/Jj76t3jKZs/ubuntu-keyring-2016.09.19/keyrings/ubuntu-keyring-2012-archive.gpg differ
Binary files
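Review bot: In `checkkeyrings` the signature check is not enforced: each recipe line's status is that of `sha512sum -c` / `md5sum -c` at the end of the pipe, not of gpg, and gpg still emits the clearsigned text on stdout when it reports a BAD signature or has no key to check it with, so the target passes on checksum agreement alone and the debian-keyring verification the changelog promises can never fail the build. Add an explicit verify step before each pipe, `gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --verify SHA512SUMS.txt.asc` and the same for md5sums.txt, as their own recipe lines so a non-zero status stops make; the two commands in debian/README.source have the same shape and need the same first step. Even then any key in debian-keyring satisfies the check, which is what the changelog's "weak consistency check" wording acknowledges and what a comment on this target should state. `regenerate-key-fragments` is not a file and belongs in `.PHONY:` next to checkkeyrings, and its `sha512sum keyrings/*.gpg | gpg --clearsign > SHA512SUMS.txt.asc` has the same pipe-status issue in the other direction: a sha512sum failure would still be signed.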
/tmp/tmpm9EGCS/tRZf3Xj2dW/ubuntu-keyring-2016.09.01/keyrings/ubuntu-keyring-2012-cdimage.gpg and /tmp/tmpm9EGCS/Jj76t3jKZs/ubuntu-keyring-2016.09.19/keyrings/ubuntu-keyring-2012-cdimage.gpg differ
diff -Nru ubuntu-keyring-2016.09.01/SHA512SUMS.txt.asc ubuntu-keyring-2016.09.19/SHA512SUMS.txt.asc
--- ubuntu-keyring-2016.09.01/SHA512SUMS.txt.asc 1970-01-01 00:00:00.000000000 +0000
+++ ubuntu-keyring-2016.09.19/SHA512SUMS.txt.asc 2016-09-19 17:22:18.000000000 +0000
@@ -0,0 +1,21 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+07765ea2e31760ae608822feff75a190bbd3af5bf78a991f3c81a382a876a43300a02c951b9d09f4527f8510dd19734c011cc76a45228d356850c1488190a31a keyrings/ubuntu-archive-keyring.gpg
+cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e keyrings/ubuntu-archive-removed-keys.gpg
+f411ba42f4c80f80f99f8ca7f794eae73d2c6dbdd269dabcad6e84469d38af5cc088084d795821fe0f71bef7938e55ed3ee39172fb2d1914574adef345e29d8f keyrings/ubuntu-keyring-2004-archive.gpg
+a65433e0e995c32ef1f1856839dfa498a06cff98a5767265661a1076576253134446e0e777328553b7f57666f151d9cb6586fa9ada26a565e568f58238cd3efa keyrings/ubuntu-keyring-2004-cdimage.gpg
+34bad6f9713c5837d3139dcb3a49239373fe5c242f31c3ca539888d16c2d5e63074c806e700553bdf9b6879e3c2b48c835a900df4ff8dfa96afd041d2357733e keyrings/ubuntu-keyring-2012-archive.gpg
+20dc1ea69f80cfd996e3cf550935dd49db0cfe9e7169f60861d008b4b53d8f4500583f4cd2aa0e2acba199be18500dc075363daba78412c4b4957026e3220e1b keyrings/ubuntu-keyring-2012-cdimage.gpg
+119434cc859f9537e5c4e2352037045748fa5f7f8242d703d52c6e891a1c59e282225bc4f440c1218be9c70cf2a629609b2487b67b990073a39a5d753188d4e3 keyrings/ubuntu-master-keyring.gpg
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQEcBAEBCAAGBQJX4B7JAAoJEMrC2LnNLKX5SuUIAI6YapNrUNYwNzFK5AYqK6v0
+PYvddnUtq571xnAWIDNoVpjJgemP8jHXdU7tIcYPqp5MqlCKEzpPbvryki5rOXrA
+mTZ6PIGc4JoTuWAuCkCdl6o0ft2VdfhXmwg8ERKz9hZduQPkI6wtzBgedi4ZOUvn
+P3PBCvjeqor8DIREUxHqDnH9dIRe0g+z/3AS3cuLVM1zAcdQGotmvnF5kaMTZ/Sc
+kVofYZUZnIZcozl8eCJx+knE6RXFjSqxti+L3Mq/Qid4hKtP4en3Y0Rjn+bf0R3o
+F0V6j3hs1hlQQrP3/ZpdjNGousOTsQSR3onxmgruhP0vpofZ93wck6ciFQ6J43o=
+=/kYO
+-----END PGP SIGNATURE-----