Only revoke weak RSA keys now, add 'next' and 'future' levels

Julian Andres Klode requested to merge jak/apt:deprecate-pubkey-algos into main

This implements a couple of bits:

  1. Adding an audit level to the download methods so they can issue audit messages
  2. Introducing a LaterWorthless level that is like SoonWorthless but issues audit messages
  3. A new function with test cases that checks a public key string against an assertion list
  4. New future and next levels that issue audit or warning levels for keys not allowed in them.

This allows us to revoke <rsa2048 now, have warnings for uncommon keys like Brainpool, and issue only audit messages for NIST keys (and RSA3072).

Fixes: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2073126

Edited by Julian Andres Klode
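
The tiered check this merge request describes can be sketched as follows. This is an added example, not code from the merge request or from apt. The key-string form (`rsa2048`, `nistp256`), the `>=` list grammar, the names `IsAsserted`, `Classify` and `Policy`, and the three sample lists are all assumptions made for illustration.

```cpp
#include <cctype>
#include <cstdlib>
#include <sstream>
#include <string>

// Assumed key-string form: algorithm name plus size or curve, e.g. "rsa2048".
// Assumed list grammar: comma-separated exact names or ">=<name><bits>".

// Split "rsa2048" into name "rsa" and bits 2048; false without trailing digits.
static bool SplitSize(const std::string &s, std::string &name, unsigned long &bits) {
   std::size_t i = s.size();
   while (i > 0 && std::isdigit(static_cast<unsigned char>(s[i - 1]))) --i;
   if (i == 0 || i == s.size()) return false;
   name = s.substr(0, i);
   bits = std::strtoul(s.c_str() + i, nullptr, 10);
   return true;
}

// True if the key matches any entry; an empty or unmatched list fails closed.
bool IsAsserted(const std::string &key, const std::string &list) {
   std::istringstream in(list);
   std::string entry, kn, en;
   unsigned long kb = 0, eb = 0;
   while (std::getline(in, entry, ',')) {
      if (entry == key) return true;
      if (entry.compare(0, 2, ">=") == 0 && SplitSize(key, kn, kb) &&
          SplitSize(entry.substr(2), en, eb) && kn == en && kb >= eb)
         return true;
   }
   return false;
}

enum class Level { Ok, Audit, Warning, Error };
struct Policy { std::string now, next, future; };

// Check the current list first, then 'next', then 'future'.
Level Classify(const std::string &key, const Policy &p) {
   if (!IsAsserted(key, p.now)) return Level::Error;      // revoked today
   if (!IsAsserted(key, p.next)) return Level::Warning;   // not allowed in 'next'
   if (!IsAsserted(key, p.future)) return Level::Audit;   // not allowed in 'future'
   return Level::Ok;
}

// Constructed lists for illustration; not apt's shipped defaults.
const Policy kSample = {
   ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp521,brainpoolP256r1",
   ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp521",
   ">=rsa3072,ed25519,ed448",
};
```

With these sample lists, `rsa1024` is rejected, `brainpoolP256r1` draws a warning, `nistp256` draws only an audit message, and `ed25519` passes silently.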