AptArchiveKeySignatures

Revision 2 as of 2007-11-14 14:39:50


Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

Summary

We do not have a good mechanism to support key rollover for the archive signing key. This should be fixed.

Release Note

TBD

Rationale

A key rollover procedure is important for emergencies (e.g. if the current archive signing key gets compromised) and for regular key updates.

Design

In addition to the current signing key we add a master signing key whose public half is put into the ubuntu-archive-keyring package. We only trust Ubuntu archive keys that are signed with this master key. Special measures are taken to ensure that the private half of the master key is stored in a safe location.

If a key rollover is needed we generate a new archive signing key and sign it with the master key. The archive is then signed with both the old archive signing key and the new archive signing key. A new ubuntu-archive-keyring package is created and uploaded into $distro-security. When apt-key update is run it will only import keys with the "Ubuntu.*Automatic Signing Key" string if their signatures verify against the master key.

If the archive key gets compromised it is no longer secure to install the updated ubuntu-archive-keyring package, even after the archive has been restored. The attack is a man-in-the-middle attack where the attacker creates a fake archive with a modified ubuntu-archive-keyring package that does something bad in its preinst script. The fake archive is then signed with the compromised old archive key, so apt on the user's machine does not notice the change.

The fix for this is to add an "apt-key net-update" (or make it part of the existing apt-key update) that will download the current archive signing keyring from a fixed (per-release) location on archive.ubuntu.com. Keys from that location will only be imported if they are signed with the master key. This ensures that even if the archive gets compromised, new keys cannot be added. We could also make the apt-key net-update part of the nightly apt-get update cron job. We need to keep the ubuntu-archive-keyring package to make it possible to update the archive signing keys for non-networked machines that get updates via e.g. CD-ROM.
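The import rule shared by the apt-key update path above and the net-update path here is: a key from the downloaded keyring is accepted only if its user id contains "Ubuntu.*Automatic Signing Key" and it carries a good certification from the master key; a key with the right name but only a self-signature, a key whose master certification fails to verify, and a key signed by the master but carrying a foreign name are all rejected. The following is an added example, not part of this spec and not apt-key's own code: it applies that rule to the machine-readable output of gpg --with-colons --check-sigs. The keyring listing, key ids, fingerprints and dates are constructed for the example.

```python
"""Added example (not part of the AptArchiveKeySignatures spec or of apt-key):
select the keys a net-update may import from a downloaded archive keyring,
following the Design section's rule. Input is the record format emitted by
`gpg --with-colons --check-sigs`: field 1 is the record type, field 5 the key id,
field 10 the user id (uid records) or signer name (sig records), and on sig
records field 2 is the validity ('!' good, '-' bad, '%' error, '?' unknown signer).
"""
import re
from dataclasses import dataclass, field

# The name test from the spec: only keys carrying this string may be imported.
UID_PATTERN = re.compile(r"Ubuntu.*Automatic Signing Key")


@dataclass
class Key:
    keyid: str
    fingerprint: str = ""
    uids: list = field(default_factory=list)
    sigs: list = field(default_factory=list)  # (validity, signer keyid) pairs


def parse_check_sigs(text):
    """Group pub/fpr/uid/sig records into Key objects; sub-key records are ignored."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            cur = Key(keyid=f[4])
            keys.append(cur)
        elif cur is None:
            continue
        elif rec == "fpr" and not cur.fingerprint:
            cur.fingerprint = f[9]  # first fpr after pub is the primary key's fingerprint
        elif rec == "uid":
            cur.uids.append(f[9])
        elif rec == "sig":
            cur.sigs.append((f[1], f[4]))
    return keys


def master_verified(key, master_keyids):
    """True if a master key (never the key itself) has a *good* certification on it."""
    return any(v == "!" and s in master_keyids and s != key.keyid for v, s in key.sigs)


def keys_to_import(check_sigs_output, master_keyids):
    """Fingerprints of keys that pass both the name test and the master-signature test."""
    accepted = []
    for key in parse_check_sigs(check_sigs_output):
        if key.keyid in master_keyids:
            continue  # the master key ships in the keyring package, never via net-update
        if not any(UID_PATTERN.search(u) for u in key.uids):
            continue  # wrong name, even if the master signed it
        if not master_verified(key, master_keyids):
            continue  # self-signed only, or the master certification does not verify
        accepted.append(key.fingerprint)
    return accepted


# Constructed listing: master key 1111..., a properly rolled-over key 2222...,
# an impostor 3333... with the right name but no master signature, a key 4444...
# whose master signature is bad, and a foreign-named key 5555... the master did sign.
MASTER_KEYID = "1111111111111111"
SAMPLE_LISTING = """\
pub:u:4096:1:1111111111111111:1190000000:::u:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1190000000::A1::Ubuntu Archive Master Signing Key (test) <ftpmaster@example.invalid>::::::::::0:
sig:!::1:1111111111111111:1190000000::::Ubuntu Archive Master Signing Key (test) <ftpmaster@example.invalid>:13x:::::2:
pub:-:4096:1:2222222222222222:1195000000:::-:::scESC::::::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:-::::1195000000::B1::Ubuntu Archive Automatic Signing Key (2008) <ftpmaster@example.invalid>::::::::::0:
sig:!::1:2222222222222222:1195000000::::Ubuntu Archive Automatic Signing Key (2008) <ftpmaster@example.invalid>:13x:::::2:
sig:!::1:1111111111111111:1195000100::::Ubuntu Archive Master Signing Key (test) <ftpmaster@example.invalid>:10x:::::2:
pub:-:4096:1:3333333333333333:1195000200:::-:::scESC::::::23::0:
fpr:::::::::3333333333333333333333333333333333333333:
uid:-::::1195000200::C1::Ubuntu Archive Automatic Signing Key (2008) <ftpmaster@example.invalid>::::::::::0:
sig:!::1:3333333333333333:1195000200::::Ubuntu Archive Automatic Signing Key (2008) <ftpmaster@example.invalid>:13x:::::2:
pub:-:4096:1:4444444444444444:1195000300:::-:::scESC::::::23::0:
fpr:::::::::4444444444444444444444444444444444444444:
uid:-::::1195000300::D1::Ubuntu Archive Automatic Signing Key (2009) <ftpmaster@example.invalid>::::::::::0:
sig:!::1:4444444444444444:1195000300::::Ubuntu Archive Automatic Signing Key (2009) <ftpmaster@example.invalid>:13x:::::2:
sig:-::1:1111111111111111:1195000400::::Ubuntu Archive Master Signing Key (test) <ftpmaster@example.invalid>:10x:::::2:
pub:-:4096:1:5555555555555555:1195000500:::-:::scESC::::::23::0:
fpr:::::::::5555555555555555555555555555555555555555:
uid:-::::1195000500::E1::Debian Archive Automatic Signing Key <debian-keyring@example.invalid>::::::::::0:
sig:!::1:5555555555555555:1195000500::::Debian Archive Automatic Signing Key <debian-keyring@example.invalid>:13x:::::2:
sig:!::1:1111111111111111:1195000600::::Ubuntu Archive Master Signing Key (test) <ftpmaster@example.invalid>:10x:::::2:
"""

if __name__ == "__main__":
    for fpr in keys_to_import(SAMPLE_LISTING, {MASTER_KEYID}):
        print("import", fpr)
```

A real net-update would first import the downloaded keyring into a scratch GNUPGHOME that already contains the master key, run gpg --with-colons --check-sigs there, feed the listing to keys_to_import, and export only the returned fingerprints into the trusted keyring; selecting by full fingerprint rather than 64-bit key id is deliberate, since short ids can collide.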

Implementation

TBD

Test/Demo Plan

TBD - needs to go into the apt authentication test suite

Outstanding Issues

None


CategorySpec