Encrypt ppa signing key with non-deprecated algorithm #1169

Open
jlepere-everlaw opened this issue May 9, 2024 · 5 comments
@jlepere-everlaw

Mentioning this here for lack of a better place (I can't seem to create a bug here).

Signing keys for strukturag PPAs are encrypted using rsa1024 (link), which is deprecated (link). This is preventing my organization from using these PPAs on FIPS compliant machines that have removed this cipher (specifically Ubuntu 22.04 pro w/ FIPS enabled - link).

Can your signing keys please be re-encrypted with something else, like rsa4096? My organization is specifically using libde265 and libheif, if that's helpful.

Thanks in advance! Please let me know if there's a more appropriate place for this issue!
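As an added example (not part of the original issue and not the project's code), this shell function audits `gpg --with-colons` key listings and flags RSA or DSA keys below a minimum size, which is the check that separates the old rsa1024 PPA key from an rsa4096 one. The key IDs and listing are constructed sample data, and the 2048-bit default threshold and the keyring path are assumptions.

```shell
#!/bin/sh
# Added example: flag weak RSA/DSA keys in `gpg --with-colons` output.
# Typical use (the keyring path is a placeholder, not from the issue):
#   gpg --show-keys --with-colons /path/to/ppa-keyring.gpg | audit_key_sizes 2048

# audit_key_sizes [MIN_BITS]
# Reads colon-format key records on stdin and prints one line per primary
# key or subkey: "<WEAK|OK> <algo> <bits> <keyid>".
# Returns 1 if any key is weak, 0 otherwise.
audit_key_sizes() {
    min_bits="${1:-2048}"   # assumed default threshold
    awk -F: -v min="$min_bits" '
        $1 == "pub" || $1 == "sub" {
            bits = $3 + 0; algo = $4 + 0; keyid = $5
            # OpenPGP algorithm IDs: 1-3 are RSA variants, 17 is DSA.
            if (algo >= 1 && algo <= 3) name = "rsa"
            else if (algo == 17)        name = "dsa"
            else                        name = "algo" algo
            # The size threshold only applies to RSA/DSA; elliptic-curve
            # key sizes are not comparable and are reported as-is.
            if ((name == "rsa" || name == "dsa") && bits < min) {
                print "WEAK", name, bits, keyid
                weak = 1
            } else {
                print "OK", name, bits, keyid
            }
        }
        END { exit (weak ? 1 : 0) }
    '
}

# Constructed, abbreviated sample listing (not real keys):
# an RSA-1024 key, an RSA-4096 key and an Ed25519 key (algorithm 22).
SAMPLE_LISTING='pub:-:1024:1:AAAAAAAAAAAAAAAA:1262304000:::-:::scSC:
uid:-::::1262304000::::Constructed old PPA key:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1717200000:::-:::scSC:
uid:-::::1717200000::::Constructed new PPA key:
pub:-:255:22:CCCCCCCCCCCCCCCC:1717200000:::-:::scSC:::::ed25519:'

printf '%s\n' "$SAMPLE_LISTING" | audit_key_sizes 2048 \
    || echo "at least one key is below the minimum size"
```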

@farindk
Contributor

farindk commented May 9, 2024

I'm forwarding this to @fancycode, who is maintaining the PPA.

@fancycode
Member

Looks like it's not possible to manually recreate the PPA signing key:
https://bugs.launchpad.net/launchpad/+bug/1331914

However, Ubuntu will update the keys of all PPAs over time:
https://discourse.ubuntu.com/t/new-requirements-for-apt-repository-signing-in-24-04/42854

Unfortunately I don't know if this already started or how long it will take to reach our libde265 / libheif PPAs.

@jlepere-everlaw
Author

jlepere-everlaw commented Jul 24, 2024

It looks like packages have been signed with a new rsa4096 key (link)? If that's the case, should the launchpad page (link) be updated?

@fancycode
Member

This looks like Ubuntu started creating new keys (we have no way of controlling this), but they are still not used for signing the PPAs.

However, Ubuntu will update the keys of all PPAs over time:
https://discourse.ubuntu.com/t/new-requirements-for-apt-repository-signing-in-24-04/42854

Reading the updated thread, the re-signing of PPAs still is not finished from what I understand.

I know this is unfortunate but again, we (and the PPA creators in general) have no way of manually signing packages or updating keys. This is fully controlled by Canonical / Ubuntu.

@jlepere-everlaw
Author

Okay. Thanks for the context, @fancycode. I appreciate it.
