So from my understanding, these are the big changes in this SRU, regarding the crypto config.

a) Algorithms MISSING from Assert-Pubkey-Algo are now treated as an ERROR, whereas before (noble release) they were WARNINGS.

b) The list of algorithms in Assert-Pubkey-Algo changed:

   ">=rsa2048,ed25519,ed448");
   ">=rsa1024,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1");

   b1) rsa2048 was replaced by rsa1024
   b2) nist*, brainpool*, and secp256k1 were added to the list

c) Two more algorithm lists were added:

   c1) Next: algorithms MISSING from this list will trigger a WARNING
   c2) Future: algorithms MISSING from this list will trigger an AUDIT event (not fully supported in this noble SRU yet, so this "Future" list can be ignored for now)

   Next", ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512");
   Future", ">=rsa3072,ed25519,ed448");

These lists, and how they apply, can be confusing. Here is another way to read these that I came up with:

- Assert-Pubkey-Algo: list of PERMITTED algorithms. If a repository was signed with an algorithm/key NOT listed here, it will trigger an ERROR, regardless of the other lists.
- Assert-Pubkey-Algo::Next: list of NO WARNING algorithms. If a repository was signed with an algorithm/key NOT listed here, it will trigger a WARNING. Should be a subset of the above.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2073126

Title:
  More nuanced public key algorithm revocation

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2073126/+subscriptions
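Added example, not apt's code and not part of the bug report: a small Python model of how the three lists described in the message interact when a repository signing key is checked, with the list contents copied from the message. The reading of ">=rsaNNNN" as "RSA keys of at least NNNN bits", exact-name matching for the other entries, and the `rsa2048`/`nistp256`-style key labels are assumptions of this example, and the subset check implements the author's remark that Next should be a subset of the permitted list.

```python
import re

# List contents copied from the message above (noble SRU values).
PERMITTED = (">=rsa1024,ed25519,ed448,nistp256,nistp384,nistp512,"
             "brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1")
NEXT = ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512"
FUTURE = ">=rsa3072,ed25519,ed448"   # not enforced yet per the message

_MIN_RE = re.compile(r">=([A-Za-z]+)(\d+)")   # e.g. ">=rsa2048" (assumed syntax)
_KEY_RE = re.compile(r"([A-Za-z]+)(\d+)")     # e.g. "rsa1024" (assumed key label)


def parse_list(spec):
    """Split a comma-separated list into (name, min_bits) entries.
    min_bits is None for exact-name entries such as 'ed25519'."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        m = _MIN_RE.fullmatch(item)
        entries.append((m.group(1).lower(), int(m.group(2))) if m else (item, None))
    return entries


def matches(entries, key_algo):
    """True if a key described by key_algo (assumed form 'rsa2048', 'nistp256', ...)
    is accepted by the parsed list."""
    m = _KEY_RE.fullmatch(key_algo)
    family, bits = (m.group(1).lower(), int(m.group(2))) if m else (key_algo, None)
    for name, min_bits in entries:
        if min_bits is None and name == key_algo:
            return True
        if min_bits is not None and name == family and bits is not None and bits >= min_bits:
            return True
    return False


def classify(key_algo, permitted=PERMITTED, nxt=NEXT, future=FUTURE):
    """Outcome for a repository signed with key_algo, in the order the message gives:
    missing from Assert-Pubkey-Algo -> ERROR, from ::Next -> WARNING, from ::Future -> AUDIT."""
    if not matches(parse_list(permitted), key_algo):
        return "ERROR"
    if not matches(parse_list(nxt), key_algo):
        return "WARNING"
    if not matches(parse_list(future), key_algo):
        return "AUDIT"
    return "OK"


def is_subset(narrow, wide):
    """True if every key accepted by `narrow` is also accepted by `wide` (sanity check
    for the 'Next should be a subset of Assert-Pubkey-Algo' expectation)."""
    w = parse_list(wide)
    for name, min_bits in parse_list(narrow):
        if min_bits is None:
            ok = matches(w, name)
        else:
            ok = any(wn == name and wb is not None and wb <= min_bits for wn, wb in w)
        if not ok:
            return False
    return True
```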
a) Algorithms MISSING from Assert-Pubkey-Algo are now treated as an ERROR, whereas before (noble release) they were WARNINGS; b) The list of algorithms in Assert-Pubkey-Algo changed: ">=rsa2048,ed25519,ed448"); ">=rsa1024,ed25519,ed448, nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"); b1) rsa2048 was replaced by rsa1024 b2) nist*, brainpool*, and secp256k1 were added to the list c) Two more algorithms lists were added: c1) Next: algorithms MISSING from this list will trigger a WARNING c2) Future: algorithms MISSING from this list will trigger an AUDIT event (not fully supported in this noble SRU yet, so this "Future" list can be ignored for now) Next", ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512"); Future", ">=rsa3072,ed25519,ed448"); These lists, and how they apply, can be confusing. Here is another way to read these that I came up with: - Assert-Pubkey-Algo: list of PERMITTED algorithms. If a repository was signed with an algorithm/key NOT listed here, it will trigger an ERROR, regardless of the other lists. - Assert-Pubkey_Algo::Next: list of NO WARNING algorithms. If a repository was signed with an algorithm/key NOT listed here, it will trigger a WARNING. Should be a subset of the above. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2073126 Title: More nuanced public key algorithm revocation To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2073126/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs