Ubuntu apt repo key collision security concern

This is not your fault, but there is currently a GPG key collision with your Ubuntu apt repo key, which results in an illegitimate key being installed alongside the legitimate key. I noticed this by installing your key using the command in the guide:

$ apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0xFDA5DFFC
Executing: /tmp/tmp.J95LwFsR4U/gpg.1.sh --keyserver
keyserver.ubuntu.com
--recv-keys
0xFDA5DFFC
gpg: requesting key FDA5DFFC from hkp server keyserver.ubuntu.com
gpg: key FDA5DFFC: public key "Totally Legit Signing Key <mallory@example.org>" imported
gpg: key D9B78493: public key "NzbDrone <contact@nzbdrone.com>" imported
gpg: Total number processed: 2
gpg:               imported: 2  (RSA: 2)

Note the “Totally Legit Signing Key” that is imported.

It seems someone is trying to make a point that the short key IDs are insecure, and this is fair enough. More information about this is here, in case you aren’t already aware: https://dev.gnupg.org/T4136
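An added example, not part of this post or the NzbDrone project: a small Python check that parses `gpg --with-colons --fingerprint` output, flags keys whose 32-bit short IDs collide, and looks a key up by its full fingerprint instead. The listing and fingerprints below are constructed for illustration; only the short IDs come from the output quoted above.

```python
from collections import defaultdict

# Constructed `gpg --with-colons --fingerprint` listing. The fingerprints are
# made up and belong to no real key; the short IDs FDA5DFFC and D9B78493 are
# taken from the apt-key output quoted in the post.
SAMPLE_LISTING = """\
pub:-:4096:1:AAAAAAAAFDA5DFFC:1533000000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAAAAAAFDA5DFFC:
uid:-::::1533000000::0000::Totally Legit Signing Key <mallory@example.org>::::::::::0:
pub:-:4096:1:BBBBBBBBFDA5DFFC:1400000000::-:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA98BBBBBBBBFDA5DFFC:
uid:-::::1400000000::0000::NzbDrone <contact@nzbdrone.com>::::::::::0:
pub:-:4096:1:CCCCCCCCD9B78493:1400000000::-:::scESC::::::23::0:
fpr:::::::::111122223333444455556666CCCCCCCCD9B78493:
uid:-::::1400000000::0000::Example Unrelated Key <nobody@example.org>::::::::::0:
"""

def normalize_fpr(value: str) -> str:
    """Canonical form for a fingerprint or key ID: upper-case hex, no spaces, no 0x."""
    v = value.replace(" ", "").upper()
    return v[2:] if v.startswith("0X") else v

def parse_colons(listing: str) -> list:
    """Return one dict per primary key: keyid (field 5 of pub), fpr, uid.
    Only the first fpr/uid after each pub record is kept, so subkey
    fingerprints (which follow 'sub' records) are ignored."""
    keys, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"keyid": f[4], "fpr": "", "uid": ""}
            keys.append(current)
        elif f[0] == "fpr" and current is not None and not current["fpr"]:
            current["fpr"] = f[9]
        elif f[0] == "uid" and current is not None and not current["uid"]:
            current["uid"] = f[9]
    return keys

def short_id(fpr: str) -> str:
    """The 32-bit short key ID is just the last 8 hex digits of the fingerprint."""
    return normalize_fpr(fpr)[-8:]

def find_short_id_collisions(keys: list) -> dict:
    """Map each short ID shared by more than one key to the colliding user IDs."""
    by_short = defaultdict(list)
    for k in keys:
        by_short[short_id(k["fpr"])].append(k["uid"])
    return {sid: uids for sid, uids in by_short.items() if len(uids) > 1}

def find_by_fingerprint(keys: list, pinned: str):
    """Select a key by its full 160-bit fingerprint; None if absent."""
    want = normalize_fpr(pinned)
    return next((k for k in keys if normalize_fpr(k["fpr"]) == want), None)
```

Pinning the full fingerprint (as the wiki now does) is what makes `find_by_fingerprint` return exactly one key where the short ID matched two.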

Tnx, I knew the short keys were insecure (read about it quite a while ago) but didn’t realize our wiki still had those instructions. I’ll get it updated to the full key.

Edit: I updated it to the full fingerprint. It’ll do for now, but ideally we should move that to the website instead of the wiki.
