URGENT: WebUpd8 Themes PPA Signing Key Listed as "Launchpad VLC" on Keyserver and When Imported

Asked by Lumenary

Hello All Good Launchpad Support Admins:

I recently added the following Launchpad WebUpd8 Themes signing key to
my APT keyring, and noticed that the key seems to collide with (or has
been replaced by) the VLC PPA signing key. This results in packages
coming from WebUpd8 PPAs being reported as "NOT AUTHENTICATED" when
being downloaded/installed.

Here are some excerpts from the WebUpd8 Themes PPA page, and from my
workstation:

    -----------------------------------------------------------------
    Begin Excerpt From Web Page:
    https://launchpad.net/~webupd8team/+archive/themes/?field.series_filter=precise
    -----------------------------------------------------------------

    . . . . . .

    Technical details about this PPA

    This PPA can be added to your system manually by copying the
    lines below and adding them to your system's software sources.

    Display sources.list entries for: [ Precise (12.04) ]

    [ deb http://ppa.launchpad.net/webupd8team/themes/ubuntu precise main ]
    [ deb-src http://ppa.launchpad.net/webupd8team/themes/ubuntu precise main ]

    Signing key:
    1024R/EEA14886 (What is this?)

    Fingerprint:
    7B2C3B0889BF5709A105D03AC2518248EEA14886

    . . . . . .

    -----------------------------------------------------------------
    End Excerpt
    -----------------------------------------------------------------

    -----------------------------------------------------------------
    Begin Excerpt From Web Page:
    http://keyserver.ubuntu.com:11371/pks/lookup?search=0x7B2C3B0889BF5709A105D03AC2518248EEA14886&op=index
    -----------------------------------------------------------------

    Search results for '0x7b2c3b0889bf5709a105d03ac2518248eea14886'

    Type bits/keyID Date User ID

    pub 1024R/EEA14886 2010-05-04 Launchpad VLC

    -----------------------------------------------------------------
    End Excerpt
    -----------------------------------------------------------------

    -----------------------------------------------------------------
    Begin Excerpt From Precise "Software Sources" App:
    (Authentication Tab)
    -----------------------------------------------------------------

    EEA14886 2010-05-04
    Launchpad VLC

    -----------------------------------------------------------------
    End Excerpt
    -----------------------------------------------------------------

Please check into the above issue as soon as possible. I wanted to
bring it to your attention directly. A key collision could have
substantial security ramifications.

Best Regards,

Lumenary on Launchpad
USA - Ohio - Newton Falls

Question information

Language: English
Status: Answered
For: Launchpad itself
Assignee: No assignee

Max Bowsher (maxb) said :
#1

(Disclaimer: I'm not officially associated with Launchpad)

Owing to some historical details of how the PPA system was designed (originally, one PPA per person or team), PPA signing keys are labelled with the name of the first PPA they were created for - but then re-used as is for additional PPAs owned by the same person or team.

This is confusing, but doesn't have security implications beyond that.
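
The check implied by the answer above, as an added example that is not part of the original thread and not Launchpad's own code: a PPA signing key is identified by the full fingerprint published on the PPA page, not by its user ID label or its 8-character short ID. The function names, the timestamps, and the second look-alike key in the sample listing are assumptions constructed for illustration.

```python
# Constructed sample in the colon format printed by `gpg --with-colons --fingerprint`.
# First key: values from the excerpts in the question. Second key: made up, sharing
# only the 8-hex short ID, to show why the short ID alone is not enough.
SAMPLE_LISTING = """\
pub:-:1024:1:C2518248EEA14886:1272931200:::-:::scSC:
fpr:::::::::7B2C3B0889BF5709A105D03AC2518248EEA14886:
uid:-::::1272931200::::Launchpad VLC:
pub:-:1024:1:AAAAAAAAEEA14886:1300000000:::-:::scSC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEEA14886:
uid:-::::1300000000::::Constructed look-alike:
"""

def parse_keys(listing):
    """Group pub/fpr/uid records into one dict per primary key."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "fingerprint": None, "uids": []})
            if len(f) > 9 and f[9]:          # older gpg prints the primary uid here
                keys[-1]["uids"].append(f[9])
        elif f[0] == "fpr" and keys and keys[-1]["fingerprint"] is None:
            keys[-1]["fingerprint"] = f[9]   # first fpr after pub is the primary key's
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys

def normalize(fpr):
    """Accept '0x7b2c...' or space-grouped fingerprints as shown on web pages."""
    s = "".join(fpr.split()).upper()
    return s[2:] if s.startswith("0X") else s

def check_published_fingerprint(listing, published):
    """Compare keyring contents against the fingerprint from the PPA page."""
    want = normalize(published)
    if len(want) != 40:
        raise ValueError("compare the full 40-hex fingerprint, not a key ID")
    result = {"match": None, "short_id_only": []}
    for key in parse_keys(listing):
        fpr = key["fingerprint"] or ""
        if fpr == want:
            result["match"] = key                  # trusted regardless of uid label
        elif fpr[-8:] == want[-8:]:
            result["short_id_only"].append(key)    # same short ID, different key
    return result

if __name__ == "__main__":
    r = check_published_fingerprint(
        SAMPLE_LISTING, "0x7b2c3b0889bf5709a105d03ac2518248eea14886")
    print("match uids:", r["match"]["uids"])
    print("short-ID-only look-alikes:", [k["fingerprint"] for k in r["short_id_only"]])
```
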
