Some more help needed. I read the article, but I am doing something wrong or don’t understand. Does every item listed after the command ‘sudo apt-key list’ need to be taken care of / corrected?
My first item listed is:
pub rsa1024 2013-06-24 [SC]
56E0 9F98 278D 83F6 3047 5E16 FFE1 FFFF AFEC 55BB
uid [ unknown] Launchpad PPA for Stefan Sundin
When I follow the instructions and perform:
sudo apt-key export AFEC55BB | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/Launchpad.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean …
usage: gpg [options] [filename]
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
gpg: [stdout]: write error: Broken pipe
gpg: filter_flush failed on close: Broken pipe
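The “no command supplied” warning above is what gpg prints when the option it was given does not start with two ASCII hyphens; the command as pasted carries an en-dash before dearmour, so gpg never saw a command, wrote nothing, and apt-key’s pipe broke. The script below is an added example (not from the thread or from apt) that migrates a key from the deprecated apt-key keyring into /etc/apt/trusted.gpg.d the way the instructions intend, parses the output of ‘sudo apt-key list’ so every listed key can be handled in turn, and flags short RSA/DSA keys such as the rsa1024 one shown. It assumes apt-key and gpg are installed when the export step runs; the parsing and strength checks run on their own. The sample key listing inside it is constructed from the lines quoted in this post.

```shell
#!/bin/sh
# Added example: migrate apt-key keys into /etc/apt/trusted.gpg.d (one file
# per key) and flag weak keys. Not the thread's or apt's own code.
set -u

KEYRING_DIR=/etc/apt/trusted.gpg.d

# Read `apt-key list` output on stdin; print "<fingerprint> <algo> <uid>" per key.
# The fingerprint is the 40-hex line that follows each "pub" line; the uid is
# the first "uid" line after it, with the "[ unknown]" trust marker removed.
parse_apt_key_list() {
    awk '
        { stripped = $0; gsub(/[ \t]/, "", stripped) }
        /^pub[ \t]/ { algo = $2; fpr = ""; next }
        fpr == "" && stripped ~ /^[0-9A-F]+$/ && length(stripped) == 40 {
            fpr = stripped; next
        }
        /^uid[ \t]/ && fpr != "" {
            uid = $0
            sub(/^uid[ \t]+\[[^]]*\][ \t]*/, "", uid)
            print fpr, algo, uid
            fpr = ""
        }
    '
}

# Exit 0 when an RSA/DSA key is shorter than 2048 bits (e.g. rsa1024).
key_is_weak() {
    case "$1" in
        rsa*|dsa*)
            bits=${1#???}
            case "$bits" in ''|*[!0-9]*) return 1 ;; esac
            [ "$bits" -lt 2048 ]
            ;;
        *) return 1 ;;
    esac
}

# Export one key by fingerprint into its own binary keyring file.
# Two ASCII hyphens before dearmor: an en-dash makes gpg "guess" and do nothing.
migrate_key() {
    fpr=$1
    name=$2
    if ! command -v apt-key >/dev/null 2>&1 || ! command -v gpg >/dev/null 2>&1; then
        echo "apt-key or gpg not installed; cannot export $fpr" >&2
        return 2
    fi
    sudo apt-key export "$fpr" \
        | sudo gpg --batch --yes --dearmor -o "$KEYRING_DIR/$name.gpg"
}

# Walk every key apt-key knows about, warn on weak ones, migrate each.
migrate_all() {
    sudo apt-key list 2>/dev/null | parse_apt_key_list | while read -r fpr algo uid; do
        if key_is_weak "$algo"; then
            echo "WARNING: weak key $algo ($uid), fingerprint $fpr" >&2
        fi
        # Derive a file name from the uid; tidy it up by hand if you prefer.
        name=$(printf '%s' "$uid" | tr -cs 'A-Za-z0-9' '-' | sed 's/-$//')
        migrate_key "$fpr" "${name:-key-$fpr}"
    done
}

# Constructed sample, copied from the key shown in the post above.
SAMPLE_LISTING='pub   rsa1024 2013-06-24 [SC]
      56E0 9F98 278D 83F6 3047 5E16 FFE1 FFFF AFEC 55BB
uid           [ unknown] Launchpad PPA for Stefan Sundin
'

if [ "${1:-}" = "--run" ]; then
    migrate_all
else
    # Dry run: show what would be migrated and whether the key is weak.
    printf '%s' "$SAMPLE_LISTING" | parse_apt_key_list | while read -r fpr algo uid; do
        key_is_weak "$algo" && strength=weak || strength=ok
        echo "$fpr $algo [$strength] $uid"
    done
fi
```

Run it with no arguments to see the dry run over the sample listing, and with --run to migrate the keys apt-key actually lists on your machine. The export uses the full fingerprint rather than the 8-character short ID from the instructions; both are accepted by apt-key, but the fingerprint cannot collide with another key.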
The software itself is not related to it. The problem is that, when updating it through the maintainer’s PPA channel, you will use that insecure key you saw above for authentication purposes.
So, in theory, someone could let you install malicious software, if he chooses to exploit the weak key, for example.
Though, all that said, the chance of this happening is very low for a normal end-user.
The primary reason I mentioned the low security in the first place is that I had trouble in the past regarding weak keys. I had trouble managing them, because they did not seem to work the same way with gpg as normally sized keys.
The secondary reason is that I was surprised he would use such a low-security key. The lowest one should use now is 2048.
I personally never go lower than 4096.
Therefore, it’s not a big issue for you, right now.
Though, if it bothers you, just ask the maintainer for a better key.
He should have a newer one anyway.
Good to know. Could I even lower the odds by disabling the PPA in Linux update? Meaning, if I understand it correctly, after the software is installed, it cannot be updated. Therefore, no one else could use the weak key.