Ubuntu 23.10 To Bring Security Enhanced PPAs

Ubuntu upgrades constantly enhance functionalities and add security fixes.

However, it is not often that you see some changes to some of the core mechanisms.

With Ubuntu 23.10, the PPA functioning gets better. At least, you'll see fewer warnings in the terminal.

What am I talking about? Let me go into detail.

The GPG key issue

Traditionally, PPAs and other external repositories were managed through a .list file at /etc/apt/sources.list.d/, which included the list of sources. In addition, a GPG keyring was associated at /etc/apt/trusted.gpg.d

This was identified as a potential security issue because the GPG key is added at the system level.

How? Imagine that you added keys to repository A to get package AA and to repo B to get package BB. Your system will gladly accept package BB signed by the key of repo A. It cannot relate the keys to their respective packages.

That's a problem, right? This old mechanism is being phased out. Now the GPG key info is added to the sources.list of the external repo itself. This way, the GPG key will only accept the package from its associated repo.

Existing Ubuntu users probably already encountered it in with apt-key is deprecated warnings when external repositories used the old method of adding GPG key in /etc/apt/trusted.gpg.d.

Here's an example of the old method of adding external repositories:

sudo apt install apt-transport-https curl
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
sudo sh -c 'echo "deb https://dl.yarnpkg.com/debian/ stable main" >> /etc/apt/sources.list.d/yarn.list'
sudo apt update && sudo apt install yarn

PPAs will use the new GPG key mechanism

Now, PPAs are slightly different than adding external repositories. Here, you don't manually import the GPG key and add it to the /etc/apt/trusted.gpg.d directory.

sudo add-apt-repository ppa:dr-akulavich/lighttable
sudo apt-get update
sudo apt-get install lighttable-installer

GPG key is not explicitly added while adding a PPA

Everything is handled by the PPA mechanism itself and the GPG key associated with a PPA is automatically added to /etc/apt/trusted.gpg.d directory until now. User had no role in it.

With Ubuntu 23.10, a new approach is being introduced.

The PPAs will now be added as deb822-formatted .sources files, where the keys are directly embedded into the file's Signed-By field.

Some benefits that you get with this method are:

When you remove the repository, the associated key is also removed.
You get a 1:1 relationship between the PPA and its key. No security issue.

The mailing list where it was revealed also mentioned:

The key is dedicated to the specific PPA and cannot be used for other repositories (unlike the old trusted.gpg.d, which was a global store for all sources). Other keys cannot be utilized to sign the PPA.

Altogether, the new PPA version will reduce the 'Key is stored in legacy trusted.gpg keyring' and 'Manage keyring files in trusted.gpg.d instead' warnings.

In my opinion, Ubuntu should have brought this change earlier. Better late than never. 😊

What do you think about this new change to handle PPAs in Ubuntu? Let me know your thoughts on the same.