Canonical is going to link PPAs in Ubuntu to keyring for more security

Spread the love

Canonical is going to change the way PPAs work in Ubuntu. As of Ubuntu 23.10, Personal Package Archives are linked directly to their GPG keyring, which should be more secure and provide more space for keyrings.

The developers of Ubuntu write in a forum post that the way PPAs work in the OS is going to change. That happens from version 23.10, Mantic Minotaur, which will be released in October of this year. In particular, it concerns the way PPAs are signed.

Now Personal Package Archives, software packages that are compiled separately from a package manager, are stored as a .list file in /etc/apt/sources.list.d. The associated GPG keyring, which verifies the integrity of the software, is also stored separately in a different location, /etc/apt/trusted.gpg.d. As of version 23.10, PPAs are saved as an individual .sources file with deb822 format. The keyring and the PPA are therefore together.

According to developer Canonical, this has several advantages. In the first place, keys are deleted immediately if the PPA is also deleted. In addition, keys are linked 1-to-1 to the associated software so that it cannot be used by other repos. It also becomes more difficult to use other keys to sign PPAs.

You might also like
Exit mobile version