Don't trust E6C27099CA21965B734AEA31B4EFB9F38D8AEBF1
Hi. I noticed that default installs of Trisquel nabia and aramo have a rather old DSA1024/ElG2048 key in the apt trust root. I suppose etiona also has it, but I didn't install it to check. While I can't confirm that apt still accepts signatures made by this old key, it seems prudent to drop this key from the apt trust store. Neither nabia/aramo/etiona uses it to sign Release files, so it should be safe.
DSA1024 keys have an 80-bit security margin, so this is really insecure today:
The key is in this repository at ./helpers/DATA/apt/trisquel-archive.gpg although I'm not sure how the RSA keys got onto my system, maybe that happens via the netinst image tools instead.
gpgv appears to accept signatures for the old key (this is on an aramo system), so unless apt has some additional magic, apt would trust gpgv on this.
```
jas@kaka:~$ wget -q http://archive.trisquel.org/trisquel/dists/dagda/Release.gpg
jas@kaka:~$ wget -q http://archive.trisquel.org/trisquel/dists/dagda/Release
jas@kaka:~$ gpgv --keyring /etc/apt/trusted.gpg.d/trisquel-archive-keyring.gpg Release.gpg Release
gpgv: Signature made Tue Sep 18 21:49:49 2012 CEST
gpgv: using DSA key B4EFB9F38D8AEBF1
gpgv: Good signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <trisquel-devel@trisquel.info>"
jas@kaka:~$
```
Below is a summary of the InRelease files and the keys they are signed with:
```
jas@kaka:~$ for d in aramo belenos brigantia etiona flidas nabia taranis toutatis; do echo $d; wget -q -O- http://archive.trisquel.org/trisquel/dists/$d/InRelease | gpgv --keyring /etc/apt/trusted.gpg.d/trisquel-archive-keyring.gpg ; done
aramo
gpgv: Signature made Mon Jan 23 04:13:08 2023 CET
gpgv: using RSA key 60364C9869F92450421F0C22B138CA450C05112F
gpgv: Good signature from "Trisquel GNU/Linux <trisquel-devel@trisquel.info>"
belenos
gpgv: Signature made Sun Dec 6 01:45:53 2020 CET
gpgv: using DSA key E6C27099CA21965B734AEA31B4EFB9F38D8AEBF1
gpgv: Good signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <trisquel-devel@trisquel.info>"
brigantia
gpgv: Signature made Sat Mar 1 22:48:48 2014 CET
gpgv: using DSA key B4EFB9F38D8AEBF1
gpgv: Good signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <trisquel-devel@trisquel.info>"
etiona
gpgv: Signature made Fri Nov 4 00:04:22 2022 CET
gpgv: using RSA key 60364C9869F92450421F0C22B138CA450C05112F
gpgv: Good signature from "Trisquel GNU/Linux <trisquel-devel@trisquel.info>"
flidas
gpgv: Signature made Thu Nov 3 21:28:47 2022 CET
gpgv: using RSA key 60364C9869F92450421F0C22B138CA450C05112F
gpgv: Good signature from "Trisquel GNU/Linux <trisquel-devel@trisquel.info>"
nabia
gpgv: Signature made Sun Nov 13 20:05:59 2022 CET
gpgv: using RSA key 60364C9869F92450421F0C22B138CA450C05112F
gpgv: Good signature from "Trisquel GNU/Linux <trisquel-devel@trisquel.info>"
taranis
gpgv: Signature made Thu Nov 16 22:29:39 2017 CET
gpgv: using DSA key B4EFB9F38D8AEBF1
gpgv: Good signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <trisquel-devel@trisquel.info>"
toutatis
gpgv: Signature made Tue Mar 26 21:23:41 2019 CET
gpgv: using DSA key B4EFB9F38D8AEBF1
gpgv: Good signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <trisquel-devel@trisquel.info>"
jas@kaka:~$ for d in awen dagda dwyn robur slaine; do echo $d; rm -f Release Release.gpg; wget -q http://archive.trisquel.org/trisquel/dists/$d/Release; wget -q http://archive.trisquel.org/trisquel/dists/$d/Release.gpg; gpgv --keyring /etc/apt/trusted.gpg.d/trisquel-archive-keyring.gpg Release.gpg Release; done
awen
gpgv: Signature made Sat Jun 11 00:01:01 2011 CEST
gpgv: using DSA key B4EFB9F38D8AEBF1
gpgv: Good signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <trisquel-devel@trisquel.info>"
dagda
gpgv: Signature made Tue Sep 18 21:49:49 2012 CEST
gpgv: using DSA key B4EFB9F38D8AEBF1
gpgv: Good signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <trisquel-devel@trisquel.info>"
dwyn
gpgv: Signature made Mon Apr 25 15:38:36 2011 CEST
gpgv: using DSA key B4EFB9F38D8AEBF1
gpgv: Good signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <trisquel-devel@trisquel.info>"
robur
gpgv: Signature made Sun Sep 16 23:50:59 2012 CEST
gpgv: using DSA key B4EFB9F38D8AEBF1
gpgv: Good signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <trisquel-devel@trisquel.info>"
slaine
gpgv: Signature made Tue Jan 31 20:29:16 2012 CET
gpgv: using DSA key B4EFB9F38D8AEBF1
gpgv: Good signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <trisquel-devel@trisquel.info>"
jas@kaka:~$
```
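The sessions above show which key signed each suite; the complementary check is to audit the apt keyring itself for keys that are too weak to trust. The script below is an added example, not part of this issue or of the Trisquel package-helpers: it parses `gpg --list-keys --with-colons` output (fields 3 and 4 of a `pub` record are key length and algorithm id, the following `fpr` record carries the fingerprint) and flags DSA and RSA primary keys shorter than 2048 bits. The embedded sample is constructed from the two fingerprints on this page; the 4096-bit size given for the RSA key is an assumption, not taken from the page.

```python
"""Flag weak primary keys in an apt keyring from `gpg --with-colons` output."""
import subprocess

# OpenPGP public-key algorithm ids (RFC 4880, section 9.1).
ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
MIN_BITS = 2048  # DSA1024 gives ~80-bit security; treat RSA/DSA < 2048 as weak


def weak_keys(colon_output):
    """Return [(fingerprint, algo_name, bits, reason)] for weak primary keys."""
    flagged, current = [], None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = (int(f[2]), int(f[3]))  # (key length, algorithm id)
        elif f[0] == "fpr" and current is not None:
            bits, algo = current
            name = ALGO_NAMES.get(algo, f"algo{algo}")
            if algo in (1, 17) and bits < MIN_BITS:
                flagged.append((f[9], name, bits,
                                f"{name}{bits} is below {MIN_BITS} bits"))
            current = None  # subkey fpr records are ignored
    return flagged


def scan_keyring(path):
    """Audit a real keyring file, e.g. one under /etc/apt/trusted.gpg.d/."""
    out = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", path,
         "--list-keys", "--with-colons"],
        capture_output=True, text=True, check=True).stdout
    return weak_keys(out)


# Constructed sample: the DSA1024 key discussed in this issue and the RSA key
# that signs current suites (its 4096-bit size is assumed, not from the page).
SAMPLE = """\
pub:-:1024:17:B4EFB9F38D8AEBF1:1234567890:::-:::scESC::::::::
fpr:::::::::E6C27099CA21965B734AEA31B4EFB9F38D8AEBF1:
uid:-::::1234567890::0000::Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <trisquel-devel@trisquel.info>::::::::::0:
pub:-:4096:1:B138CA450C05112F:1600000000:::-:::scESC::::::::
fpr:::::::::60364C9869F92450421F0C22B138CA450C05112F:
uid:-::::1600000000::0000::Trisquel GNU/Linux <trisquel-devel@trisquel.info>::::::::::0:
"""

if __name__ == "__main__":
    for fpr, name, bits, reason in weak_keys(SAMPLE):
        print(f"WEAK {fpr}: {reason}")
```

Run `scan_keyring("/etc/apt/trusted.gpg.d/trisquel-archive-keyring.gpg")` on a live system to get the same report for the installed keyring.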