
Bug#968148: /usr/bin/apt-key: Suggestion for manpage and Warning



On Tue, Feb 02, 2021 at 10:53:03AM +0100, David Kalnischkies wrote:
> Hi,
> 
> On Mon, Feb 01, 2021 at 12:42:01PM +0000, Julian Gilbey wrote:
> > I just stumbled upon an "Ask Ubuntu" discussion, which has a very
> > clear explanation of (at least some of) the reasons for the
> > deprecation of apt-key and what to do instead:
> > https://askubuntu.com/questions/1286545/what-commands-exactly-should-replace-the-deprecated-apt-key/1300076#1300076
> > 
> > Logging it here in the hope that it will be of use to others.
> 
> It's Julian (juliank) who runs this deprecation and I have close to zero
> interest in third party repositories, so I do not want to butt in on
> these BUT that linked accepted answer is really not a good answer…
> at least scroll a bit down and read the others if you really must.
> 
> [... detailed comments and ideas snipped ...]
> 
> Best regards
> 
> David Kalnischkies

Hi David,

That's really helpful, thanks!

What seems to come from your answer is that there is no "canonical"
way to do it.  But in the absence of guidance, each person setting up
their own repository will do it in their own way.  I had no idea of
the potential dangers of the /etc/apt/trusted.gpg.d directory, for
example, though I'm not sure that using signed-by is necessarily
better.

What would be helpful, and what this whole thread is essentially
about, is a request for the apt maintainers, who really know the
architecture of the apt system and are probably the best-placed to
give this guidance, to provide some "official" guidelines as to best
practice in the apt packages.  From your message, it seems as though
there are actually two distinct audiences: repository maintainers and
sysadmins.

Something like:

Guidelines for setting up a signed package repository
-----------------------------------------------------

Modern versions of APT require repositories to be signed.  If you are
setting up a repository, you can read about signing your repository
here: [URL].

If you intend your repository to be usable by others, you will need to
provide your public key in a format that APT can use.  This can be
achieved in three ways:

(1) (Recommended method) Using GPG, turn your key into a GPG v1
keyring as follows: ...

(2) Using ...

(3) Using ...

If this key is saved as /etc/apt/keyrings/myrepo.gpg, the repository
can then be accessed using a sources.list line such as:
deb [signed-by=/etc/apt/keyrings/myrepo.gpg] https://example.com/myrepo repo main


Guidelines for sysadmins to add an external package repository
--------------------------------------------------------------

Security warning: Adding external repositories can be dangerous, as
they can potentially install malicious software in place of the
official Debian versions.  Only add external repositories from sources
that you trust.

In general, external repositories should provide instructions for how
to add them to your system.  We just give some brief pointers here.

[... I don't know what the correct thing to write here is ...]


I hope this is of some help!

Best wishes,

   Julian
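As an added illustration of the "sysadmin adds an external repository" step sketched in the draft guidelines above (this is example code written for this page, not apt's own tooling and not anything from the bug report), the following POSIX shell functions take a repository key as either an ASCII-armoured or a binary (GPG v1 keyring) file, turn it into a binary keyring under /etc/apt/keyrings/<name>.gpg, and print the matching signed-by sources.list line. Assumptions: the keyring directory /etc/apt/keyrings and the file name myrepo.gpg are taken from the draft text above; the KEYRING_DIR override, the function names and the example URL https://example.com/myrepo are inventions for this example; `gpg --dearmor` is only needed when the input is armoured; the 0644 mode is there because apt's verification runs as the unprivileged _apt user, which must be able to read the keyring.

```shell
#!/bin/sh
# Example helpers for installing a third-party APT repository key with
# signed-by.  Added example, not part of apt or of the bug report.

# A binary OpenPGP keyring starts with a public-key packet (tag 6):
# 0x98..0x9b in old packet format, 0xc6 in new packet format.  Anything
# else (e.g. "-----BEGIN PGP PUBLIC KEY BLOCK-----") is not a keyring
# that `gpg --dearmor` produces.
is_binary_keyring() {
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    case "$first" in
        98|99|9a|9b|c6) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the one-line sources.list entry for a key installed as
# /etc/apt/keyrings/<name>.gpg.  KEYRING_DIR is an override for testing.
apt_sources_line() {
    name=$1; url=$2; suite=$3; shift 3
    dir=${KEYRING_DIR:-/etc/apt/keyrings}
    echo "deb [signed-by=$dir/$name.gpg] $url $suite $*"
}

# install_repo_key NAME KEYFILE URL SUITE COMPONENT...
# Dearmours KEYFILE if needed, installs it world-readable (apt verifies
# as user _apt) under the keyring directory, and prints the sources line.
install_repo_key() {
    name=$1; src=$2; shift 2
    dir=${KEYRING_DIR:-/etc/apt/keyrings}
    dst="$dir/$name.gpg"
    tmp=$(mktemp)
    if grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$src"; then
        gpg --dearmor < "$src" > "$tmp"   # armoured input: convert
    else
        cp "$src" "$tmp"                  # already a binary keyring
    fi
    if ! is_binary_keyring "$tmp"; then
        rm -f "$tmp"
        echo "$src: not an OpenPGP public keyring" >&2
        return 1
    fi
    mkdir -p "$dir"
    cp "$tmp" "$dst"
    chmod 0644 "$dst"
    rm -f "$tmp"
    apt_sources_line "$name" "$@"
}

# Usage (as root):  install_repo_key myrepo myrepo.asc https://example.com/myrepo repo main
# prints: deb [signed-by=/etc/apt/keyrings/myrepo.gpg] https://example.com/myrepo repo main
if [ "$#" -gt 0 ]; then
    install_repo_key "$@"
fi
```

The first-byte check is deliberately cheap: it catches the common mistake of dropping an armoured .asc file where a binary .gpg is expected, without requiring gpg on the machine that runs the check. It does not verify the key's fingerprint; that remains the sysadmin's job against whatever the repository publishes out of band.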
