#922155 ITP: matrix-archive-keyring -- OpenPGP archive key for the Matrix.org package repository

Package:
wnpp
Source:
wnpp
Submitter:
Linda Lapinlampi
Date:
2025-11-29 16:43:43 UTC
Severity:
wishlist
Tags:
#922155#5
Date:
2019-02-12 17:51:39 UTC
From:
To:
* Package name    : matrix-archive-keyring
  Version         : 2015.12.09
  Upstream Author : The Matrix.org Foundation CIC <packages@matrix.org>
* URL             : https://matrix.org/packages/debian/repo-key.asc
* License         : GPLv3+ (key: public domain)
  Programming Lang: Make, sh
  Description     : OpenPGP archive key for the Matrix.org package repository

The Matrix.org Debian package repository distributes digitally signed
releases of Matrix.org related packages. This package contains the
archive key used to verify those files, required by apt(8).

matrix-archive-keyring will also attempt to harden the apt-secure(8)
infrastructure by removing known previously installed (untrusted)
Matrix.org archive key(s) from apt(8)'s global trust database, which
have often been erroneously added via apt-key(8).
----

Hi, so there's few packages in Debian already such as matrix-synapse.
[1] And then there's Debian packages from third-party Matrix.org and
Riot.im package repositories at upstream.

The issue: Signing keys added to /etc/apt/trusted.gpg{,.d} will be
trusted by apt(8) for every repository, including Debian's main package
repository.

I'm currently seeing a "trend" on the Internet where tutorials and
guides suggest to use "apt-key add" to install Matrix.org's package
repository archive key recklessly without any regard to apt-secure(8).
More so, Matrix.org links to one of these guides itself. [2] Riot.im
(related to the same people running Matrix.org) also suggests "apt-key
add". [3] Synapse 0.99.0's `INSTALL.md` guide suggests to download a key
and add it via apt-key(8) too, [4] while this package is also available
from Debian.

The solution: A keyring package, as suggested by apt-secure(8).

If the sysadmin wants to install from Matrix.org or Riot.im package
repositories (instead of Debian's), fine. Who am I to argue? At least I
I can make their life more convenient while hardening APT's security for
everyone, while Debian doesn't have packages available for every
upstream package yet.

I have made this package install an OpenPGP-armored keyring to
/usr/share/keyrings (instead of /etc/apt/trusted.gpg.d); I'm also using
a db_install(8) postinst script to ensure that the keys in question
don't show up in two keyrings at once.

I will be also looking to configure debconf(1) to ask if the user also
wants to install the appropriate sources.list(5) file for the Matrix.org
and/or Riot.im repository with signed-by option.

Packages similar to this one exist in Debian: ubuntu-keyring,
leap-archive-keyring, pkg-mozilla-archive-keyring, etc.

I will be looking for a sponsor. I know someone from the Matrix
Packaging Team at Debian whom I'll be asking to kindly sponsor this
package. If they refuse, I know where to ask.

Thanks for your attention.

[1]: https://wiki.debian.org/Matrix
[2]: https://matrix.org/docs/guides/installing-synapse
[3]: https://riot.im/desktop.html
[4]: https://github.com/matrix-org/synapse/blob/release-v0.99.0/INSTALL.md

#922155#10
Date:
2019-02-12 20:40:30 UTC
From:
To:
Quoting Jonas Smedegaard (2019-02-12 19:38:57)

...and now posting to the actual bugreport as well.

 - Jonas

#922155#15
Date:
2019-02-13 15:41:06 UTC
From:
To:
contrib area, although for comparison I should note leap-archive-keyring
has no rdepends, the keyring package is available from Debian's main
archive area and is valid for verifying package signatures from leap.se.
An example of a package from deb.leap.se is bitmask-core (which is not
available in Debian), and it's not in the contrib area in the leap.se
repository.

Maybe this is an error/bug in the leap-archive-keyring package, but it
does seem confusing. The other *-archive-keyring packages in Debian main
seem to be at least vaguely related to the Debian Project or its teams,
although they are all (with the exception of debian-archive-keyring)
meant to be used with third-party data sources (usually with APT).

As of yesterday, there is also this high-priority debconf(1) question
template in the matrix-archive-keyring package:

Template: matrix-archive-keyring/sources.list
Type: boolean
Default: false
_Description: Use APT data sources from Matrix.org?
 The Matrix.org Debian package repository distributes supplemental Matrix.org
 related packages intended to work with the Debian distribution, but require
 software software outside of the distribution to either build or function.
 These packages are digitally signed with keys from matrix-archive-keyring.
 .
 The Debian Project will be unable to directly support issues faced from using
 supplemental packages from this third-party repository. Packages from these
 APT sources may be non-conforming to the technical requirements set in the
 Debian Policy for the Debian distribution.

(Sorry if I fell under the assumption the package will be usable on
Debian only, and not derivative distributions with different names.)

Choosing "yes" here would obviously enable the contrib bits from the
default of "false". And as I said, packages from Matrix.org are already
in the contrib area (Section: contrib/*).

If this debconf(1) question makes it a hard-requirement of contrib
archive area, I could split the main parts (keyring) and the debconf(1)
question (sources.list) to seperate packages in main and contrib
sections respectively if that is more desirable.

I have currently set the package's "Section:" to "contrib/misc", in any
case.

What do you think?

#922155#20
Date:
2019-02-13 16:17:27 UTC
From:
To:
More important is the question if the system should /trust/ the keys.

IMHO installing a non-Debian keyring should *not* make the keys trusted
by APT by default (i.e. with the default answer if debconf is used).

ubuntu-keyring does that; most other keyrings sadly do not follow this.

Ansgar

#922155#25
Date:
2019-02-13 16:48:55 UTC
From:
To:
agreed.

file bugs?
------------------------------------------------------------------------------- holger@(debian|reproducible-builds|layer-acht).org PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
#922155#30
Date:
2019-02-13 19:11:23 UTC
From:
To:
I've agreed, it's the problem I'm trying to solve with this
matrix-archive-keyring package. As said in the OP of Bug#922155 (ITP):

Since they are not in Dir::Etc::trusted or Dir::Etc::trustedparts, the
system won't trust the Matrix archive keys for APT by default (unless
the sysadmin has explicitly configured otherwise). By default,
sources.list(5) entries will need to specifically have

    [signed-by:/usr/share/keyrings/matrix-archive-keyring.gpg]

for APT to trust the data sources with this package.

To clarify, trust to keys in the matrix-archive-keyring package is all a
multi-step opt-in:

1. Using the keyring to manually verify packages from Matrix.org (yes)
2. Trusting the keyring for Matrix.org APT sources (default: no)
3. Trusting the keyring for any APT sources (default: hell no)

What the Internet says to do and what's currently happening in practice:

1. Using the repository key to manually verify packages from Matrix.org
2. Trusting the repository key for Matrix.org APT sources (yes, but...)
3. Trusting the repository key for any APT sources (yikes)

There is an additional low priority debconf(1) question in
matrix-archive-keyring if #3 should be true, but with sane default of
"false" and a warning about it being unnecessary in most cases.
Although it's so trivial, I'm open to removing this option altogether if
desired for lacking much real use.

The other debconf(1) question (#2) serves to answer if the user should
trust packages from the third-party repository. If you meant the
description of that question does not adequately ask if the user should
/trust/ packages from that repository (instead of just mentioning they
are supplemental packages which are not officially supported), would you
like me to change the description for the release to point out trust
more prominently? The alternative may be a seperate contrib package for
a sources.list source.

I'd suggest to file bugs. I've found many issues in the past few days.

#922155#35
Date:
2019-02-13 19:11:37 UTC
From:
To:
Quoting Linda Lapinlampi (2019-02-13 16:41:06)
extra mile in striving towards perfection in your packaging - Cool!

Please file bugreports for such other packages that you notice - should
be fine filing such bugs with high severity, since it is a violation of
a "must" in Debian Policy § 2.2.1.

Cool!

The addition of a debconf question - with default being false - seems an
excellent improvement over the package silently activating the keys (if
that was the previous behaviour - I am only guessing here).

I find the keys themselves to be the reason for the package belonging in
contrib, however - regardless of adding that nice debconf message.

Thanks a lot for your contribution to Debian!


 - Jonas

#922155#40
Date:
2019-02-15 17:16:01 UTC
From:
To:
A small update on this ITP:

The attached source is the current state of this package, UNRELEASED.
It's not fit for the Debian distribution just yet; but I'll allow eager
early testers to find the source from here.

+debian1 version should follow soon for sid, to be sponsored. I'll
polish it a little further and go through the Debian Policy once more to
check for any remaining issues before this.

#922155#45
Date:
2019-02-19 10:54:29 UTC
From:
To:
An update:

While I don't have a salsa.d.o account yet for hosting the source,
attached is the current state of this package UNRELEASED. Technically,
this might be ready for the experimental distribution tree right now?
I'd have to check, to make sure.

I've split the source package "matrix-archive-keyring" into two binary
packages: "matrix-archive-keyring" and "matrix-archive-config".

I'm excited to close this ITP bug with a +debian1 release in sid /
experimental soon. :)

#922155#50
Date:
2019-02-19 11:07:19 UTC
From:
To:
I’ll have a look soon.
#922155#55
Date:
2019-02-21 02:08:50 UTC
From:
To:
No big changes expected anymore, but I'm preparing 2015.12.09+ds.1 for
experimental or sid today. I'll probably upload to mentors.debian.net
then.

+debian was a misnomer, I forgot it should've been +ds.

#922155#60
Date:
2019-02-21 15:09:48 UTC
From:
To:
I believe this package is ready for Debian now. I'm looking for a
sponsor now; more details in a RFS issue to follow.

Thanks to the few people in the #debian-matrix:matrix.org room for
testing experimental pre-releases.