#990521 apt-secure points to apt-key which is deprecated

Package:
apt
Source:
apt
Description:
commandline package manager
Submitter:
Andreas Tille
Date:
2021-07-02 06:27:02 UTC
Severity:
minor
#990521#5
Date:
2021-07-01 10:29:40 UTC
Hi,

I'm trying to work out how to provide keys for third party archives.
Apt-secure(8) says:


       apt-key is the program that manages the list of keys used by APT to trust repositories. It can be used to add or remove keys as well as list the trusted keys. Limiting which
       key(s) are able to sign which archive is possible via the Signed-By in sources.list(5).


However, apt-key is deprecated and states this clearly in apt-key(8).

So the user gets no help by the apt-secure(8) manpage and is guided
into the wrong direction.

Kind regards

    Andreas.

#990521#10
Date:
2021-07-01 11:51:22 UTC
Hi,

I'm running a (quite) up to date testing and recently I stumbled upon

  $ sudo apt update
  ...
  Err:8 http://fam-tille.de/debian local InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 578A0494D1C646D1
  ...
  W: GPG error: http://fam-tille.de/debian local InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 578A0494D1C646D1
  E: The repository 'http://fam-tille.de/debian local InRelease' is not signed.
  N: Updating from such a repository can't be done securely, and is therefore disabled by default.
  N: See apt-secure(8) manpage for repository creation and user configuration details.


I have some packages for my own use (I mean there is no reason to expect
that someone wants to pull things from there) on my private web page
which I signed with my Debian key.  This was working up to recently with
apt-key.  Since this was not working any more I tried to follow the
advice given in the error message and started reading apt-secure(8)
where I just found a hint to apt-key which is deprecated.

IMHO users who are using third party repositories will get a broken
system after upgrading to Debian 11 and there is no helpful hint given
how to fix it.

BTW, I did some

   apt-key del 578A0494D1C646D1

added my key to /etc/apt/trusted.gpg.d/fam-tille.gpg and added an
according

   [signed-by=/etc/apt/trusted.gpg.d/fam-tille.gpg]

option to the sources.list line ... and it does not yet work.  So I
think it is critical to point to a solution that *really* works.

Due to potentially breaking user systems I wonder if someone agrees
with bumping the severity of the bug to serious.

Kind regards

     Andreas.

#990521#15
Date:
2021-07-01 12:02:43 UTC
Control: severity -1 minor

There have been no changes on our side.

OK

So you used --keyring /etc/apt/trusted.gpg.d/fam-tille.gpg
instead of --export > /etc/apt/trusted.gpg.d/fam-tille.gpg?

Did you read the apt-key(8) manual page?

       apt-key supports only the binary OpenPGP format (also known as
       "GPG key public ring") in files with the "gpg" extension, not the
       keybox database format introduced in newer gpg(1) versions
       as default for keyring files. Binary keyring files
       intended to be used with any apt version should therefore
       always be created with gpg --export.

This problem happened to a lot of people, ever since gpg 2 became
the default which switched --keyring to generate not keyrings, but
keybox databases.

Well, it should if you have a proper GPG keyring file, and not a
keybox file.

I disagree, and think this bug is a minor documentation issue,
your issue here is likely outside the computer.

#990521#22
Date:
2021-07-01 12:18:17 UTC
Hi Julian,

That's strange.

I admit the problem that it did not work yet was just on my end - I
simply copied over the wrong key.  Sorry for that part of the noise.

... the format was OK, just an old key. (Hiding behind some stone.)

I stick to the opinion that apt-secure pointing to apt-key which
is deprecated is simply the wrong thing.  I would love to see some
kind of example like

   [signed-by=/etc/apt/trusted.gpg.d/your-key.gpg]

directly and I think this should become part of Debian 11 release.  But
I will not play severity ping-pong - just stating my very personal
opinion about some direct help in our docs.  IMHO this is specifically
important since *lots* of links that can be found by your favourite
search engine are advertising the use of apt-key.

Kind regards

     Andreas.

#990521#27
Date:
2021-07-01 12:27:31 UTC
Yes, the manpages need some reshuffling. But we're about to enter
hard freeze, and I don't want to end up breaking the translations
at this point and do a big reshuffling and rewrite of the docs.

You don't _need_ signed-by if you place files in trusted.gpg.d,
everything in trusted.gpg.d is trusted by any source lacking
a signed-by.

I don't want to advertise signed-by=. We should aim to get deb822 format
supported in python-apt next cycle, and then advertise a consistent use
of deb822 .sources files.

Including, but not limited to, having d-i create
sources.list.d/<vendor>.sources instead of sources.list.

It just looks bad in the legacy file format.

I'm still concerned having signed-by leads people to adding sources
they trust less, only to then be rootkitted by evil maintainer scripts
of packages in that repo.

#990521#32
Date:
2021-07-01 12:55:22 UTC
Fair point.

OK, I lived under the impression that this is really needed
(by seeking on the web for non-apt-key using docs.)  If this is
the case I absolutely agree with you.

Thanks a lot for the clarification.  I agree now with the minor
issue statement.

Kind regards

     Andreas.

#990521#37
Date:
2021-07-02 06:23:56 UTC
Hi Andreas

Move it out of /etc/apt/trusted.gpg.d which is the equivalent of
using «apt-key add». This works for me:

deb [arch=amd64 signed-by=/usr/local/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian buster stable

Cheers!
Alex
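The two pitfalls discussed in this thread, a keybox database written by gpg --keyring instead of a binary OpenPGP keyring (message #15) and a key that ends up both in trusted.gpg.d and behind signed-by= (messages #27 and #37), can be caught before running apt update by inspecting the first bytes of the key file. The script below is an added example and not part of the bug report or of apt; it assumes a POSIX shell with od and mktemp, and the sample files it builds are constructed stubs, not real keys.

```shell
#!/bin/sh
# Classify an apt key file by its leading bytes.
# Prints one of: keybox, armored, openpgp-binary, unknown.
apt_keyring_format() {
    f=$1
    # First 12 bytes as one hex string, e.g. "99010d04..." for a gpg --export keyring
    hex=$(od -An -tx1 -N12 "$f" | tr -d ' \n')
    case $hex in
        # gpg2 keybox: 32-byte header blob with the magic "KBXf" at offset 8
        ????????????????4b425866*) echo keybox ;;
        # "-----BEGIN PGP PUBLIC KEY BLOCK-----": ASCII armor, apt-key rejects it too
        2d2d2d2d2d*) echo armored ;;
        # OpenPGP public-key packet (tag 6), old framing 0x98/0x99/0x9a or new framing 0xc6
        98*|99*|9a*|c6*) echo openpgp-binary ;;
        *) echo unknown ;;
    esac
}

# Suggest how to turn a rejected file into what apt expects (assumes gpg is installed).
apt_keyring_fix_hint() {
    case $(apt_keyring_format "$1") in
        keybox)  echo "gpg --no-default-keyring --keyring '$1' --export > '$1.gpg'" ;;
        armored) echo "gpg --dearmor < '$1' > '$1.gpg'" ;;
        openpgp-binary)
            # A file in /etc/apt/trusted.gpg.d is trusted for every source without signed-by;
            # keep keys meant only for one source (signed-by=) outside that directory.
            echo "ok: binary OpenPGP keyring; use in trusted.gpg.d OR via signed-by=, not both" ;;
        *) echo "unknown format, inspect with: gpg --list-packets '$1'" ;;
    esac
}

# Constructed samples (not real keys): only the leading bytes matter for the check.
mk_samples() {
    d=$(mktemp -d)
    printf '\000\000\000\040\001\001\000\000KBXf' > "$d/keybox.gpg"
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$d/armored.asc"
    printf '\231\001\015\004' > "$d/export.gpg"   # 0x99 0x01 0x0d 0x04: old-format tag-6 packet
    echo "$d"
}
```

Run apt_keyring_fix_hint on each file in /etc/apt/trusted.gpg.d and on every path named by a signed-by= option to find files apt will silently ignore.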