Hi,
I'm trying to work out how to provide keys for third party archives.
Apt-secure(8) says:
apt-key is the program that manages the list of keys used by APT to trust repositories. It can be used to add or remove keys as well as list the trusted keys. Limiting which key(s) are able to sign which archive is possible via the Signed-By in sources.list(5).
However, apt-key is deprecated and states this clearly in apt-key(8).
So the user gets no help by the apt-secure(8) manpage and is guided
into the wrong direction.
Kind regards
Andreas.
Hi,
I'm running a (quite) up to date testing and recently I stumbled upon
$ sudo apt update
...
Err:8 http://fam-tille.de/debian local InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 578A0494D1C646D1
...
W: GPG error: http://fam-tille.de/debian local InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 578A0494D1C646D1
E: The repository 'http://fam-tille.de/debian local InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
I have some packages for my own use (I mean there is no reason to expect
that someone wants to pull things from there) on my private web page
which I signed with my Debian key. This was working up to recently with
apt-key. Since this was not working any more I tried to follow the
advice given in the error message and started reading apt-secure(8)
where I just found a hint to apt-key which is deprecated.
IMHO users who are using third party repositories will get a broken
system after upgrading to Debian 11 and there is no helpful hint given
how to fix it.
BTW, I did some
apt-key del 578A0494D1C646D1
added my key to /etc/apt/trusted.gpg.d/fam-tille.gpg and added an
according
[signed-by=/etc/apt/trusted.gpg.d/fam-tille.gpg]
option to the sources.list line ... and it does not yet work. So I
think it is critical to point to a solution that *really* works.
Due to potentially breaking user systems I wonder if someone agrees
with bumping the severity of the bug to serious.
Kind regards
Andreas.
Control: severity -1 minor
There have been no changes on our side.
OK
So you used --keyring /etc/apt/trusted.gpg.d/fam-tille.gpg
instead of --export > /etc/apt/trusted.gpg.d/fam-tille.gpg?
Did you read the apt-key(8) manual page?
apt-key supports only the binary OpenPGP format (also known as
"GPG key public ring") in files with the "gpg" extension, not the
keybox database format introduced in newer gpg(1) versions
as default for keyring files. Binary keyring files
intended to be used with any apt version should therefore
always be created with gpg --export.
This problem happened to a lot of people, ever since gpg 2 became
the default which switched --keyring to generate not keyrings, but
keybox databases.
Well, it should if you have a proper GPG keyring file, and not a
keybox file.
I disagree, and think this bug is a minor documentation issue,
your issue here is likely outside the computer.
Hi Julian,
That's strange.
I admit the problem that it did not work yet was just on my end - I
simply copied over the wrong key. Sorry for that part of the noise.
... the format was OK, just an old key. (Hiding behind some stone.)
I stick to the opinion that apt-secure pointing to apt-key which
is deprecated is simply the wrong thing. I would love to see some
kind of example like
[signed-by=/etc/apt/trusted.gpg.d/your-key.gpg]
directly and I think this should become part of Debian 11 release. But
I will not play severity ping-pong - just stating my very personal
opinion about some direct help in our docs. IMHO this is specifically
important since *lots* of links that can be found by your favourite
search engine are advertising the use of apt-key.
Kind regards
Andreas.
Yes, the manpages need some reshuffling. But we're about to enter hard freeze, and I don't want to end up breaking the translations at this point and do a big reshuffling and rewrite of the docs. You don't _need_ signed-by if you place files in trusted.gpg.d, everything in trusted.gpg.d is trusted by any source lacking a signed-by. I don't want to advertise signed-by=. We should aim to get deb822 format supported in python-apt next cycle, and then advertise a consistent use of deb822 .sources files. Including, but not limited to, having d-i create sources.list.d/<vendor>.sources instead of sources.list. It just looks bad in the legacy file format. I'm still concerned having signed-by leads people to adding sources they trust less, only to then be rootkitted by evil maintainer scripts of packages in that repo.
Fair point.
OK, I lived under the impression that this is really needed
(by seeking on the web for non-apt-key using docs.) If this is
the case I absolutely agree with you.
Thanks a lot for the clarification. I agree now with the minor
issue statement.
Kind regards
Andreas.
Hi Andreas
Move it out of /etc/apt/trusted.gpg.d which is the equivalent of using «apt-key add».
This works for me:
deb [arch=amd64 signed-by=/usr/local/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian buster stable
Cheers!
Alex
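The two checks this thread turns on, written up as an added example (not part of the bug report, not apt's own code): Julian's point that a file made with gpg --keyring is a keybox database rather than the binary OpenPGP keyring apt expects, and Alex's point that a signed-by= keyring should not live in /etc/apt/trusted.gpg.d. It assumes the on-disk layouts noted in the comments; the sample key files are constructed, not real keys.

```shell
#!/bin/sh
# Classify an APT key file by its leading bytes. Assumed format facts:
# a keybox database carries the magic "KBXf" at byte offset 8; a binary
# OpenPGP keyring starts with a packet header byte with the high bit set
# (0x98/0x99/0xC6 for a public-key packet); an armored key starts with
# "-----BEGIN PGP PUBLIC KEY BLOCK-----". Returns non-zero for anything
# apt will not accept as-is, so it can gate an install script.
apt_key_kind() {
    f="$1"
    [ -s "$f" ] || { echo "empty-or-missing"; return 1; }
    first=$(dd if="$f" bs=1 count=1 2>/dev/null | od -An -tu1 | tr -d ' ')
    if [ "$(dd if="$f" bs=1 skip=8 count=4 2>/dev/null)" = "KBXf" ]; then
        # Produced by "gpg --keyring x.gpg --import" on gpg 2; apt-key(8)
        # says to regenerate it with "gpg --export KEYID > x.gpg".
        echo "keybox"; return 1
    elif [ "${first:-0}" -ge 128 ]; then
        echo "openpgp-binary"; return 0
    elif [ "$(dd if="$f" bs=1 count=36 2>/dev/null)" = \
           "-----BEGIN PGP PUBLIC KEY BLOCK-----" ]; then
        echo "armored"; return 0
    fi
    echo "unknown"; return 1
}

# A keyring under /etc/apt/trusted.gpg.d is trusted by every source that
# lacks signed-by, so scoping it with signed-by= gains nothing; keep
# per-repository keys elsewhere (e.g. /usr/local/share/keyrings).
signed_by_path_ok() {
    case "$1" in
        /etc/apt/trusted.gpg.d/*|/etc/apt/trusted.gpg) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the sources.list line in the form Alex shows. Arguments: keyring
# path, repository URL, suite, components (sample values only).
apt_sources_line() {
    signed_by_path_ok "$1" || return 1
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}
```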