Bug#853858: /usr/bin/apt-key: cannot add gpg keys due to their large size



Hi ? ??--

On Wed 2017-02-01 10:20:35 -0500, ? ?? wrote:
> # instruction from virtualbox.org
> root@debian:~# wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
> gpg: Warning: 1 key skipped due to its large size
> gpg: Warning: 1 key skipped due to its large size
> OK
> root@debian:~# 
>
> # instruction from scala-sbt.org
> root@debian:~# sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 2EE0EA64E40A89B84B2DF73499E82A75642AC823
> Executing: /tmp/apt-key-gpghome.gNgechPNd5/gpg.1.sh --keyserver
> hkp://keyserver.ubuntu.com:80 --recv
> 2EE0EA64E40A89B84B2DF73499E82A75642AC823
> gpg: key 99E82A75642AC823: public key "[User ID not found]" imported
> gpg: Total number processed: 1
> gpg:               imported: 1
> gpg: Warning: 1 key skipped due to its large size
> gpg: Warning: 1 key skipped due to its large size
> root@debian:~# 

These are both bad instructions, and should not be used.  Remote
repositories should be added by fetching a binary key and placing it in
the local file system.

For Debian 9 ("stretch") and later, you should place these keys (in
binary form) someplace within /usr/local/share/keyrings/ and add a
"Signed-By:" option to the relevant apt sources (see sources.list(5)).

This makes it so that the special key is only authorized for the
specific repository.

For Debian 8 ("jessie"), you should place these keys in binary form with
a name that matches the shell glob /etc/apt/trusted.gpg.d/*.gpg

Feel free to tell those upstreams that they should change their
instructions.

This is less isolated than the recommended practice for Debian 9, but
you still should not be using "apt-key add" or (shudder) "apt-key adv",
which is even worse.

      --dkg
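
Added example, not part of the original message or of apt: a shell function that follows the Debian 9 advice above by installing a binary key under /usr/local/share/keyrings/ and writing a deb822 source stanza with "Signed-By:" for that one repository. The function name `add_pinned_repo`, the `ROOT` staging prefix and the repository name and URI in the usage line are assumptions made for illustration; the armor check only looks at the file's first bytes.

```shell
#!/bin/sh
# Added example. add_pinned_repo and ROOT are hypothetical names.
#
# add_pinned_repo NAME KEYFILE URI SUITE COMPONENT
# Installs a binary OpenPGP keyring under /usr/local/share/keyrings/ and
# writes a deb822 source that trusts that key for this repository only.
# ROOT (default: empty) prefixes every path so the result can be staged.
add_pinned_repo() {
    [ "$#" -eq 5 ] || {
        echo "usage: add_pinned_repo NAME KEYFILE URI SUITE COMPONENT" >&2
        return 2
    }
    name=$1 src=$2 uri=$3 suite=$4 comp=$5
    keydir="${ROOT:-}/usr/local/share/keyrings"
    listdir="${ROOT:-}/etc/apt/sources.list.d"
    # The path recorded in the source file is the real one, without ROOT.
    keypath="/usr/local/share/keyrings/$name.gpg"

    [ -s "$src" ] || { echo "key file missing or empty: $src" >&2; return 1; }

    # The key must be in binary form. An ASCII-armored file starts with
    # "-----BEGIN PGP"; refuse it instead of installing it.
    magic=$(head -c 14 "$src" | tr -d '\000')
    case $magic in
        "-----BEGIN PGP")
            echo "$src is ASCII-armored; convert it first (gpg --dearmor)" >&2
            return 1 ;;
    esac

    mkdir -p "$keydir" "$listdir" || return 1
    install -m 0644 "$src" "$keydir/$name.gpg" || return 1

    # deb822 stanza: Signed-By limits this key to this one repository.
    cat > "$listdir/$name.sources" <<EOF
Types: deb
URIs: $uri
Suites: $suite
Components: $comp
Signed-By: $keypath
EOF
}

# Usage (constructed values):
#   add_pinned_repo example-repo ./example.gpg https://repo.example.org/debian stretch main
```
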
