--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt: Please provide a script to export keys from trusted.gpg and reference it in apt-key(8)
- From: Eric Valette <eric.valette@free.fr>
- Date: Sun, 27 Feb 2022 11:20:20 +0100
- Message-id: <164595722075.4945.9561665393877436236.reportbug@localhost>
Package: apt
Version: 2.4.0
Severity: wishlist
Since the new version I have a warning about keys that have been stored in the trusted.gpg file.
I do see the export or exportall command in the apt-key(8) man page but wonder how
to automate the extraction and what is the best storage replacement.
It would be fine to provide a script that does the conversion if you intend to really suppress
the trusted.gpg support.
-- Package-specific info:
-- (no /etc/apt/preferences present) --
-- (no /etc/apt/preferences.d/* present) --
-- (/etc/apt/sources.list present, but not submitted) --
-- (/etc/apt/sources.list.d/cisofy-lynis.list present, but not submitted) --
-- /etc/apt/sources.list.d/google-chrome.list --
deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main
-- (/etc/apt/sources.list.d/orange-repo-microsoft-teams.list present, but not submitted) --
-- (/etc/apt/sources.list.d/orange-repo-wire.list present, but not submitted) --
-- (/etc/apt/sources.list.d/orange-repo-yourdev-gruik.list present, but not submitted) --
-- (/etc/apt/sources.list.d/orange-repo-yourdev.list present, but not submitted) --
-- (/etc/apt/sources.list.d/signal-xenial.list present, but not submitted) --
-- (/etc/apt/sources.list.d/skype-stable.list present, but not submitted) --
-- (/etc/apt/sources.list.d/skype-unstable.list present, but not submitted) --
-- (/etc/apt/sources.list.d/slack.list present, but not submitted) --
-- (/etc/apt/sources.list.d/sublime-text.list present, but not submitted) --
-- (/etc/apt/sources.list.d/vscode.list present, but not submitted) --
-- System Information:
Debian Release: bookworm/sid
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.102 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=fr_FR.UTF8, LC_CTYPE=fr_FR.UTF8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
Versions of packages apt depends on:
ii adduser 3.118
ii debian-archive-keyring 2021.1.1
ii gpgv 2.3.1-1
ii gpgv2 2.3.1-1
ii libapt-pkg6.0 2.4.0
ii libc6 2.34-0experimental3
ii libgcc-s1 12-20220222-1
ii libgnutls30 3.7.3-4+b1
ii libseccomp2 2.5.3-2
ii libstdc++6 12-20220222-1
ii libsystemd0 250.3-2
Versions of packages apt recommends:
ii ca-certificates 20211016
Versions of packages apt suggests:
pn apt-doc <none>
ii aptitude 0.8.13-3
ii dpkg-dev 1.21.1
ii gnupg 2.3.1-1
ii powermgmt-base 1.36
ii synaptic 0.90.2+b1
-- no debconf information
--- End Message ---
--- Begin Message ---
- To: Eric Valette <eric.valette@free.fr>, 1006542-close@bugs.debian.org
- Subject: Re: Bug#1006542: apt: Please provide a script to export keys from trusted.gpg and reference it in apt-key(8)
- From: Julian Andres Klode <jak@debian.org>
- Date: Tue, 1 Mar 2022 12:16:33 +0100
- Message-id: <20220301121347.GA89125@debian.org>
- In-reply-to: <164595722075.4945.9561665393877436236.reportbug@localhost>
- References: <164595722075.4945.9561665393877436236.reportbug@localhost>
On Sun, Feb 27, 2022 at 11:20:20AM +0100, Eric Valette wrote:
> Package: apt
> Version: 2.4.0
> Severity: wishlist
>
> Since the new version I have a warning about keys that have been stored in the trusted.gpg file.
> I do see the export or exportall command in the apt-key(8) man page but wonder how
> to automate the extraction and what is the best storage replacement.
>
Use apt-key export to export individual keys, store them
in /etc/apt/keyrings, and then use Signed-By in sources.list.
In general though, I expect keys are not managed by users but by debs,
whether archive keyrings or proprietary debs like chrome that add their
own key, and this is a warning for them, not the end user.
> It would be fine to provide a script that does the conversion if you intend to really suppress
> the trusted.gpg support.
That would not be appropriate. Doing this properly is a manual job.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
--- End Message ---
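The per-key steps named in the reply above (apt-key export, a file under /etc/apt/keyrings, Signed-By in sources.list), as an added example that is not part of the thread or of apt. The function names `export_key` and `add_signed_by` and the `KEYRING_DIR` variable are hypothetical; the caller still decides by hand which key belongs to which source.

```shell
#!/bin/sh
# Added example, not code from apt or from the bug thread. Function names
# and KEYRING_DIR are hypothetical; key IDs and file names come from the caller.

KEYRING_DIR="${KEYRING_DIR:-/etc/apt/keyrings}"

# export_key KEYID NAME: write one key from the legacy keyring to
# $KEYRING_DIR/NAME.asc. apt-key export emits ASCII armor, which apt
# accepts for key files ending in .asc. Needs root on a real system.
export_key() {
    keyid=$1 name=$2
    out="$KEYRING_DIR/$name.asc"
    install -d -m 0755 "$KEYRING_DIR" || return 1
    apt-key export "$keyid" > "$out.tmp" 2>/dev/null || { rm -f "$out.tmp"; return 1; }
    # Refuse an empty export (unknown key ID) instead of installing it.
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$out.tmp" || { rm -f "$out.tmp"; return 1; }
    chmod 0644 "$out.tmp" && mv "$out.tmp" "$out" && printf '%s\n' "$out"
}

# add_signed_by LINE KEYFILE: print a one-line-style sources.list entry with
# signed-by=KEYFILE added. Existing options such as arch= are kept; a line
# that already has signed-by, or is not a deb/deb-src entry, is unchanged.
add_signed_by() {
    line=$1 key=$2
    case $line in
        *signed-by=*) printf '%s\n' "$line" ;;
        'deb ['*|'deb-src ['*)
            printf '%s\n' "$line" |
                sed "s|^\(deb[^ ]* \[[^]]*\)]|\1 signed-by=$key]|" ;;
        'deb '*|'deb-src '*)
            printf '%s\n' "$line" |
                sed "s|^\(deb[^ ]*\) |\1 [signed-by=$key] |" ;;
        *) printf '%s\n' "$line" ;;
    esac
}
```

Once every source that relied on a key carries its own signed-by entry, the key no longer has to stay in trusted.gpg, where it is trusted for all configured repositories.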