Bug#1006542: marked as done (apt: Please provide a script to export keys from trusted.gpg and reference it in apt-key(8))

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Tue, 1 Mar 2022 12:16:33 +0100
with message-id <20220301121347.GA89125@debian.org>
and subject line Re: Bug#1006542: apt: Please provide a script to export keys from trusted.gpg and reference it in apt-key(8)
has caused the Debian Bug report #1006542,
regarding apt: Please provide a script to export keys from trusted.gpg and reference it in apt-key(8)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1006542: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006542
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: apt: Please provide a script to export keys from trusted.gpg and reference it in apt-key(8)
• From: Eric Valette <eric.valette@free.fr>
• Date: Sun, 27 Feb 2022 11:20:20 +0100
• Message-id: <164595722075.4945.9561665393877436236.reportbug@localhost>

Package: apt
Version: 2.4.0
Severity: wishlist

Since new version I have warning about keys that have been stored in trusted.gpg file.
I do see the export or exportall command in apt-key (8) man page but wonder how
to automate the extraction and what is the best storage replacement.

It would be fine to provide a script that does the conversion if you intent to really suppress
the trusted.gpg support



-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (no /etc/apt/preferences.d/* present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- (/etc/apt/sources.list.d/cisofy-lynis.list present, but not submitted) --


-- /etc/apt/sources.list.d/google-chrome.list --

deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main

-- (/etc/apt/sources.list.d/orange-repo-microsoft-teams.list present, but not submitted) --


-- (/etc/apt/sources.list.d/orange-repo-wire.list present, but not submitted) --


-- (/etc/apt/sources.list.d/orange-repo-yourdev-gruik.list present, but not submitted) --


-- (/etc/apt/sources.list.d/orange-repo-yourdev.list present, but not submitted) --


-- (/etc/apt/sources.list.d/signal-xenial.list present, but not submitted) --


-- (/etc/apt/sources.list.d/skype-stable.list present, but not submitted) --


-- (/etc/apt/sources.list.d/skype-unstable.list present, but not submitted) --


-- (/etc/apt/sources.list.d/slack.list present, but not submitted) --


-- (/etc/apt/sources.list.d/sublime-text.list present, but not submitted) --


-- (/etc/apt/sources.list.d/vscode.list present, but not submitted) --


-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.102 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=fr_FR.UTF8, LC_CTYPE=fr_FR.UTF8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.118
ii  debian-archive-keyring  2021.1.1
ii  gpgv                    2.3.1-1
ii  gpgv2                   2.3.1-1
ii  libapt-pkg6.0           2.4.0
ii  libc6                   2.34-0experimental3
ii  libgcc-s1               12-20220222-1
ii  libgnutls30             3.7.3-4+b1
ii  libseccomp2             2.5.3-2
ii  libstdc++6              12-20220222-1
ii  libsystemd0             250.3-2

Versions of packages apt recommends:
ii  ca-certificates  20211016

Versions of packages apt suggests:
pn  apt-doc         <none>
ii  aptitude        0.8.13-3
ii  dpkg-dev        1.21.1
ii  gnupg           2.3.1-1
ii  powermgmt-base  1.36
ii  synaptic        0.90.2+b1

-- no debconf information

--- End Message ---

--- Begin Message ---

• To: Eric Valette <eric.valette@free.fr>, 1006542-close@bugs.debian.org
• Subject: Re: Bug#1006542: apt: Please provide a script to export keys from trusted.gpg and reference it in apt-key(8)
• From: Julian Andres Klode <jak@debian.org>
• Date: Tue, 1 Mar 2022 12:16:33 +0100
• Message-id: <20220301121347.GA89125@debian.org>
• In-reply-to: <164595722075.4945.9561665393877436236.reportbug@localhost>
• References: <164595722075.4945.9561665393877436236.reportbug@localhost>

On Sun, Feb 27, 2022 at 11:20:20AM +0100, Eric Valette wrote:
> Package: apt
> Version: 2.4.0
> Severity: wishlist
> 
> Since new version I have warning about keys that have been stored in trusted.gpg file.
> I do see the export or exportall command in apt-key (8) man page but wonder how
> to automate the extraction and what is the best storage replacement.
> 

Use apt-key export to export individual keys, store them
in /etc/apt/keyrings, and then use Signed-By in sources.list.

In general though, I expect keys are not managed by users, but debs,
whether archive keyrings or proprietary debs like chrome that add their
own key and this is a warning for them, not the end user.

> It would be fine to provide a script that does the conversion if you intent to really suppress
> the trusted.gpg support

That would not be appropriate. Doing this properly is a manual job.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

--- End Message ---