[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#886473: apt-setup lacks a dependency on gnupg

On 5/21/18 3:06 PM, Cyril Brulebois wrote:
> Philipp Kern <pkern@debian.org> (2018-05-21):
>> So what's the current contract with apt? ASCII-armored files need to go
>> into .asc and binary files into .gpg? Is the right way to infer ASCII
>> armor to grep for the preamble?
> That would match my recollection of that issue (but don't trust that);
> maybe loop apt people in for a last check?

Adding deity@ to Cc. For context: This is about a debian-installer
script[0] that adds custom repositories to the final system.

I see at least the following options:

1) Run apt-install gnupg and use add-key.
2) Place the key file somewhere on the target file system and use
signed-by with the file path in sources.list.
3) Add the key file to /etc/apt/trusted.gpg.d.

I think in the latter two cases it's necessary to name the key fragments
.asc or .gpg depending on the content, correct? Right now we do not have
this distinction, so we'd need to somehow detect which one it is. Worst
case using grep for the ASCII armored preamble. Neither sources.list(5)
nor apt-secure(8) describe what the contract for /etc/apt/trusted.gpg.d
or other fragments actually is.

We also use fetch-url from debian-installer-utils at the moment, which
discards the source file name. I suppose we could use something like
${url%%://*} to strip the protocol (which fetch-url already does) and
then use basename somehow to figure out the name, but I feel that this
would be a little surprising.

Kind regards and thanks
Philipp Kern


Reply to: