On Thu, Apr 08, 2021 at 11:01:26PM +0200, Bastian Blank wrote:
> > In order for that to work, though, the
> > key needs to be available in *binary* format. So we still do need gpg
> > to do the conversion.
>
> No, apt does not require a binary key file. Just give it the correct
> name, ending with .asc.

Indeed.

So, the "right way" to accomplish the installation of a third-party
apt repository (e.g. for Docker) is with user-data like the following:

#cloud-config
write_files:
  - path: /usr/share/keyrings/docker.asc
    owner: root:root
    permissions: '0644'
    content: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      ....
apt:
  sources:
    docker.list:
      source: "deb [signed-by=/usr/share/keyrings/docker.asc] https://download.docker.com/linux/debian buster stable"
packages:
  - docker-ce

(note that I haven't actually tried this, but it looks right, and should
work with cloud-init in buster today)

IMO cloud-init's handling of apt keys should probably just be a frontend
to this functionality.

noah
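
An added example, not part of the original message: a Python check built on the point made in the thread, that apt takes the key format from the file name. It parses a one-line source entry, extracts signed-by, and flags a keyring whose content does not match its .asc/.gpg extension; the function names, the key_files mapping and the sample bytes are assumptions constructed for illustration.

```python
import re

ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"

def signed_by_values(source_line):
    """Return the signed-by values of a one-line apt source entry ([] if none)."""
    m = re.match(r"\s*deb(?:-src)?\s+\[([^\]]*)\]", source_line)
    if not m:
        return []
    for opt in m.group(1).split():
        name, _, value = opt.partition("=")
        if name == "signed-by":
            return [v for v in value.split(",") if v]
    return []

def check_source(source_line, key_files):
    """List problems with the keyrings a source entry points at.

    key_files maps path -> file bytes; it stands in for reading the disk
    (an assumption of this example so that it runs offline).
    """
    values = signed_by_values(source_line)
    if not values:
        return ["no signed-by option: entry is not tied to a specific key"]
    findings = []
    for path in values:
        if not path.startswith("/"):
            continue  # signed-by may also hold key fingerprints; skip those
        data = key_files.get(path)
        if data is None:
            findings.append(f"{path}: key file missing")
        elif not path.endswith((".asc", ".gpg")):
            findings.append(f"{path}: extension is neither .asc nor .gpg")
        elif path.endswith(".asc") != data.lstrip().startswith(ARMOR_HEADER):
            findings.append(f"{path}: content does not match extension")
    return findings

if __name__ == "__main__":
    # Constructed sample: the entry from the message plus a placeholder key body.
    entry = ("deb [signed-by=/usr/share/keyrings/docker.asc] "
             "https://download.docker.com/linux/debian buster stable")
    armored = ARMOR_HEADER + b"\n....\n"
    print(check_source(entry, {"/usr/share/keyrings/docker.asc": armored}))
    print(check_source(entry, {"/usr/share/keyrings/docker.asc": b"\x99\x01\x0d"}))
```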