[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian derivatives census: repository OpenPGP key distribution?

On 2019-05-06 11:46, Paul Wise wrote:
To that end, I'd like to hear about derivatives' handling of apt
repository OpenPGP keys. Based on the discussion I'll update the census
template to get more info and try to work on improving the situation.

Hi Paul,
BunsenLabs uses the Debian Stable repository as-is, and adds one of our own for some additional packages (mostly config). I passed your enquiry on to our webmaster and got the following reply. If there is anything else we can clarify, please ask!

(start quote)

How would new users bootstrap trust of your keys?

* Installation of our derivative is possible using ISOs or installing packages
    on top of plain Debian.

  * ISO path:
    * ISO contains the current keys
    * ISO is downloaded using HTTPS (valid certificate) or BitTorrent
    * Users are encouraged to check the ISO file against a detached PGP
      signature (same signing key actually)
    * The public key is retrievable using HTTPS
    * Commands for verifying are listed on the install website

  * Package path:
    * Users retrieve the PGP key using HTTPS
    * Users check the fingerprint
    * Users import the key into their APT keyring

How do you handle updates to your keys?

  * We forked the debian-keyring package as bunsen-keyring. See

  * The package is included in the base ISO. The package is required by our
catch-all meta package if the user chose to install without our ISO image.

* Upon installation, the package ensures that the global APT keyring doesn't contain our keys. The package deploys our keys to /etc/apt/trusted.gpg.d.

  * Updates to the keys thusly happen through our signed repository.

  * The key is valid for 2 years and gets updated for another period before
expiration. If the user does not update his system within two years at least once, he has to manually download the current keyring package using HTTPS.

How do you handle replacement of your keys?

In the context of the bunsen-keyring package, replacement and updates are the
same thing (exchanging the key file in /etc/apt/trusted.gpg.d).

How would Debian users securely obtain your keys for use in chdist or
apt-venv? These allow running apt commands on alternative repositories
without adding those repos to your system configuration.

I'm not familiar with these tools. Since we have the following available:

  * Signing key at a HTTPS URL or keyring package at a HTTPS URL
  * Signed, standard APT repository
  * A catch-all meta package

and hard-depend on the standard Debian repositories, any tool that allows
specifying additional repositories, a key by URL and a package to install would
be suitable to deploy BL in a container or chroot (effectively being the
package-based install path from before).

BL was never meant to be bootstrapped without a Debian repo, so we do not offer
single-source repositories and depend on repository composition instead.
(end quote)

And of course we also welcome any feedback.

Reply to: