
Re: request for advice, migrating raspbian-archive-keyring package.



Hi Peter,

Yes, the convention would be to store or link the distribution's APT key(s) in /etc/apt/trusted.gpg.d. From Bullseye on, the APT version also supports the ASCII-armored format natively if you store keys/keyrings with the .asc file ending. Debian itself has done this since Bookworm.

To remove the key from legacy /etc/apt/trusted.gpg only, use the --keyring option:
apt-key --keyring /etc/apt/trusted.gpg del '<keyID>'

This operation throws that "move to trusted.gpg.d" warning once as well, even though that is what we are about to do. Not sure whether it can be suppressed without STDERR.

If the legacy keyring file is empty, it could be removed entirely:
[[ $(apt-key --keyring /etc/apt/trusted.gpg list 2> /dev/null) ]] || rm /etc/apt/trusted.gpg

Best regards,

Micha

On 13.08.2024 at 04:27, Peter Green wrote:
I made the raspbian-archive-keyring package years ago, IIRC I started from
hacking up the debian-ports-archive-keyring package but I don't really
remember. Either way it uses apt-key which now causes deprecation warnings,
which my users are now complaining about.

Can anyone advise on the best way to migrate this to the modern way of doing
things, while minimising the risk of breakage?

I'd guess I need to install the key in the new place as part of the package
and remove the key from the old place using apt-key in a maintainer script?
Is that correct? Does using apt-key to remove the key from the old place
carry any risk of accidentally removing it from the new place too?
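
Added example, not part of the original messages and not code from the raspbian-archive-keyring package: the two commands from the reply above, combined into a POSIX sh helper of the kind a postinst could call. The names remove_legacy_key, APT_KEY and LEGACY_KEYRING are hypothetical, and the key ID is left as a placeholder for the caller to supply.

```shell
# Added example: postinst-style helper in POSIX sh (no [[ ]] bashism).
# APT_KEY and LEGACY_KEYRING are hypothetical, overridable names so the
# logic can be exercised against a stub instead of the real apt-key.
APT_KEY=${APT_KEY:-apt-key}
LEGACY_KEYRING=${LEGACY_KEYRING:-/etc/apt/trusted.gpg}

# Remove one key from the legacy keyring only, then delete the keyring
# file if no keys are left in it.
# Usage: remove_legacy_key '<keyID>'
remove_legacy_key() {
    keyid=$1
    [ -n "$keyid" ] || { echo "remove_legacy_key: missing key ID" >&2; return 2; }

    # Nothing to migrate if the legacy file or the apt-key tool is absent.
    [ -e "$LEGACY_KEYRING" ] || return 0
    command -v "$APT_KEY" >/dev/null 2>&1 || return 0

    # --keyring limits the deletion to this one file, so a copy of the key
    # installed under /etc/apt/trusted.gpg.d is not touched. STDERR is
    # dropped because of the deprecation warning; the exit status is kept.
    "$APT_KEY" --keyring "$LEGACY_KEYRING" del "$keyid" >/dev/null 2>&1 || return 1

    # If the listing itself fails, keep the file: an empty result would
    # otherwise be mistaken for an empty keyring that is safe to delete.
    remaining=$("$APT_KEY" --keyring "$LEGACY_KEYRING" list 2>/dev/null) || return 1

    # Only an empty listing from a successful run removes the legacy file.
    if [ -z "$remaining" ]; then
        rm -f "$LEGACY_KEYRING"
    fi
    return 0
}
```

A non-zero return leaves the legacy keyring in place, so a caller running under set -e should decide explicitly whether that is fatal for the package installation.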



