
deprecating apt-key (was: Re: Key collisions in the wild)



Hi,

Quoting Paul Wise (2016-08-10 17:32:15)
> On Wed, Aug 10, 2016 at 6:09 PM, Jakub Wilk wrote:
> > (And there's probably more that this simplistic search doesn't catch...)
> 
> apt-key usage for instance:
> 
> https://codesearch.debian.net/search?q=\bapt-key\b.*--recv%28-keys%3F%29%3F\s%2B%280x%29%3F[0-9a-fA-F]{8}\b

these should be fixed anyway because "the programmatic usage [of apt-key] is
strongly discouraged" (according to the apt-key man page and apt developers on
IRC). I recently removed apt-key usage from sbuild after having consulted with
the apt maintainers. They explained that they mean something even stronger than
deprecation by writing "strongly discouraged".

Instead, keys should directly be placed in /etc/apt/trusted.gpg.d in the base64
encoded format. Converting keys from armored ASCII format to the base64 encoded
format (the format that gpgv understands) can even be done from a shell script
without gnupg [1]:

    awk '/^$/{ x = 1; } /^[^=-]/{ if (x) { print $0; } ; }' | base64 -d

Or with gnupg:

    gpg --dearmor pubkey.asc

A nice thing about the latter gpg command is that it also does the right thing
on keys that already are dearmored, so no detection of key format is needed.

Thanks!

cheers, josch

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831409#67
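The conversion step above, wrapped into a small shell script as an added example (this is not code from the mail, from sbuild or from apt): it uses the same awk pipeline to strip the ASCII armor, adds the format detection that the awk variant (unlike gpg --dearmor) needs, checks that the result starts with an OpenPGP packet header byte before anything is written to a trusted-keys directory, and names the installed file with a .gpg suffix. The function names, the destination directory argument and the sample key bytes used in the test are assumptions; the awk filter does not verify the armor's CRC-24 line, it simply drops it.

```shell
#!/bin/sh
# Added example, not from the original mail or from sbuild/apt: convert an
# OpenPGP public key (armored or already binary) into the binary form apt's
# trusted.gpg.d expects, without needing gnupg. Function names are assumed.

set -eu

# Return 0 when the file starts with an ASCII armor header, 1 otherwise.
is_armored() {
    head -c 14 "$1" | grep -q '^-----BEGIN PGP'
}

# The awk filter from the mail: skip armor header lines up to the first
# blank line, then print only base64 body lines (the "=XXXX" CRC line and
# the "-----END" line are dropped) and decode them.
strip_armor() {
    awk '/^$/{ x = 1; } /^[^=-]/{ if (x) { print $0; } ; }' "$1" | base64 -d
}

# Emit the key in binary OpenPGP form on stdout, whatever form it came in.
dearmor() {
    if is_armored "$1"; then
        strip_armor "$1"
    else
        cat "$1"
    fi
}

# Sanity check: the first byte of any OpenPGP packet is a header octet with
# bit 7 set (RFC 4880, section 4.2), so a binary key starts with a byte >= 0x80.
looks_like_openpgp() {
    first=$(od -An -tu1 -N1 "$1" | tr -d ' \n')
    [ -n "$first" ] && [ "$first" -ge 128 ]
}

# install_key <input-file> <destdir> <name>
# Write the binary key to <destdir>/<name>.gpg, refusing input that does not
# decode to something shaped like an OpenPGP packet stream.
install_key() {
    tmp=$(mktemp)
    dearmor "$1" > "$tmp"
    if ! looks_like_openpgp "$tmp"; then
        rm -f "$tmp"
        echo "not an OpenPGP key: $1" >&2
        return 1
    fi
    install -m 0644 "$tmp" "$2/$3.gpg"
    rm -f "$tmp"
}
```

Typical use is `install_key vendor.asc /etc/apt/trusted.gpg.d vendor`, run as root; passing a file that is already binary works the same way because `dearmor` only strips armor when it finds the header.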
