Re: Facilitating external repositories
Timo Weingärtner <tiwe@debian.org> writes:
> Please don't use /etc/apt/trusted* for 3rd-party repositories. If a key
> is in there its owner can impersonate the official debian repos for
> default setups.¹ Please use some other path (such as
> /var/lib/extrepo/keyrings/) for the keyrings and connect it with
> "Signed-By:" [1].
> I just changed my /etc/apt/sources.list.d/debian.sources to have:
> Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
I have a personal repository and a corresponding eyrie-archive-keyring
package to install the trusted keys. Is there a best practice document
somewhere for how I should set this up? I'm currently installing keyrings
in /etc/apt/trusted.gpg.d because I thought that was how *-archive-keyring
packages were supposed to work, but this area seems a bit underdocumented
(or at least I've not found the right documentation).
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>
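
An added example, not part of either message: a shell audit for the point in the quoted text, reporting deb822 stanzas that carry no "Signed-By:" (and are therefore checked against every key under /etc/apt/trusted*) and listing the globally trusted keyrings. The function names and the repo.example.org stanza are constructed for illustration; only *.sources (deb822) files are parsed, not one-line *.list entries.

```shell
#!/bin/sh
# Added example: audit which apt sources are pinned to a keyring via Signed-By.

# Print one line per deb822 stanza (in *.sources files) lacking Signed-By.
# Such a stanza is verified against every key under /etc/apt/trusted*.
unpinned_stanzas() {
    awk '
        function flush() {
            if (have && !pinned) {
                printf "%s: stanza %d (%s): no Signed-By\n", file, n, uris
            }
            have = 0; pinned = 0; uris = "?"
        }
        FNR == 1    { flush(); n = 0; file = FILENAME }
        /^[ \t]*$/  { flush(); next }    # blank line ends a stanza
        /^#/        { next }             # comment line
        !have       { have = 1; n++ }    # first field line of a new stanza
        tolower($0) ~ /^signed-by:/ { pinned = 1 }
        tolower($0) ~ /^uris:/      { sub(/^[^:]*:[ \t]*/, ""); uris = $0 }
        END         { flush() }
    ' "$@"
}

# List keyrings in the globally trusted directory (path as named in the thread).
global_keyrings() {
    dir=${1:-/etc/apt/trusted.gpg.d}
    for f in "$dir"/*.gpg "$dir"/*.asc; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Constructed sample: one pinned stanza, one unpinned third-party stanza.
write_sample() {
    cat > "$1" <<'EOF'
Types: deb
URIs: http://deb.debian.org/debian
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

# hypothetical third-party repository
Types: deb
URIs: https://repo.example.org/debian
Suites: stable
Components: main
EOF
}

tmp=$(mktemp -d) && write_sample "$tmp/sample.sources"
unpinned_stanzas "$tmp/sample.sources"
rm -rf "$tmp"
```

On a real system the same functions would be run as unpinned_stanzas /etc/apt/sources.list.d/*.sources and global_keyrings with no argument.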