
Re: Facilitating external repositories



On Sun, 2019-11-03 at 11:04:01 -0800, Russ Allbery wrote:
> Timo Weingärtner <tiwe@debian.org> writes:
> > Please don't use /etc/apt/trusted* for 3rd-party repositories. If a key
> > is in there its owner can impersonate the official debian repos for
> > default setups.¹ Please use some other path (such as
> > /var/lib/extrepo/keyrings/) for the keyrings and connect it with
> > "Signed-By:" [1].
> 
> > I just changed my /etc/apt/sources.list.d/debian.sources to have:
> > Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
> 
> I have a personal repository and a corresponding eyrie-archive-keyring
> package to install the trusted keys.  Is there a best practice document
> somewhere for how I should set this up?

I don't think there is. The closest seems to be
<https://wiki.debian.org/DebianRepository/UseThirdParty>, which does not
cover archive-keyring packages. Personally I think I've been
picking up these things from following closely apt's development and
having to deal with a couple of these archive-keyring packages.

> I'm currently installing keyrings
> in /etc/apt/trusted.gpg.d because I thought that was how *-archive-keyring
> packages were supposed to work, but this area seems a bit underdocumented
> (or at least I've not found the right documentation).

The official archive-keyring packages that use these do so, I think, mostly
for backwards compatibility reasons.

I'd say best practice is to ship keyrings under /usr/share/keyrings/,
and not under /etc/apt/trusted.gpg.d/. Split the keys into keyrings
that will not give more access than necessary. Use «Signed-By:» if you
ship source list files. And personally I ship those in deb822 format,
because they are easier to read and deal with automatically, and make
it easy to disable them after the fact, or even ship them disabled by
default with the «Enabled: no» field.

Thanks,
Guillem
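As an added example (not from the thread, and not Debian's or apt's own tooling), a small POSIX shell helper that follows the advice above: it emits a deb822 stanza bound to a keyring under /usr/share/keyrings/ and audits an existing .sources file, flagging stanzas that lack Signed-By: or that point it at /etc/apt/trusted.gpg.d/ (a key there is trusted for every repository regardless of Signed-By). The repository URI and keyring file name are placeholders.

```shell
#!/bin/sh
# Added example: build and audit deb822 apt source stanzas.
# URIs, suites and keyring names used here are placeholders, not real repositories.

# Print one deb822 stanza whose trust is limited to a single keyring.
# Args: uri suite components keyring enabled("yes"|"no")
emit_stanza() {
  printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s\nEnabled: %s\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# Audit a deb822 .sources file. Returns 0 if every stanza carries a Signed-By:
# field that does not live under /etc/apt/trusted.gpg.d/, 1 otherwise.
# Stanzas are blank-line separated; lines beginning with # are comments.
check_signed_by() {
  awk '
    BEGIN { RS = ""; FS = "\n"; bad = 0 }
    {
      has = 0; global = 0; uris = "(no URIs)"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^#/) continue
        if ($i ~ /^URIs:/) uris = $i
        if ($i ~ /^Signed-By:/) {
          has = 1
          # A keyring in trusted.gpg.d is trusted for all repos, so Signed-By adds nothing.
          if ($i ~ /^Signed-By:[ \t]*\/etc\/apt\/trusted/) global = 1
        }
      }
      if (!has)   { printf "missing Signed-By: %s\n", uris; bad = 1 }
      if (global) { printf "Signed-By points into /etc/apt/trusted.gpg.d: %s\n", uris; bad = 1 }
    }
    END { exit bad }
  ' "$1"
}
```

Run `check_signed_by /etc/apt/sources.list.d/some.sources` to audit an existing file; `emit_stanza` with `Enabled: no` produces a stanza that is shipped but inactive until an administrator flips the field.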

