
deb822 sources.list -> Use the 'Signed-By' field?



Hello list,

Just before trixie was released, the warning about the deb822 format for sources.list was removed; now is the time to implement it properly for forky.

Recently an MR was prepared for live-build [1] (the generator of the live images), which makes me think about the 'Signed-By' field.

Should this field be filled explicitly with the value '/usr/share/keyrings/debian-archive-keyring.gpg', or better not?

As I understand it [2]:
"If no keyring files are specified the default is the trusted.gpg keyring and all keyrings in the trusted.gpg.d/ directory"

So the most secure variant would be to fill the field, as only one keyring will be considered.

With kind regards,
Roland Clobus
Maintainer for the live images

[1] https://salsa.debian.org/live-team/live-build/-/merge_requests/436
[2] https://manpages.debian.org/trixie/apt/sources.list.5.en.html
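
An added example, not part of the original message or of live-build: a small audit that parses deb822 `.sources` text and reports which enabled stanzas pin a keyring via 'Signed-By' and which fall back to the trusted.gpg / trusted.gpg.d/ default quoted from [2]. The sample input is constructed, and `repo.example.org` is a hypothetical third-party repository.

```python
SAMPLE = """\
# constructed sample; repo.example.org is a hypothetical third-party repo
Types: deb
URIs: http://deb.debian.org/debian
Suites: forky
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: https://repo.example.org/apt
Suites: stable
Components: main
"""

def parse_stanzas(text):
    """Split deb822 text into a list of {lowercased field: value} dicts."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue                      # comment line
        if not line.strip():              # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last:   # continuation of previous field
            current[last] += "\n" + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()   # field names are case-insensitive
            current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def audit(text):
    """Return (uris, suites, verdict) for each stanza not set to 'Enabled: no'."""
    report = []
    for s in parse_stanzas(text):
        if s.get("enabled", "yes").lower() == "no":
            continue
        signed_by = s.get("signed-by", "")
        verdict = ("pinned: " + signed_by if signed_by
                   else "unpinned: trusted.gpg and trusted.gpg.d/ apply")
        report.append((s.get("uris", ""), s.get("suites", ""), verdict))
    return report

if __name__ == "__main__":
    for uris, suites, verdict in audit(SAMPLE):
        print(f"{uris} [{suites}] -> {verdict}")
```

To check a real system, pass the contents of each file under /etc/apt/sources.list.d/ ending in `.sources` to `audit()`.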
