deb822 sources.list -> Use the 'Signed-By' field?

To: "debian-devel@lists.debian.org" <debian-devel@lists.debian.org>
Subject: deb822 sources.list -> Use the 'Signed-By' field?
From: Roland Clobus <rclobus@rclobus.nl>
Date: Tue, 2 Sep 2025 14:01:42 +0200
Message-id: <[🔎] edc8a2ba-34fe-4cdf-b728-37a6f49814f2@rclobus.nl>

Hello list,

Just before trixie was released, the warning about the deb822 format forsources.list was removed, now is the time to implement it properly forforky.

Recently a MR was prepared for live-build [1] (the generator of the liveimages), which makes me think about the 'Signed-By' field.

Should this field be filled explicitly with the value'/usr/share/keyrings/debian-archive-keyring.gpg', or better not?


As I understand it [2]:

"If no keyring files are specified the default is the trusted.gpgkeyring and all keyrings in the trusted.gpg.d/ directory"

So the most secure variant would be to fill the field, as only onekeyring will be considered.


With kind regards,
Roland Clobus
Maintainer for the live images

[1] https://salsa.debian.org/live-team/live-build/-/merge_requests/436
[2] https://manpages.debian.org/trixie/apt/sources.list.5.en.html

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: deb822 sources.list -> Use the 'Signed-By' field?
  - From: Guillem Jover <guillem@debian.org>
- Re: deb822 sources.list -> Use the 'Signed-By' field?
  - From: Aaron Rainbolt <arraybolt3@gmail.com>

Prev by Date: Re: RFC: Consequences of redesign of .deb signatures
Next by Date: Re: why package Signal in Debian? (was Re: Bug#1113746: ITP: node-noop6 -- No operation as a module using an arrow function)
Previous by thread: Re: why package Signal in Debian? (was Re: Bug#1113746: ITP: node-noop6 -- No operation as a module using an arrow function)
Next by thread: Re: deb822 sources.list -> Use the 'Signed-By' field?
Index(es):
- Date
- Thread