Re: apt-key says deprecated, but not saying what else to use

To: debian-user@lists.debian.org
Subject: Re: apt-key says deprecated, but not saying what else to use
From: Darac Marjal <mailinglist@darac.org.uk>
Date: Sun, 20 Jun 2021 13:11:45 +0100
Message-id: <[🔎] 5fc8634b-d000-bb8d-275f-329f95fdcddd@darac.org.uk>
In-reply-to: <[🔎] 22e2d584-e8f9-d0c0-a7f7-b323fbcb3b65@debianlists.mobilxpress.net>
References: <[🔎] 22e2d584-e8f9-d0c0-a7f7-b323fbcb3b65@debianlists.mobilxpress.net>

On 19/06/2021 21:07, Marco Möller wrote:
>
> Hello,
> Command apt-key and its man page say that apt-key is deprecated, but
> do not suggest an instead recommended tool. It is only mentioned that
> keys would now be organized in /etc/apt/trusted.gpg.d/  . But how
> should I manage the keys saved there, for instance how to update them,
> or what tool of the Debian distribution is managing them there for the
> apt functionality of the Debian OS?
> Guiding me to a properly up-to-date documentation about this topic
> would be welcome!
> Marco.

For some time, I've been using /etc/apt/trusted.gpg.d rather than using
apt-key. As I understand it, keys in apt-key are trusted to sign *any*
repository you pull from. That is, if you add a suspicious repository
and somehow they were able to push packages signed with their key to the
main debian repo servers, then you'd not be able to distinguish between
"signed by Debian" and "signed by attacker".

Instead, the preferred method is to put binary GPG keys into
/etc/apt/trusted.gpg.d (that is, you might need to run "gpg --dearmor"
if you download an ascii-armoured key). Files there can have any name
it's purely up to the system administrator what the names are, but it
makes sense that they indicate the repository they sign. Then, in
/etc/apt/sources.list.d/*.list, you need to write:

deb [signed-by=/etc/apt/trusted.gpg.d/somekey.gpg]
https://repo.attacker.com/ stable main

Now, only this repository trusts that key. If packages there are signed
by another key, verification fails. Similarly, if packages in another
repository are signed by that key, verification fails.

You ask about updating them. There is, as far as I know, no automatic
method for updating these keys, nor for automatically adding them right
now. That's because it's generally considered good practice to add the
key manually. You need to actively state that you trust this repository
on your system. So, for most repositories, that involves a web page
somewhere that says "This is our 'deb ... ' line and this is a link to
our public key." The key will usually be valid for several years, but if
it does start to fail, apt tools *will* tell you that the key has
expired, and that's time to go back and revisit the original site, and
see if they have a new key available.

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: apt-key says deprecated, but not saying what else to use
  - From: Gene Heskett <gheskett@shentel.net>
- Re: apt-key says deprecated, but not saying what else to use
  - From: Marco Möller <talby@debianlists.mobilxpress.net>

References:
- apt-key says deprecated, but not saying what else to use
  - From: Marco Möller <talby@debianlists.mobilxpress.net>

Prev by Date: Re: How can I force "fsck -y" of a removable usb drive before mounting it?
Next by Date: Re: apt-key says deprecated, but not saying what else to use
Previous by thread: Re: Bug#990086: apt-key is deprecated in bullseye, how to manage keys instead
Next by thread: Re: apt-key says deprecated, but not saying what else to use
Index(es):
- Date
- Thread