Re: Add a project's GPG key on Debian Trixie

Debian has alredy bricked so many of my servers by requiring in aptitude dist-upgrade GPG auths that had not even been installed a decade ago making me wonder now how much of this could be mitigated or prevented by some simple dpkg --install or gpg --recv-keys b4hand? [And does FreeBSD still do text/plain trusting a11y here?]

Op vr 26 dec 2025 om 10:59 schreef didier gaumet <didier.gaumet@gmail.com>:

Le 26/12/2025 à 10:31, Nicolas Kovacs a écrit :
[...]
> What's the orthodox way of adding a project's GPG key to Debian ?
> Unfortunately, the documentation I found online seems to be either
> contradictory, obsolete or downright wrong.
[...]
Hello Nicolas,

I have never done this but I suppose you use the signed-by option in the
sources.list (old format) ou debian.sources (new format) file.
Like this (excerpt form the sources.list manpage):
[...]
As an example, the sources for your distribution could look like
this in the deprecated one-line-style format:

deb
[signed-by=/usr/share/keyrings/debian-archive-keyring.gpg]
http://deb.debian.org/debian trixie main contrib non-free non-free-firmware
deb
[signed-by=/usr/share/keyrings/debian-archive-keyring.gpg]
http://deb.debian.org/debian trixie-updates main contrib non-free
non-free-firmware
deb
[signed-by=/usr/share/keyrings/debian-archive-keyring.gpg]
http://deb.debian.org/debian-security trixie-security main contrib
non-free non-free-firmware

or like this in deb822 style format:

Types: deb
URIs: http://deb.debian.org/debian
Suites: trixie trixie-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: http://deb.debian.org/debian-security
Suites: trixie-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
[...]