[I'm not subscribed to this list, so please CC me in replies]

Hi,

Recently I found out that apt-key is deprecated (and getting removed in Bookworm). I also use the well-known construct of "(cat|wget) <key> | apt-key add -" in 'my' project at https://github.com/debian-pi/raspbian-ua-netinst/blob/v1.1.3/scripts/etc/init.d/rcS#L1354 and also on #L1385.

I went looking for a replacement... I found https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html and not 'hindered' by any knowledge, looked sane. When asked for confirmation there appear to be various errors in it, but most likely due to platform limitations, wasn't told what and where. As a ML is a more suitable platform, I'm writing this msg.

That article is just an example. My search returned many more results, but most people aren't equipped to assert the quality of them.

Looking for a more authoritative and thereby (hopefully) better source, I arrived at wiki.debian.org. While https://wiki.debian.org/DebianRepository/UseThirdParty looks good *to me*, https://wiki.debian.org/SecureApt OTOH mentions apt-key quite a lot. Even though the last modification date is recent, its contents seem quite old (Debian archive keys are now 4096 bit). If you read/scroll to the very end of that page, you see this:

  "Note: apt-key is in the process of being deprecated, at least for the managing of keys. Discussion in Debian bug 851774."

That bug also references bug 853858 and contains the following bits by Daniel Kahn Gillmor (who is also a DD):

  For Debian 8 ("jessie"), you should place these keys in binary form with a name that matches the shell glob /etc/apt/trusted.gpg.d/*.gpg

  for Debian 9 ("stretch") and later, you should place these keys (in binary form) someplace within /usr/local/share/keyrings/ and add a "Signed-By:" option to the relevant apt sources (see sources.list(5)).

But Julian (jak) indicated that /usr/ is the wrong place for those keys.

Apparently one can add binary keys (preferred) to APT, but also ASCII armored ones. I got the impression that the file extension is important (.gpg vs .asc), but I'm not sure of that. Both http://archive.raspberrypi.org/debian/raspberrypi.gpg.key and https://archive.raspbian.org/raspbian.public.key end in .key. So I don't know where to place them, how/if they should be (re-)named and whether some other action is needed.

I saw "apt-get install <keyname>" at https://wiki.debian.org/DebianRepository/UseThirdParty#Complete_example where it didn't seem that <keyname> was a package name, but the name of the gpg file without the extension.

As you can guess, I'm thoroughly confused as to how I should replace those "apt-key add" statements with a/the correct one. It would be very welcome if this is properly documented somewhere so that I and others can do it correctly (and securely) and point others to it as well.

Can you clear things up for me (and others)?

Cheers,
  Diederik

PS1: I have been running Debian (Sid) for 10+ years. So while I'm clueless wrt this issue, I'm not clueless wrt Debian in general.

PS2: While I use GPG (mostly for signing), don't assume I have a good understanding of it. So if it's relevant, kindly "Eli 5" it.

PS3: Those RPi related keys should be considered an example. My plan is to update 'my' project to install (pure) Debian, but afaic that's irrelevant.
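An added example, not part of the original message and not code from apt or Debian: shell helpers that choose the .asc or .gpg suffix from a downloaded key file's content (rather than from a name such as *.key) and build a sources.list line carrying the signed-by option from the quoted advice. The function names and the /etc/apt/keyrings default for KEYRING_DIR are assumptions of this example.

```shell
#!/bin/sh
# Added example. KEYRING_DIR is an assumption; override it to use another location.
KEYRING_DIR="${KEYRING_DIR:-/etc/apt/keyrings}"

# Print "armored" or "binary" for an OpenPGP public key file; fail otherwise.
key_format() {
    if head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo armored
        return 0
    fi
    # Every binary OpenPGP packet starts with a byte whose high bit is set.
    first=$(od -An -tu1 -N1 "$1" | tr -d ' \n')
    if [ -n "$first" ] && [ "$first" -ge 128 ]; then
        echo binary
    else
        return 1    # neither form: refuse instead of guessing
    fi
}

# Print the destination path, with the suffix apt (1.4 or later) expects:
# .asc for ASCII-armored keys, .gpg for binary keyrings.
keyring_path() {
    fmt=$(key_format "$1") || return 1
    base=$(basename "$1")
    # Drop suffixes that say nothing reliable about the content.
    for suffix in .key .asc .gpg .public; do
        base=${base%"$suffix"}
    done
    case $fmt in
        armored) echo "$KEYRING_DIR/$base.asc" ;;
        binary)  echo "$KEYRING_DIR/$base.gpg" ;;
    esac
}

# Usage: sources_line KEYFILE URI SUITE COMPONENT...
# Print a sources.list entry that trusts only this key for this repository.
sources_line() {
    dest=$(keyring_path "$1") || return 1
    shift
    echo "deb [signed-by=$dest] $*"
}

# Usage: install_key KEYFILE   (run as root; copies the key, world-readable)
install_key() {
    dest=$(keyring_path "$1") || return 1
    install -D -m 0644 "$1" "$dest"
}
```

The fingerprint of a downloaded key still has to be checked against a trusted source before it is installed; these helpers only settle naming and placement.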