[I'm not subscribed to this list, so please CC me in replies]
Hi,
Recently I found out that apt-key is deprecated (and getting removed in Bookworm).
I also use the well-known construct of "(cat|wget) <key> | apt-key add -" in 'my' project at
https://github.com/debian-pi/raspbian-ua-netinst/blob/v1.1.3/scripts/etc/init.d/rcS#L1354
and also on #L1385. I went looking for a replacement...
I found https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html
and, not 'hindered' by any knowledge, it looked sane. When asked for confirmation, there
appear to be various errors in it, but, most likely due to platform limitations, I wasn't told
what and where. As a ML is a more suitable platform, I'm writing this msg.
That article is just an example. My search returned many more results, but most people
aren't equipped to assess the quality of them. Looking for a more authoritative and
thereby (hopefully) better source, I arrived at wiki.debian.org.
While https://wiki.debian.org/DebianRepository/UseThirdParty looks good *to me*,
https://wiki.debian.org/SecureApt OTOH mentions apt-key quite a lot. Even though
the last modification date is recent, its contents seem quite old (Debian archive keys
are now 4096 bit).
If you read/scroll to the very end of that page, you see this:
"Note: apt-key is in the process of being deprecated, at least for the managing of keys.
Discussion in Debian bug 851774 ."
That bug also references bug 853858 and contains the following bits by Daniel Kahn
Gillmor (who is also a DD):
> For Debian 8 ("jessie"), you should place these keys in binary form with
> a name that matches the shell glob /etc/apt/trusted.gpg.d/*.gpg
> for Debian 9 ("stretch") and later, you should place these keys (in
> binary form) someplace within /usr/local/share/keyrings/ and add a
> "Signed-By:" option to the relevant apt sources (see sources.list(5)).
But Julian (jak) indicated that /usr/ is the wrong place for those keys.
Apparently one can add binary keys (preferred) to APT, but also ASCII armored
ones. I got the impression that the file extension is important (.gpg vs .asc), but I'm
not sure of that.
Both http://archive.raspberrypi.org/debian/raspberrypi.gpg.key and
https://archive.raspbian.org/raspbian.public.key end in .key.
So I don't know where to place them, how/if they should be (re-)named and
whether some other action is needed. I saw "apt-get install <keyname>" at
https://wiki.debian.org/DebianRepository/UseThirdParty#Complete_example
where it didn't seem that <keyname> was a package name, but the name of the
gpg file without the extension.
As you can guess, I'm thoroughly confused as to how I should replace those
"apt-key add" statements with a/the correct one.
It would be very welcome if this is properly documented somewhere so that
I and others can do it correctly (and securely) and point others to it as well.
Can you clear things up for me (and others)?
Cheers,
Diederik
PS1: I have been running Debian (Sid) for 10+ years. So while I'm clueless
wrt this issue, I'm not clueless wrt Debian in general.
PS2: While I use GPG (mostly for signing), don't assume I have a good
understanding of it. So if it's relevant, kindly "Eli 5" it.
PS3: Those RPi related keys should be considered an example. My plan
is to update 'my' project to install (pure) Debian, but afaic that's irrelevant.

Attachment: signature.asc
Description: This is a digitally signed message part.
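As an added illustration of the replacement the message asks about (example code, not from the message or from raspbian-ua-netinst): the downloaded key is stored as a binary keyring under a per-host directory and the repository is pinned to it with Signed-By, so the key authenticates that one source instead of every source the way "apt-key add" did. The directory /etc/apt/keyrings, the REPO_URL/SUITE/COMPONENTS placeholders and the short names are assumptions; the message does not settle the directory, only that /usr/ is wrong.

```shell
#!/bin/sh
# Added example, not code from the message or from raspbian-ua-netinst.
# Assumed: keys live under /etc/apt/keyrings (KEYRING_DIR); the message
# itself does not settle the directory, only that /usr/ is wrong.
set -eu

KEYRING_DIR="${KEYRING_DIR:-/etc/apt/keyrings}"

# True when the downloaded key is ASCII armored. The upstream ".key" suffix
# says nothing about the format, so decide by content, not by file name.
key_is_armored() {
    grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1"
}

# Install a downloaded key as a binary keyring "<name>.gpg" (binary is the
# form the quoted advice prefers) and print the installed path.
install_key() {   # $1 = short name, $2 = downloaded key file
    dest="$KEYRING_DIR/$1.gpg"
    mkdir -p "$KEYRING_DIR"
    if key_is_armored "$2"; then
        gpg --dearmor < "$2" > "$dest"   # armored -> binary OpenPGP packets
    else
        cp "$2" "$dest"                  # already binary, keep as is
    fi
    chmod 0644 "$dest"                   # readable by the unprivileged apt user
    echo "$dest"
}

# A sources.list line with Signed-By: only this keyring can authenticate this
# repository, and this keyring authenticates no other repository.
sources_line() {  # $1 = keyring path, $2 = URL, $3 = suite, $4 = components
    echo "deb [signed-by=$1] $2 $3 $4"
}

# Usage with the Raspbian key URL from the message (needs root and gpg;
# REPO_URL, SUITE and COMPONENTS are placeholders for the repository's values):
#   wget -O /tmp/raspbian.key https://archive.raspbian.org/raspbian.public.key
#   kr=$(install_key raspbian /tmp/raspbian.key)
#   sources_line "$kr" REPO_URL SUITE COMPONENTS \
#       > /etc/apt/sources.list.d/raspbian.list
```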