Bug#1109469: Regression in apt 3.0

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1109469: Regression in apt 3.0
From: Sven Mueller <smu@google.com>
Date: Fri, 18 Jul 2025 15:22:25 +0200
Message-id: <[🔎] CAH-QrX7L_E76UPKG48iW41LND32UacxYuso4+jo1MmkD1QHb7g@mail.gmail.com>
Reply-to: Sven Mueller <smu@google.com>, 1109469@bugs.debian.org

Source: apt
Version: 3.0.3

Hi.

We had this working in apt for years, in apt.conf:

Acquire::https::some.host::SslCert
"pkcs11:token=sometoken;object-type=cert;object=someobject;pin-source=file:/dev/null";
Acquire::https::some.host::SslKey
"pkcs11:token=sometoken;object-type=private;object=someobject;pin-source=file:/dev/null";

Where sometoken refers to an access mechanism pkcs11 understands and
someobject identifies the actual credentials (cert and key under the
same name, but differentiated via the type).  The relevant credential
is hardware-backed, so just giving a filename wouldn't work.

This broke with apt 3.0 - probably with 2.9.19, but I didn't cross-check.

Are you aware of any way to achieve this with current apt? Could
support for such a configuration be added back?

Kind regards,
Sven

Reply to:

Prev by Date: Bug#1109196: apt: provide a way to automatically mark 'auto' all packages that don't need to stay manual
Next by Date: Bug#1109583: please use SRV records to follow instead of using them as overwrites
Previous by thread: Quote for itinerary
Next by thread: Bug#1109583: please use SRV records to follow instead of using them as overwrites
Index(es):
- Date
- Thread