Bug#1103625: modernize-sources: use .pgp file extension for debian-archive-keyring
On Wed, Aug 27, 2025 at 01:41:19PM +0200, Guillem Jover wrote:
> Hi!
>
> [ I discussed this with Julian on IRC some time ago, but forgot to
> forward that here, doing that now, and this report was used as a
> reference somewhere else, so better to clarify things here. ]
>
> On Sat, 2025-04-19 at 21:02:47 +0200, Julian Andres Klode wrote:
> > On April 19, 2025 8:30:19 PM GMT+02:00, "Christian T. Steigies" <cts@debian.org> wrote:
> > >Package: apt
> > >Version: 3.0.0
> > >Severity: wishlist
>
> > >an upgrade offered to modernize my sources, so I did.
> > >Just seconds before I saw the message from the upgraded
> > >debian-archive-keyring:
> > > Certificate (keyring) files in /usr/share/keyrings now have the
> > > file extension .pgp, rather than .gpg.
> > >Shouldn't a just modernized source use the new file extension as well?
>
> > So the .pgp extension is reserved for PGP messages, not keys.
> >
> > This needs to be resolved by the IETF WG, and the change in the
> > keyring package was premature.
> >
> > The only file extension for keys is .asc for armored ones.
>
> I think that to keep using .gpg is worse, because I don't think there's
> even a MIME type for .gpg? At least none that I could see in the
> /etc/mime.types anyway. For example file --mime-types returns the correct
> thing anyway.
>
> My take is that the MIME definition is not exhaustive, so I don't see a
> conflict if it's "missing types". And my perception is that MIME types
> get registered after demonstrated usage?
>
> Julian asked if file did application/pgp-keys for .pgp keys, and this
> was my reply:
>
> $ file --mime-type /usr/share/keyrings/debian-archive-trixie-automatic.pgp
> /usr/share/keyrings/debian-archive-trixie-automatic.pgp: application/pgp-keys
>
> It just checks the contents the same with a .gpg one for example:
>
> $ file --mime-type /usr/share/keyrings/debian-maintainers.gpg
> /usr/share/keyrings/debian-maintainers.gpg: application/pgp-keys
>
> So I don't see much of a problem here, and I think it would be best if we
> could move away from this naming pattern, as that entrenches GnuPG usage
> as a synonym for OpenPGP which seems rather unfortunate.
>
> And for example for the apt modernize stuff I think it would be great if
> it could check whether the current pathname referred is a symlink and
> then use that (or perhaps if the symlink target is named .pgp if you want
> to be more specific).
>
> Julian then replied that the code could be made to just look for a
> .pgp first.

Now the uapi group standardized .openpgp as the file extension for keys
in the File Hierarchy for the Verification of OS Artifacts (VOA)
specification, but also specifies they must be ASCII armored, that is,
they match our .asc extension.

So this of course begs the question of whether to support .openpgp
as an extension, but also maybe we should prefer .asc - despite .asc
having higher overhead - since it's a nicer file format to work
with in practical applications.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
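
The lookup order discussed in this thread (follow a legacy .gpg symlink, otherwise look for a .pgp sibling first) together with content-based detection of armored versus binary certificates, as an added example that is not apt's code and not from either poster. The function names and the file names in `demo()` are hypothetical and constructed for illustration.

```python
import os
import tempfile

ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"

def sniff_encoding(path):
    """Classify a certificate file by its content, not by its extension."""
    with open(path, "rb") as fh:
        head = fh.read(64).lstrip()
    if head.startswith(ARMOR_HEADER):
        return "armored"
    # Every binary OpenPGP packet header has bit 7 of its first octet set.
    if head and head[0] & 0x80:
        return "binary"
    return "unknown"

def modern_keyring_path(path):
    """Choose the keyring path to record for a legacy *.gpg reference."""
    stem, ext = os.path.splitext(path)
    if ext != ".gpg":
        return path
    # Case 1: the .gpg name is a symlink whose target is named .pgp.
    if os.path.islink(path):
        target = os.path.realpath(path)
        if target.endswith(".pgp") and os.path.isfile(target):
            return target
    # Case 2: a .pgp file with the same stem exists, so prefer it.
    sibling = stem + ".pgp"
    if os.path.isfile(sibling):
        return sibling
    return path  # nothing newer found: keep the reference unchanged

def demo():
    """Constructed layout: a .pgp keyring plus a legacy .gpg symlink to it."""
    with tempfile.TemporaryDirectory() as d:
        d = os.path.realpath(d)
        pgp = os.path.join(d, "example-archive.pgp")
        with open(pgp, "wb") as fh:
            fh.write(b"\x99\x01\x0d" + b"\x00" * 8)  # constructed packet header only
        os.symlink("example-archive.pgp", os.path.join(d, "example-archive.gpg"))
        asc = os.path.join(d, "example.asc")
        with open(asc, "wb") as fh:
            fh.write(ARMOR_HEADER + b"\n\n(constructed)\n")
        chosen = modern_keyring_path(os.path.join(d, "example-archive.gpg"))
        return os.path.basename(chosen), sniff_encoding(chosen), sniff_encoding(asc)
```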