
Author Topic:  trusted.gpg warning  (Read 6095 times)

Offline towo

  • Administrator
  • User
  • *****
  • Posts: 2.920
Re: trusted.gpg warning
« Reply #15 on: 2022/04/01, 08:10:11 »
Put the keys you trust in /etc/apt/trusted.gpg.d/, then you don't need the [ signed-by ] entries.
I don't go to Carnival, I just lend out my face sometimes.

Offline devil

  • Administrator
  • User
  • *****
  • Posts: 4.838
Re: trusted.gpg warning
« Reply #16 on: 2022/04/01, 09:54:19 »
That is the behavior that will be deprecated with Debian 12.

Offline towo

  • Administrator
  • User
  • *****
  • Posts: 2.920
Re: trusted.gpg warning
« Reply #17 on: 2022/04/01, 10:05:08 »
/etc/apt/trusted.gpg != /etc/apt/trusted.gpg.d/

From the manual:

Quote
DEPRECATION
       Except for using apt-key del in maintainer scripts, the use of apt-key is deprecated. This section shows how to replace existing use of apt-key.

       If your existing use of apt-key add looks like this:

       wget -qO- https://myrepo.example/myrepo.asc | sudo apt-key add -

       Then you can directly replace this with (though note the recommendation below):

       wget -qO- https://myrepo.example/myrepo.asc | sudo tee /etc/apt/trusted.gpg.d/myrepo.asc

       Make sure to use the "asc" extension for ASCII armored keys and the "gpg" extension for the binary OpenPGP format (also known as "GPG key public ring"). The binary OpenPGP format works for all apt versions, while the ASCII armored format works for apt version >= 1.4.

       Recommended: Instead of placing keys into the /etc/apt/trusted.gpg.d directory, you can place them anywhere on your filesystem by using the Signed-By option in your sources.list and pointing to the filename of the key. See sources.list(5) for details.
       Since APT 2.4, /etc/apt/keyrings is provided as the recommended location for keys not managed by packages. When using a deb822-style sources.list, and with apt version >= 2.4, the Signed-By option can also be used to include the full ASCII armored keyring directly in the sources.list without an additional file.

And for the record, vendor keys like Debian, Ubuntu and so on are placed in /etc/apt/trusted.gpg.d/ by default.
I don't go to Carnival, I just lend out my face sometimes.

Offline devil

  • Administrator
  • User
  • *****
  • Posts: 4.838
Re: trusted.gpg warning
« Reply #18 on: 2022/04/01, 12:32:39 »
Debian has offered different solutions to the long-coming apt-key deprecation, and there is still no real consensus. And the argument against /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d is:
Quote
The reason for this change is that when adding an OpenPGP key that's used to sign an APT repository to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, the key is unconditionally trusted by APT on all other repositories configured on the system that don't have a signed-by (see below) option, even the official Debian / Ubuntu repositories. As a result, any unofficial APT repository which has its signing key added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any package on the system. So this change was made for security reasons

This is also reflected in the Debian Wiki
https://wiki.debian.org/DebianRepository/UseThirdParty
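
An added example, not part of the thread or of apt itself: a small shell audit for the point quoted in Reply #18. It lists the keyrings that are trusted globally and the one-line-style source entries that have no signed-by option and so accept any of those keys. The function names and the sample tree in a temporary directory are constructed for illustration; deb822-style .sources files are not parsed.

```shell
#!/bin/sh
# Added example (not from the thread): find APT sources that accept any global key.

# global_keys [APT_DIR]: keyrings apt trusts for every source without signed-by.
global_keys() {
    dir=${1:-/etc/apt}
    [ -s "$dir/trusted.gpg" ] && echo "$dir/trusted.gpg"
    for f in "$dir"/trusted.gpg.d/*.gpg "$dir"/trusted.gpg.d/*.asc; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# unpinned_sources FILE...: print FILE:LINE: entry for each active one-line-style
# deb/deb-src entry whose [ options ] group has no signed-by=.
unpinned_sources() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        $1 != "deb" && $1 != "deb-src" { next }
        {
            opts = ""
            s = index($0, "["); e = index($0, "]")
            if ($2 ~ /^\[/ && e > s) opts = substr($0, s, e - s + 1)
            if (opts !~ /signed-by=/) printf "%s:%d: %s\n", FILENAME, FNR, $0
        }
    ' "$@"
}

# Constructed sample tree standing in for /etc/apt (assumption, for the demo only).
demo=$(mktemp -d)
mkdir -p "$demo/trusted.gpg.d" "$demo/sources.list.d"
: > "$demo/trusted.gpg.d/myrepo.asc"
cat > "$demo/sources.list" <<'EOF'
deb http://deb.debian.org/debian bookworm main
# deb http://old.example/debian stable main
EOF
cat > "$demo/sources.list.d/myrepo.list" <<'EOF'
deb [arch=amd64 signed-by=/etc/apt/keyrings/myrepo.asc] https://myrepo.example/debian stable main
deb-src [arch=amd64] https://myrepo.example/debian stable main
EOF

echo "Keys trusted for every unpinned source:"
global_keys "$demo"
echo "Sources without signed-by:"
unpinned_sources "$demo/sources.list" "$demo"/sources.list.d/*.list
```

On a real system, call global_keys with no argument and unpinned_sources on /etc/apt/sources.list and /etc/apt/sources.list.d/*.list.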

Offline Mte90

  • User
  • Posts: 216
  • KDE & Debian lover
    • http://www.mte90.net
Re: trusted.gpg warning
« Reply #19 on: 2022/04/21, 12:21:24 »
I just saw the thread now.
To fix the issue I downloaded all the keys again and imported them the new way to avoid any trouble.