don't use apt-key to import APT GPG key #99
Reference: evolix/ansible-roles#99
We decided to stop using apt-key to import APT GPG keys because it's dirty, not idempotent and difficult to revert.
We can just download the GPG key into /etc/apt/trusted.gpg.d/.
See https://wiki.evolix.org/HowtoDebian/Packages#ajout-de-d%C3%A9p%C3%B4t for details
We need to apply this strategy in Buster.
It seems that this is not the Debian recommended way to add third party repositories.
Instead we should add the key (in a dearmored format) in /usr/share/keyrings/ and mention the signature in the source list like this:
deb [signed-by=/usr/share/keyrings/key.gpg] http://pub.evolix.net/ main
In the Debian 11 upgrade documentation, I read that keys should be added to /etc/apt/trusted.gpg.d/, so there is a contradiction. I also read that we can use the .gpg extension for binary files and the .asc extension for ASCII-armored files.

wiki.d.o is not an official source. And it's more logical to have it in /etc/apt/trusted.gpg.d/ instead of our read-only-no-gitted /usr directory.
.gpg vs .asc stuff is in our doc : https://wiki.evolix.org/HowtoDebian/Packages#apt-key
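An added example, not part of the original thread or of the evolix roles: a small audit script for the two points discussed above. It checks that a key file's extension matches its content (.asc armored, .gpg binary) and lists source entries with no signed-by option, which APT verifies against every key in /etc/apt/trusted.gpg.d/. The function names, the repo.example.invalid entry and the sample key bytes are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit APT key files and source entries (hypothetical helper names).

# Print "armored" if the file starts with an OpenPGP ASCII-armor header, else "binary".
key_format() {
    if head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo armored
    else
        echo binary
    fi
}

# Succeed only when the extension matches the content: .asc = armored, .gpg = binary.
key_ext_ok() {
    case "$1" in
        *.asc) [ "$(key_format "$1")" = armored ] ;;
        *.gpg) [ "$(key_format "$1")" = binary ] ;;
        *)     return 1 ;;
    esac
}

# Print deb/deb-src lines that carry no signed-by option.
unscoped_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$1" | grep -v 'signed-by=' || true
}

# Constructed sample data (placeholder bytes, not real keys).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$demo/good.asc"
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$demo/mislabelled.gpg"
printf '\231\001\015' > "$demo/good.gpg"
cat > "$demo/example.list" <<'EOF'
deb [signed-by=/usr/share/keyrings/key.gpg] http://pub.evolix.net/ main
deb http://repo.example.invalid/debian stable main
EOF

for f in "$demo"/*.asc "$demo"/*.gpg; do
    if key_ext_ok "$f"; then echo "OK       $f"; else echo "MISMATCH $f"; fi
done
echo "Entries without signed-by:"
unscoped_sources "$demo/example.list"
```

On a real host, point the loop at /etc/apt/trusted.gpg.d/ and /usr/share/keyrings/, and run unscoped_sources over /etc/apt/sources.list and the files in /etc/apt/sources.list.d/.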
fixed!
pattern :
Better pattern :