don't use apt-key to import APT GPG key #99

Closed
opened 2019-12-28 14:49:53 +01:00 by gcolpart · 5 comments
Owner

We decide to stop using apt-key to import APT GPG key because it's dirty, not idempotent and difficult to revert.

We can just download the GPG key in /etc/apt/trusted.gpg.d/

See https://wiki.evolix.org/HowtoDebian/Packages#ajout-de-d%C3%A9p%C3%B4t for details

We need to apply this strategy in Buster.

Owner

It seems that this is not the [Debian recommended way](https://wiki.debian.org/DebianRepository/UseThirdParty) to add third-party repositories.

Instead we should add the key (in a dearmored format) in `/usr/share/keyrings/` and mention the signature in the source list like this: `deb [signed-by=/usr/share/keyrings/key.gpg] http://pub.evolix.net/ main`
Owner

In the [Debian 11 upgrade documentation](https://www.debian.org/releases/testing/amd64/release-notes/ch-information.html#deprecated-components), I read that keys should be added to `/etc/apt/trusted.gpg.d/`, so there is a contradiction.

I also read that we can use the `.gpg` extension for binary files and `.asc` for ASCII-armored files.
Author
Owner

wiki.d.o is not an official source. And it's more logical to have it in `/etc/apt/trusted.gpg.d/` instead of our read-only, non-gitted `/usr` directory.

`.gpg` vs `.asc` stuff is in our doc: https://wiki.evolix.org/HowtoDebian/Packages#apt-key
Owner

fixed!

pattern:

```yaml
# Detect the legacy apt-key store; only try to remove the key if it exists
- name: Look for /etc/apt/trusted.gpg
  stat:
    path: /etc/apt/trusted.gpg
  register: apt_trusted_gpg

- name: Elastic GPG embedded key is absent
  apt_key:
    id: "D88E42B4"
    state: absent
  when: apt_trusted_gpg.stat.exists

# Ship the key as a plain file under trusted.gpg.d (idempotent, easy to revert)
- name: Elastic GPG key is installed
  copy:
    src: elastic.asc
    dest: /etc/apt/trusted.gpg.d/elastic.asc
    force: yes
    mode: "0644"
```
Owner

Better pattern:

```yaml
# Target the legacy keyring explicitly, so no stat task is needed
- name: Elastic GPG embedded key is absent
  apt_key:
    id: "D88E42B4"
    keyring: /etc/apt/trusted.gpg
    state: absent

- name: Elastic GPG key is installed
  copy:
    src: elastic.asc
    dest: /etc/apt/trusted.gpg.d/elastic.asc
    force: yes
    mode: "0644"
```
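The thread raises two checks a practitioner would want to automate after migrating away from `apt-key`: whether a keyring file's extension matches its actual format (`.asc` for ASCII-armored, `.gpg` for binary, as APT expects under `/etc/apt/trusted.gpg.d/`), and whether a repository entry still relies on the global trust store rather than a per-repository `signed-by` keyring. The following audit helper is an added example, not code from the evolix/ansible-roles project; the `example.invalid` repositories, the sample key bytes and the in-memory `SAMPLE_KEYRINGS` mapping are constructed placeholders standing in for real files.

```python
"""Audit APT keyring files and sources.list entries (added example)."""
import re
from pathlib import PurePosixPath

ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"
# Extension APT expects in trusted.gpg.d for each key format.
EXPECTED_EXT = {"armored": ".asc", "binary": ".gpg"}

# One-line sources.list entry: deb [opt=val ...] uri suite [components...]
SOURCE_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)(?P<comps>.*)$"
)


def key_format(data: bytes) -> str:
    """Classify raw keyring bytes as 'armored', 'binary' or 'unknown'."""
    if data.lstrip().startswith(ARMOR_HEADER):
        return "armored"
    # A binary OpenPGP stream starts with a packet header whose high bit is
    # set (RFC 4880 section 4.2); an old-format public-key packet begins 0x99.
    if data and data[0] & 0x80:
        return "binary"
    return "unknown"


def check_keyring(path: str, data: bytes) -> dict:
    """Report the detected format and whether the file extension matches it."""
    fmt = key_format(data)
    ext = PurePosixPath(path).suffix
    return {"path": path, "format": fmt, "ext": ext,
            "ext_ok": EXPECTED_EXT.get(fmt) == ext}


def parse_source_line(line: str):
    """Parse one sources.list line into its parts; None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = SOURCE_RE.match(line)
    if not m:
        return None
    opts = {}
    for opt in (m.group("opts") or "").split():
        key, _, value = opt.partition("=")
        opts[key] = value
    return {"type": m.group("type"), "options": opts, "uri": m.group("uri"),
            "suite": m.group("suite"), "components": m.group("comps").split()}


def audit_sources(lines, keyrings: dict) -> list:
    """Return one finding per problematic source line.

    `keyrings` maps keyring path -> file bytes; it stands in for the
    filesystem so the example runs offline."""
    findings = []
    for line in lines:
        entry = parse_source_line(line)
        if entry is None:
            continue
        signed_by = entry["options"].get("signed-by")
        if signed_by is None:
            findings.append(f"{entry['uri']}: no signed-by, trusted via the global "
                            "keyring (apt-key / trusted.gpg.d) for every repository")
            continue
        if signed_by not in keyrings:
            findings.append(f"{entry['uri']}: signed-by keyring {signed_by} is missing")
            continue
        report = check_keyring(signed_by, keyrings[signed_by])
        if not report["ext_ok"]:
            findings.append(f"{entry['uri']}: {signed_by} is {report['format']} but has "
                            f"extension {report['ext'] or '(none)'}")
    return findings


# Constructed sample inputs (placeholders, not real keys or repositories).
SAMPLE_ARMORED = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQENBEXAMPLE\n"
                  b"-----END PGP PUBLIC KEY BLOCK-----\n")
SAMPLE_BINARY = b"\x99\x01\x0d\x04" + b"\x00" * 16  # fake public-key packet header
SAMPLE_KEYRINGS = {
    "/usr/share/keyrings/example-archive-keyring.gpg": SAMPLE_BINARY,
    "/etc/apt/trusted.gpg.d/example.gpg": SAMPLE_ARMORED,  # armored data, wrong extension
}
SAMPLE_SOURCES = [
    "deb http://example.invalid/legacy stable main",
    "deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] http://pub.evolix.net/ main",
    "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/example.gpg] http://example.invalid/apt stable main",
    "deb [signed-by=/usr/share/keyrings/missing.gpg] http://example.invalid/other stable main",
]

if __name__ == "__main__":
    for finding in audit_sources(SAMPLE_SOURCES, SAMPLE_KEYRINGS):
        print(finding)
```

On a real host the `SAMPLE_KEYRINGS` dictionary would be built by reading the files named in each `signed-by=` option; the `pub.evolix.net` entry passes because its binary keyring carries the `.gpg` extension, while the armored key saved as `.gpg` is reported, which is exactly the mistake the `.gpg`/`.asc` remark in the thread is about.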
Reference: evolix/ansible-roles#99