WIP: Use proper keyrings directory #163

Draft
jlecour wants to merge 0 commits from debian12-keyring into unstable
Owner

We've decided that all gpg/asc files for APT go to `/etc/apt/trusted.gpg.d`, but with APT 2.4 (Debian 12), the proper directory becomes `/etc/apt/keyrings`.

I've added automatic variables in roles that use this.

I've also added a `signed-by` option in source.list files for third-party sources.

From https://manpages.debian.org/testing/apt/apt-key.8.en.html :

> *Recommended*: Instead of placing keys into the `/etc/apt/trusted.gpg.d` directory, you can place them anywhere on your filesystem by using the Signed-By option in your sources.list and pointing to the filename of the key. See [sources.list(5)](https://manpages.debian.org/testing/apt/sources.list.5.en.html) for details. Since APT 2.4, `/etc/apt/keyrings` is provided as the recommended location for keys not managed by packages.
jlecour added 2 commits 3 months ago
f531460f49
Use proper keyrings directory for APT version
gitea/ansible-roles/pipeline/head This commit looks good Details
28540247f0
Add signed-by option for additional APT sources
dprevot reviewed 3 months ago
- name: Elastic sources list is available
apt_repository:
repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
repo: "deb [signed-by={{ apt_keyring_dir }}/.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
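Review bot: the new `repo:` line's signed-by path, `{{ apt_keyring_dir }}/.asc`, has no key basename and so points at a file literally named `.asc`; it should read `{{ apt_keyring_dir }}/elastic.asc` (or whatever filename the role's key-install task writes), since APT will only accept this source's Release file if the Signed-By path resolves to the key that actually signs it.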
Owner

s/.asc/elastic&/
jlecour marked this conversation as resolved
jlecour added 1 commit 3 months ago
jlecour commented:

In fact, moving to a [deb822](https://manpages.debian.org/bullseye/apt/sources.list.5.en.html#DEB822-STYLE_FORMAT) format might make this even easier.
It is supported since **apt version 1.1**, so it is available (at least) since Debian 8 (jessie).

I've noticed that we almost never update source files outside of Ansible (with the `apt_repository` module), so we could decide to change all custom source files to this new format without breaking anything.
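As an added example (not code from the evolix/ansible-roles PR), the two decisions discussed in this thread in plain POSIX sh: pick the key directory from the APT version (`/etc/apt/keyrings` only from APT 2.4) and render the source entry pinned to its key, both in the one-line `signed-by=` form and in the deb822 form suggested above. The function names and the `8.x` Elastic path in the usage comment are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the evolix/ansible-roles PR: choose the APT key
# directory by APT version and render a source entry pinned to its key.

# Key directory for an APT version string: /etc/apt/keyrings exists from
# APT 2.4 (Debian 12); older releases only have /etc/apt/trusted.gpg.d.
apt_keyring_dir() {
    ver="$1"
    major="${ver%%.*}"
    case "$ver" in
        *.*) minor="${ver#*.}"; minor="${minor%%.*}" ;;
        *)   minor=0 ;;
    esac
    # Drop any non-numeric suffix, such as the "~rc1" in "2.4~rc1".
    major="${major%%[!0-9]*}"; minor="${minor%%[!0-9]*}"
    if [ "${major:-0}" -gt 2 ] || { [ "${major:-0}" -eq 2 ] && [ "${minor:-0}" -ge 4 ]; }; then
        echo /etc/apt/keyrings
    else
        echo /etc/apt/trusted.gpg.d
    fi
}

# One-line sources.list entry: $1 APT version, $2 key basename, $3 URI,
# $4 suite, $5 components. The basename must match the file the role
# actually installs; otherwise APT rejects the Release file as unsigned.
render_list_source() {
    printf 'deb [signed-by=%s/%s] %s %s %s\n' \
        "$(apt_keyring_dir "$1")" "$2" "$3" "$4" "$5"
}

# Same entry in deb822 format (supported since apt 1.1), same arguments.
render_deb822_source() {
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s/%s\n' \
        "$3" "$4" "$5" "$(apt_keyring_dir "$1")" "$2"
}

# Usage on a live host (constructed sample; "8.x" stands in for the
# elastic_stack_version variable used by the role):
# ver=$(dpkg-query -W -f='${Version}' apt)
# render_deb822_source "$ver" elastic.asc \
#     https://artifacts.elastic.co/packages/8.x/apt stable main \
#     > /etc/apt/sources.list.d/elastic.sources
```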
jlecour added 1 commit 3 months ago
This pull request is marked as a work in progress.
Reference: evolix/ansible-roles#163