
I want to use the signed-by option on all the repositories of my /etc/apt//debian.sources, pointing to the keys in /usr/share/keyrings instead of /etc/apt/ before disabling this directory, as I have understood that this old way of doing things is insecure. I don't know if this only applies to third-party repositories, but better safe than sorry.

However, when adding the signed-by option, I found myself unable to know which key to link to which repo, seeing that the keys' names don't match the repos:

    debian-archive-bullseye-security-automatic.gpg
    debian-archive-buster-security-automatic.gpg
    debian-archive-stretch-security-automatic.gpg

My /etc/apt//debian.sources looks like this:

    Signed-By: /usr/share/keyrings/debian-archive-buster-stable.gpg
    Signed-By: /usr/share/keyrings/debian-archive-buster-automatic.gpg
    Signed-By: /usr/share/keyrings/debian-archive-buster-security-automatic.gpg

This doesn't throw me any error when doing apt update and I can install software, but I would like to know a method to know for sure which key I should append to the signed-by option for each repo, without having to do guesswork and be left with doubts.

I know of apt-key list but the information is pretty much the same; how is "Debian Security Archive Automatic Signing Key" supposed to tell us that it signs buster-updates AND buster-backports? Is it normal that one key can sign multiple suites? I would have expected one key per suite.

Also, the opposite: how do I know what a key signs? How do I know I don't have useless keys in /usr/share/keyrings, or that they are signing malicious repositories?


For context, current best practices for third-party repositories are documented in the Debian wiki page on third-party repository usage and in this “How to properly use 3rd party Debian repository signing keys with apt” blog post. Eventually they should be extended to Debian's own repositories, see this issue for example.

Assuming you trust your current setup, you can map signed archive release files to keys by listing the keys used to sign them, for example:

    $ gpgv /var/lib/apt/lists/_dists_buster_updates_InRelease
    gpgv: Can't check signature: No public key

These are respectively “Debian Security Archive Automatic Signing Key (9/stretch)” and “Debian Security Archive Automatic Signing Key (10/buster)”. To determine that, look at the individual keyrings in /usr/share/keyrings, with a command such as

    for file in /usr/share/keyrings/*.gpg; do
        echo "$file"
        gpg --list-keys --no-default-keyring --with-subkey-fingerprint --keyring "$file"
    done

This isn't ideal; for more authoritative usage information, you can apply the following rules:

    - stable release keys (e.g. “Debian Stable Release Key (10/buster)”) are used with the corresponding stable repositories
    - automatic keys are used as described in their announcement emails

Repository indexes are often signed by two keys to allow for some overlap.

You shouldn't care about individual files under /usr/share/keyrings, but rather about packages providing files there (and of course, files which aren't provided by a package). However, the map described above also works to find keys which are no longer used in your setup.

Starting with APT 2.4, it will be possible to specify signing keys in.
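The mapping the answer above describes, done end to end, as an added shell script that is not part of the original question or answer: it runs gpgv over every InRelease file apt has fetched, takes the key IDs gpgv names (gpgv reports them even when it cannot check the signature), and looks each one up in the keyrings under /usr/share/keyrings, so the last column of its output is the file to use as Signed-By for that repository. It assumes gpgv and gpg are installed; the directory paths, the `--run` flag and the sample gpgv output with fake key IDs are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. It automates
# the procedure above: run gpgv over every InRelease file apt has fetched,
# take the key IDs gpgv names, and look each one up in the keyrings under
# /usr/share/keyrings so the matching file can be used as Signed-By.
# Assumes gpgv and gpg are installed; the directory paths are parameters so
# the parsing can be exercised on the constructed sample below.

# Print the long (16 hex digit) key ID of every signature gpgv reports.
# gpgv emits "gpgv:   using RSA key <ID or fingerprint>" for each signature
# even when it then says "Can't check signature: No public key", so the
# mapping works before any keyring is trusted. Newer gpgv prints a full
# 40-digit fingerprint for keys it knows; its last 16 digits are the key ID.
signing_keyids() {
    # $1 is the captured gpgv output (gpgv writes it to stderr)
    printf '%s\n' "$1" | awk '
        /^gpgv: *using [A-Z0-9]+ key [0-9A-Fa-f]+/ {
            id = toupper($NF)
            print substr(id, length(id) - 15)
        }'
}

# Does keyring $2 contain a key or subkey with long key ID $1?
# In --with-colons output every key and subkey gets an "fpr" record whose
# 10th field is the fingerprint; the key ID is its last 16 digits.
keyring_has_key() {
    gpg --batch --no-default-keyring --keyring "$2" \
        --with-colons --with-subkey-fingerprint --list-keys 2>/dev/null |
    awk -F: -v id="$1" '
        $1 == "fpr" && toupper(substr($10, length($10) - 15)) == id { found = 1 }
        END { exit !found }'
}

# For every *_InRelease under $1 (default /var/lib/apt/lists) print one line
# per signature: file, key ID, and the keyring(s) under $2 (default
# /usr/share/keyrings) holding that key, or NONE. NONE means either a key
# you do not have (and so cannot list in Signed-By) or a keyring that lives
# elsewhere, e.g. one installed by a third-party package.
map_inrelease_keys() {
    lists="${1:-/var/lib/apt/lists}"
    keyrings="${2:-/usr/share/keyrings}"
    for rel in "$lists"/*_InRelease; do
        [ -e "$rel" ] || continue
        # gpgv exits non-zero when a key is missing; only its report is needed
        out=$(gpgv "$rel" 2>&1) || true
        for id in $(signing_keyids "$out"); do
            hits=""
            for kr in "$keyrings"/*.gpg; do
                [ -e "$kr" ] || continue
                keyring_has_key "$id" "$kr" && hits="${hits:+$hits }$kr"
            done
            printf '%s\t%s\t%s\n' "$rel" "$id" "${hits:-NONE}"
        done
    done
}

# Constructed sample of gpgv output (fake key IDs, not Debian's) used to
# exercise signing_keyids without touching the real apt lists.
SAMPLE_GPGV_OUTPUT='gpgv: Signature made Sat Jul 13 18:27:13 2019 UTC
gpgv:                using RSA key 0123456789ABCDEF
gpgv: Can'"'"'t check signature: No public key
gpgv: Signature made Sat Jul 13 18:27:13 2019 UTC
gpgv:                using RSA key FEDCBA9876543210FEDCBA9876543210FEDCBA98
gpgv: Good signature from "Constructed Test Key <test@example.invalid>"'

# Run with --run [lists-dir [keyrings-dir]] to map a real system; with no
# arguments only the functions are defined, so the file can be sourced.
if [ "${1:-}" = "--run" ]; then
    map_inrelease_keys "${2:-}" "${3:-}"
fi
```

Because InRelease files are usually signed by two keys (the overlap the answer mentions), expect two lines per repository; a line ending in NONE for a key you never had is normal and does not need an entry in Signed-By. Repositories that still ship a detached Release.gpg instead of InRelease are not covered by the `*_InRelease` glob and would need `gpgv Release.gpg Release` instead.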
