On 21.06.21 07:58, Andrei POPESCU wrote:
> On Du, 20 iun 21, 10:20:42, Andrei POPESCU wrote:
>> Package: release-notes
>> X-Debbugs-Cc: debian-user@lists.debian.org, a...@packages.debian.org
>> On Sb, 19 iun 21, 22:07:35, Marco Möller wrote:
>>> The apt-key command and its man page say that apt-key is deprecated, but do not
>>> suggest a recommended tool to use instead. It is only mentioned that keys would
>>> now be organized in /etc/apt/trusted.gpg.d/ . But how should I manage the
>>> keys saved there, for instance how to update them, or what tool of the
>>> Debian distribution is managing them there for the apt functionality of the
>>> Debian OS?
>> As far as I understand it's as simple as dropping the keys in there.
>> When a key changes/expires/etc. replace it with the new one (if provided
>> by the respective repository).
>>> Guiding me to properly up-to-date documentation about this topic would be
>>> welcome!
>> Indeed the documentation on this is a bit scarce, probably worth a
>> mention in the Release Notes.
> Which already exists, under "Deprecated components for bullseye".
> Kind regards,
> Andrei
Andrei, thanks for having picked up my problem and having taken care that the
release notes comment on it, and also for supposedly having motivated
Julian Andres Klode to publish a very helpful blog post on the related
subject. Brad Rogers here in the thread linked to it in his answer to
me; thanks for this as well.
Darac Marjal in his answer made me understand that my problem was NOT
about knowing how to copy a key file to a directory, but about being
convinced that it is allowed to simply copy files to the
/etc/apt/trusted.gpg.d/ sub-directory without having to manage this with a
special tool like gpg. To convince me, maybe the man page of apt-key
was simply missing a word like "manually", as in "manually
place files in this sub-directory". As a beginner being confronted with
security-relevant procedures, especially when it is about things like PGP
keys based on a Web of Trust concept, you easily suspect that a special
security tool would exist for ensuring that handling the important
package signature key infrastructure is done correctly. Obviously not.
Simply copying a key there really appears to be enough to get access to a
repository.
I stumbled over this problem with apt-key because I am learning to make
use of OpenPGP right now, therefore studying GnuPG and its gpg tool, and
by this approaching how I maybe could also make use of the package
signatures to review whether my OS installation was manipulated in an
unauthorized way after package installations I had requested, only to
find that the tool apt-key mentioned in this context by the "Securing
Debian Manual" is already deprecated.
Obviously, being new to this topic, I was then not properly separating
the concept of gpg being a tool to manage OpenPGP keys from the fact that
keys do not necessarily have to be tightly bound to the keyrings which, as
a user, I can manage with the gpg command. The insights about my apt-key
related findings derived from the answer of Darac Marjal, from the blog
post of Julian Andres Klode, and from many(!) other texts about OpenPGP
and GnuPG which I studied in the last days, I have summarized in the
following words in my answer to Darac Marjal. Maybe these words can also
serve for the documentation of the deprecation of the apt-key command
and for the documentation of the usage of the /etc/apt/trusted.gpg.d/
sub-directory? Here are my words, hoping they describe the situation
correctly:
--> " The gpg keys in the /etc/apt/trusted.gpg.d/ sub-directory are
managed by apt after the files have simply been placed there manually, each
file containing a key in binary format. These keys are automatically
trusted by apt, hence the "trusted.gpg.d" label for that
sub-directory. Keys at this location are not related to the OpenPGP key
management which, as a user, one usually does with the explicit use of the
gpg command. Because apt manages these keys internally and these
keys are not intended to be manipulated manually with the gpg command by
the administrating user, the gpg --refresh-keys command cannot be
used as a replacement for the deprecated "apt-key update" command. " <--
It then might be recommended to also add something like the following to it:
" Although not needed for technical functionality, it is highly
recommended to confirm that a key indeed belongs to the package provider
before adding the file containing the binary key to this sub-directory.
Further reading on the best practice of how to confirm this is provided
in .... " (here a good link suggestion needs to come, which I do not
have right now).
I could imagine that the link could point to Chapter 7.5 "Package
signing in Debian" of the "Securing Debian Manual" (
https://www.debian.org/doc/user-manuals#securing ), after this chapter
has been updated to the current situation (apt-key is obviously
deprecated), and maybe with a small piece of advice added there on how to
check a key file for its signatures acting as the Web of Trust.
Best regards, Marco.
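As an added example (not code from this thread, from Debian or from apt), the kind of check the quoted recommendation asks for: read the fingerprint out of a key file, armored or binary, and compare it with the fingerprint the repository provider publishes before the binary form is copied into /etc/apt/trusted.gpg.d/. In practice gpg --show-keys reads the same fingerprint; the parser here is a minimal stand-alone one (old-format packet headers only, v4 keys only) so that the check itself is visible, and the sample key and its expected fingerprint are constructed, not a real provider's key.

```python
import base64, hashlib, re

def dearmor(data: bytes) -> bytes:
    """Binary OpenPGP data in, binary out: ASCII armor is base64-decoded, binary passes through."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    text = data.decode("ascii").replace("\r\n", "\n")
    m = re.search(r"-----BEGIN PGP [^\n]*-----\n(.*?)-----END PGP", text, re.S)
    if not m:
        raise ValueError("malformed armor")
    block = m.group(1).split("\n\n", 1)[-1]        # armor headers end at the first blank line
    return base64.b64decode("".join(l for l in block.split("\n") if l and l[0] != "="))  # '=xxxx' is the CRC24

def first_packet(data: bytes):
    """Parse an old-format OpenPGP packet header (RFC 4880 section 4.2.1), the form gpg uses for
    key packets (0x98/0x99), and return (tag, body). New-format headers are rejected."""
    if not data or (data[0] & 0xC0) != 0x80:
        raise ValueError("not an old-format OpenPGP packet")
    tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    n = 1 << ltype                                  # 1, 2 or 4 length octets
    length = int.from_bytes(data[1:1 + n], "big")
    return tag, data[1 + n:1 + n + length]

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || 2-octet body length || body (RFC 4880 section 12.2), upper-case hex."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def check_key(data: bytes, expected_fpr: str):
    """Dearmor if needed, require a public-key packet (tag 6) first, and require the expected
    fingerprint. Returns (binary_key, fingerprint); the binary is what goes into trusted.gpg.d/."""
    binary = dearmor(data)
    tag, body = first_packet(binary)
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, not a public key")
    fpr = v4_fingerprint(body)
    if fpr != expected_fpr.replace(" ", "").upper():
        raise ValueError(f"fingerprint mismatch: file has {fpr}")
    return binary, fpr

# Constructed sample: a minimal v4 RSA public-key packet (old-format header 0x98, 15-octet body),
# not a real key. In real use the expected fingerprint comes from the repository's documentation.
SAMPLE_KEY = bytes.fromhex("980f 04 60000000 01 0010c35f 0011010001")
SAMPLE_ARMORED = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
                  + base64.b64encode(SAMPLE_KEY) + b"\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Only when check_key returns without raising would the returned binary be written to a file in /etc/apt/trusted.gpg.d/; a mismatch means the file should not be installed at all.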