> From: Daniel Kahn Gillmor [mailto:d...@fifthhorseman.net]
>
> On Thu 2018-05-17 08:45:18 +0000, Fiedler Roman wrote:
> > As gnupg starts getting more and more problematic regarding some
> > functions (see the discussions on command line/unattended use), Ubuntu
> > Bionic AND Debian Buster dropped it from their debootstrap
>
> I don't know about Ubuntu Bionic, but for Debian Buster this is simply
> false.
>
> Buster relies on gpgv (which is part of the GnuPG suite) for validating
> archive signatures.
That seems just a misunderstanding, as my initial message mentioning the
changes was imprecise from my side; the follow-up
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060422.html
should have made it clear that we are both talking about the same thing.

"""Yes, but all those features do not apply to apt-key or are of little
relevance. Hence gpg seems to have been included just for minimal use
(just adding/removing keys, everything is trusted as performed by root
user anyway). I do not know the reasons behind them dropping gpg, but I
guess they just needed a failsafe, minimalistic tool for that purpose
and now they dropped gpg and run only with gpgv to my knowledge."""

> > and replaced the apt-key management parts with their own solutions.
>
> apt-key has been deprecated for a while now. I don't think i've seen a
> secure use of apt-key that i can really encourage anywhere.
>
> If you want to do sane cryptographic controls on repositories, you
> should (a) place the key for a given repo somewhere sensible in the
> filesystem (e.g. /usr/share/keyrings/REPONAME-keyring.gpg), and (b) add
> a Signed-By: line to your .sources file (or a signed-by option to the
> line in your .list file).
>
> See sources.list(5) and
> https://wiki.debian.org/DebianRepository/UseThirdParty for more details.
>
> See also https://bugs.debian.org/877012 for suggestions about
> improvements to scoped cryptographic authorities for the default
> installation of debian repositories.

Thanks for the information. I thought that the new model would be using
"/etc/apt/trusted.gpg.d", as recommended by an online version of
"apt-key". But of course the per-repository pinning of keys could make
key management easier, as there is an n:1 link between repositories and
keys, thus it is easier to avoid stale keys in the common key storage
file.

> ...

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
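The per-repository key model Daniel recommends above (one keyring file under /usr/share/keyrings, a Signed-By pin in the .sources file), and the stale-key problem Roman raises, as an added worked example that is not part of the thread. It writes a pinned deb822 stanza for a repository and then audits all apt sources for entries that carry no pin and therefore accept any key in the global trusted keyring. The repository name, URL and suite are hypothetical, and APT_ROOT is an assumed prefix so the functions can be exercised against a scratch directory instead of the real /etc/apt.

```shell
#!/bin/sh
# Added example (not code from the thread): per-repository key pinning as
# described in the reply above, with one keyring file per third-party
# repository under /usr/share/keyrings and a Signed-By pin in a deb822
# .sources file, plus a small audit that lists repository entries still
# trusting the global keyring (/etc/apt/trusted.gpg, /etc/apt/trusted.gpg.d/).
# Repository name, URL and suite used by callers are hypothetical.
# APT_ROOT is an assumed prefix so the functions can run against a scratch
# directory instead of the real /etc/apt (default: empty, i.e. /).
set -u
APT_ROOT="${APT_ROOT:-}"

# Print a deb822 stanza: $1=URL $2=suite $3=components $4=keyring path.
make_sources_stanza() {
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s\n' \
        "$1" "$2" "$3" "$4"
}

# Register repository $1 (name) at $2 (URL), suite $3, components $4,
# pinned to /usr/share/keyrings/$1-keyring.gpg. The keyring itself is
# installed separately (see the note after this block); apt refuses the
# repository until that file exists, which is the intended failure mode.
add_pinned_repo() {
    name=$1; url=$2; suite=$3; comps=$4
    keyring="/usr/share/keyrings/${name}-keyring.gpg"
    mkdir -p "${APT_ROOT}/etc/apt/sources.list.d"
    make_sources_stanza "$url" "$suite" "$comps" "$keyring" \
        > "${APT_ROOT}/etc/apt/sources.list.d/${name}.sources"
}

# Audit: print "<file>: <entry>" for every repository entry that has no
# Signed-By (deb822) or [signed-by=...] (one-line) pin. Such entries are
# accepted if signed by ANY key in the global trusted keyring, which is
# exactly where a stale or over-broad key goes unnoticed.
find_unpinned_sources() {
    dir="${APT_ROOT}/etc/apt"
    # One-line format: "deb [options] URL suite components"
    for f in "$dir/sources.list" "$dir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$f" \
            | grep -v 'signed-by=' \
            | sed "s|^|$f: |"
    done
    # deb822 format: stanzas separated by blank lines, Signed-By is a field
    for f in "$dir"/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[[:space:]]*$/ { if (uri != "" && !signed) print file ": " uri
                               uri = ""; signed = 0; next }
            /^URIs:/      { uri = $0 }
            /^Signed-By:/ { signed = 1 }
            END           { if (uri != "" && !signed) print file ": " uri }
        ' "$f"
    done
}

# Convenience wrapper for scripts and CI checks: number of unpinned entries.
count_unpinned_sources() {
    find_unpinned_sources | wc -l | tr -d ' '
}
```

The keyring file is installed alongside, for instance with `gpg --dearmor -o /usr/share/keyrings/REPONAME-keyring.gpg < REPONAME.asc`; note that dearmoring needs gpg, not gpgv, so on a minimal image that ships only gpgv you fetch the binary .gpg keyring directly instead. An entry that the audit reports is one where apt will accept a Release file signed by any key in the global keyring, so the intended end state on a hardened host is an empty report.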