On Thu, Jul 01, 2021 at 02:18:17PM +0200, Andreas Tille wrote:
> Hi Julian,
> 
> On Thu, Jul 01, 2021 at 02:02:43PM +0200, Julian Andres Klode wrote:
> > Control: severity -1 minor
> > 
> > On Thu, Jul 01, 2021 at 01:51:22PM +0200, Andreas Tille wrote:
> > > I have some packages for my own use (I mean there is no reason to expect
> > > that someone wants to pull things from there) on my private web page
> > > which I signed with my Debian key. This was working up to recently with
> > > apt-key. Since this was not working any more I tried to follow the
> > > advice given in the error message and started reading apt-secure(8)
> > > where I just found a hint to apt-key which is deprecated.
> > 
> > There have been no changes on our side.
> 
> That's strange.
> 
> > > IMHO users who are using third party repositories will get a broken
> > > system after upgrading to Debian 11 and there is no helpful hint given
> > > how to fix it.
> > > 
> > > BTW, I did some
> > > 
> > >    apt-key del 578A0494D1C646D1
> > 
> > OK
> > 
> > > 
> > > added my key to /etc/apt/trusted.gpg.d/fam-tille.gpg
> > 
> > So you used --keyring /etc/apt/trusted.gpg.d/fam-tille.gpg
> > instead of --export > /etc/apt/trusted.gpg.d/fam-tille.gpg?
> > 
> > Did you read the apt-key(8) manual page?
> > 
> >    apt-key supports only the binary OpenPGP format (also known as
> >    "GPG key public ring") in files with the "gpg" extension, not the
> >    keybox database format introduced in newer gpg(1) versions
> >    as default for keyring files. Binary keyring files
> >    intended to be used with any apt version should therefore
> >    always be created with gpg --export.
> > 
> > This problem happened to a lot of people, ever since gpg 2 became
> > the default which switched --keyring to generate not keyrings, but
> > keybox databases.
> 
> I admit the problem that it did not work yet was just on my end - I
> simply copied over the wrong key. Sorry for that part of the noise.
> 
> > > and added an according
> > > 
> > >    [signed-by=/etc/apt/trusted.gpg.d/fam-tille.gpg]
> > > 
> > > option to the sources.list line ... and it does not yet work. So I
> > > think it is critical to point to a solution that *really* works.
> > 
> > Well, it should if you have a proper GPG keyring file, and not a
> > keybox file.
> 
> ... the format was OK, just an old key. (Hiding behind some stone.)
> 
> > > Due to potentially breaking user systems I wonder if someone agrees
> > > with bumping the severity of the bug to serious.
> > 
> > I disagree, and think this bug is a minor documentation issue,
> > your issue here is likely outside the computer.
> 
> I stick to the opinion that apt-secure pointing to apt-key which
> is deprecated is simply the wrong thing.
Yes, the manpages need some reshuffling. But we're about to enter hard
freeze, and I don't want to end up breaking the translations at this
point and do a big reshuffling and rewrite of the docs.

> I would love to see some kind of example like
> 
>    [signed-by=/etc/apt/trusted.gpg.d/your-key.gpg]

You don't _need_ signed-by if you place files in trusted.gpg.d,
everything in trusted.gpg.d is trusted by any source lacking a
signed-by.

> 
> directly and I think this should become part of Debian 11 release. But
> I will not play severity ping-pong - just stating my very personal
> opinion about some direct help in our docs. IMHO this is specifically
> important since *lots* of links that can be found by your favourite
> search engine are advertising the use of apt-key.

I don't want to advertise signed-by=. We should aim to get deb822
format supported in python-apt next cycle, and then advertise a
consistent use of deb822 .sources files. Including, but not limited
to, having d-i create sources.list.d/<vendor>.sources instead of
sources.list. It just looks bad in the legacy file format.

I'm still concerned having signed-by leads people to adding sources
they trust less, only to then be rootkitted by evil maintainer scripts
of packages in that repo.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
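An added illustration of the keyring-format point raised in the thread above (example code written for this page; it is not part of apt, gnupg, or either poster's message): a small POSIX sh check that tells a binary OpenPGP keyring, which apt accepts in /etc/apt/trusted.gpg.d and behind signed-by=, apart from a GnuPG keybox database, which it silently rejects. The function names, the sample files used in the checks, and the repository values passed to the deb822 helper are constructed for this example; the "KBXf" magic at offset 8 and the OpenPGP public-key packet tag bytes are the file formats' own.

```shell
#!/bin/sh
# Example for this thread, not apt's or gnupg's own code. Classifies a
# keyring file the way apt would need it: only a binary OpenPGP keyring
# (what "gpg --export" writes) is usable; a keybox database (what
# "gpg --keyring FILE --import" creates with gpg 2) is not.

# Print the format of keyring file $1: "openpgp", "keybox", "armored" or
# "unknown". Exit status is 0 only for a binary OpenPGP keyring.
apt_keyring_format() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo "unknown"
        return 1
    fi
    # A keybox file opens with a header blob carrying "KBXf" at bytes 8..11.
    magic=$(dd if="$f" bs=1 skip=8 count=4 2>/dev/null)
    if [ "$magic" = "KBXf" ]; then
        echo "keybox"
        return 1
    fi
    # A binary OpenPGP keyring starts with a public-key packet (tag 6):
    # old-format tag byte 0x98/0x99/0x9a (1/2/4-byte length field) or
    # new-format tag byte 0xc6. An ASCII-armored export starts with "-".
    first=$(dd if="$f" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$first" in
        98|99|9a|c6)
            echo "openpgp"
            return 0 ;;
        2d)
            echo "armored"
            return 1 ;;
        *)
            echo "unknown"
            return 1 ;;
    esac
}

# Export key $1 from the default GnuPG keyring into $2 the way the
# apt-key(8) text quoted above recommends, then verify the result.
# Needs a working gpg; not exercised by the checks that accompany this block.
export_apt_keyring() {
    gpg --export "$1" > "$2" || return 1
    [ "$(apt_keyring_format "$2")" = "openpgp" ]
}

# Emit a deb822 .sources stanza (the format the reply prefers over a
# sources.list line) that pins one repository to keyring $4 via Signed-By.
# Arguments: URI, suite, components, keyring path.
deb822_source_stanza() {
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s\n' \
        "$1" "$2" "$3" "$4"
}

# Stand-alone run: report the format of every keyring apt currently trusts.
for f in /etc/apt/trusted.gpg.d/*.gpg /etc/apt/trusted.gpg.d/*.asc; do
    [ -e "$f" ] || continue
    printf '%s: %s\n' "$f" "$(apt_keyring_format "$f")"
done
```

Run the script as-is to audit the keyrings already installed; a file reported as "keybox" is the failure mode described in the thread and should be regenerated with `gpg --export`. Note that apt keys a .gpg extension to the binary format, so a keybox database stored under that name is the case that gives no useful error beyond the one the original poster saw.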