On 2021-07-01 14:02:34 -0400 (-0400), Kyle Edwards wrote:
[...]
> In response, we updated our keyring package to remove the
> /etc/apt/trusted.gpg.d files that had been added, and
> automatically replace them with [signed-by=] attributes in the
> sources.list (with permission from the user.) It sounds like this
> move was not necessary. Nevertheless, is it considered "wrong" to
> do it this way? Should I have left it alone?
Personal/professional opinion, it's not wrong. If anything it's more
explicit about the intent, at least. It's just not particularly a
security improvement, and unfortunately most of the information
scattered about the Internet recommending use of signed-by leans
heavily on perceived security risks which it really does nothing to
mitigate.

Also, as others have stated, deb822 might be a cleaner way to express
this. On top of that, you can embed Signed-By fields with your key
fingerprint in your repository's Release files, in order to highlight
if someone gets an updated index which is signed by a different key
than you previously indicated it should be. I think anything as
recent as Stretch should support all of this.

-- 
Jeremy Stanley
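As an added illustration for the deb822 suggestion in the reply above (this is not part of the thread, not Kyle's keyring package, and not apt's own tooling), here is a small Python converter that takes one-line sources.list entries carrying `[signed-by=...]` (and other) options and emits the equivalent deb822 `.sources` stanzas, merging `deb`/`deb-src` pairs into one stanza. The field names follow sources.list(5); the repository URL, suite names and keyring path in the sample input are constructed for the example.

```python
"""Convert one-line sources.list entries (with [options]) to deb822 .sources
stanzas.

Constructed example; not from the mailing-list thread, Kyle's keyring
package, or apt itself.  Field names follow sources.list(5).
"""
import re
from typing import Dict, List

# One-line option name -> deb822 field name, as documented in sources.list(5).
OPTION_FIELDS: Dict[str, str] = {
    "signed-by": "Signed-By",
    "arch": "Architectures",
    "lang": "Languages",
    "target": "Targets",
    "trusted": "Trusted",
    "check-valid-until": "Check-Valid-Until",
    "valid-until-min": "Valid-Until-Min",
    "valid-until-max": "Valid-Until-Max",
    "by-hash": "By-Hash",
}

# Output order for stanza fields: the four positional fields, then options.
FIELD_ORDER: List[str] = ["Types", "URIs", "Suites", "Components"] + list(
    OPTION_FIELDS.values()
)

# deb|deb-src  [opt=val opt=val]  uri  suite  [component ...]
ONE_LINE_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)\s*(?P<comps>.*)$"
)


def parse_one_line(line: str) -> Dict[str, List[str]]:
    """Parse one `deb ...` line into a mapping of deb822 field -> list of values."""
    m = ONE_LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a sources.list entry: {line!r}")
    entry: Dict[str, List[str]] = {
        "Types": [m["type"]],
        "URIs": [m["uri"]],
        "Suites": [m["suite"]],
    }
    comps = m["comps"].split()
    if comps:  # flat repositories ("suite/") legitimately have no components
        entry["Components"] = comps
    for opt in (m["opts"] or "").split():
        name, sep, value = opt.partition("=")
        field = OPTION_FIELDS.get(name.lower())
        # "arch+=" / "arch-=" modifiers have no deb822 form; refuse rather than guess.
        if field is None or not sep:
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
        # One-line options are comma-separated; deb822 values are space-separated.
        # Signed-By is passed through unchanged (keyring path or fingerprint).
        entry[field] = value.split(",")
    return entry


def _stanza_key(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    return {k: v for k, v in entry.items() if k != "Types"}


def merge_entries(entries: List[Dict[str, List[str]]]) -> List[Dict[str, List[str]]]:
    """Merge entries that differ only in Types (deb vs deb-src) into one stanza."""
    merged: List[Dict[str, List[str]]] = []
    for entry in entries:
        key = _stanza_key(entry)
        target = next((m for m in merged if _stanza_key(m) == key), None)
        if target is None:
            merged.append({k: list(v) for k, v in entry.items()})
        else:
            target["Types"].extend(t for t in entry["Types"] if t not in target["Types"])
    return merged


def render_deb822(entries: List[Dict[str, List[str]]]) -> str:
    """Render stanzas separated by a blank line, fields in FIELD_ORDER."""
    stanzas = []
    for entry in entries:
        lines = [f"{f}: {' '.join(entry[f])}" for f in FIELD_ORDER if f in entry]
        stanzas.append("\n".join(lines))
    return "\n\n".join(stanzas) + "\n"


def convert(text: str) -> str:
    """Convert a whole one-line sources.list (comments and blanks skipped)."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return render_deb822(merge_entries([parse_one_line(l) for l in lines]))


# Constructed sample input; apt.example.org and the keyring path are hypothetical.
SAMPLE_SOURCES_LIST = """\
# constructed example, not a real repository
deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://apt.example.org/debian bookworm main contrib
deb-src [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://apt.example.org/debian bookworm main contrib
deb [arch=amd64,arm64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://apt.example.org/debian bookworm-backports main
"""

if __name__ == "__main__":
    print(convert(SAMPLE_SOURCES_LIST), end="")
```

The converter only rewrites the entry's shape; as the reply says, moving from a one-line `[signed-by=...]` to a deb822 `Signed-By:` field is about explicitness, not about trusting a different key. Because the value is passed through, a keyring path or a key fingerprint both work, which is also why a repository's Release file can name the expected fingerprint in its own Signed-By field for apt to compare against. Unsupported options (including the `+=`/`-=` modifiers) raise instead of being silently dropped, so a conversion never quietly loses a constraint.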