Le 26/12/2025 à 10:31, Nicolas Kovacs a écrit :
[...]
What's the orthodox way of adding a project's GPG key to Debian ?
Unfortunately, the documentation I found online seems to be either
contradictory, obsolete or downright wrong.
[...]
Hello Nicolas,
I have never done this but I suppose you use the signed-by option in the
sources.list (old format) ou debian.sources (new format) file.
Like this (excerpt form the sources.list manpage):
[...]
As an example, the sources for your distribution could look like
this in the deprecated one-line-style format:
deb
[signed-by=/usr/share/keyrings/debian-archive-keyring.gpg]
http://deb.debian.org/debian trixie main contrib non-free non-free-firmware
deb
[signed-by=/usr/share/keyrings/debian-archive-keyring.gpg]
http://deb.debian.org/debian trixie-updates main contrib non-free
non-free-firmware
deb
[signed-by=/usr/share/keyrings/debian-archive-keyring.gpg]
http://deb.debian.org/debian-security trixie-security main contrib
non-free non-free-firmware
or like this in deb822 style format:
Types: deb
URIs: http://deb.debian.org/debian
Suites: trixie trixie-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
URIs: http://deb.debian.org/debian-security
Suites: trixie-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
[...]
