Debian has already bricked so many of my servers by requiring in aptitude dist-upgrade GPG auths that had not even been installed a decade ago, making me wonder now how much of this could be mitigated or prevented by some simple dpkg --install or gpg --recv-keys b4hand? [And does FreeBSD still do text/plain trusting a11y here?]

On Fri 26 Dec 2025 at 10:59, didier gaumet <[email protected]> wrote:
> On 26/12/2025 at 10:31, Nicolas Kovacs wrote:
> [...]
> > What's the orthodox way of adding a project's GPG key to Debian?
> > Unfortunately, the documentation I found online seems to be either
> > contradictory, obsolete or downright wrong.
> [...]
> Hello Nicolas,
>
> I have never done this but I suppose you use the signed-by option in the
> sources.list (old format) or debian.sources (new format) file.
> Like this (excerpt from the sources.list manpage):
> [...]
> As an example, the sources for your distribution could look like
> this in the deprecated one-line-style format:
>
> deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://deb.debian.org/debian trixie main contrib non-free non-free-firmware
> deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://deb.debian.org/debian trixie-updates main contrib non-free non-free-firmware
> deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://deb.debian.org/debian-security trixie-security main contrib non-free non-free-firmware
>
> or like this in deb822 style format:
>
> Types: deb
> URIs: http://deb.debian.org/debian
> Suites: trixie trixie-updates
> Components: main contrib non-free non-free-firmware
> Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
>
> Types: deb
> URIs: http://deb.debian.org/debian-security
> Suites: trixie-security
> Components: main contrib non-free non-free-firmware
> Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
> [...]
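
An added example, not part of the original messages or of apt itself: a small Python audit that parses both source formats quoted above and reports every repository URI that is not tied to a keyring through `signed-by` / `Signed-By`. The function names are hypothetical, the sample text is constructed, and `repo.example.org` is a placeholder third-party repository.

```python
import re

# One-line style: type, optional [options], then the URI.
ONE_LINE = re.compile(r'^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)')

def audit_one_line(text):
    """Return (uri, signed-by or None) for each one-line-style entry."""
    found = []
    for raw in text.splitlines():
        if m := ONE_LINE.match(raw.split('#', 1)[0].strip()):
            opts = dict(o.split('=', 1) for o in (m.group('opts') or '').split() if '=' in o)
            found.append((m.group('uri'), opts.get('signed-by')))
    return found

def audit_deb822(text):
    """Return (uri, signed-by or None) for each URI of each deb822 stanza."""
    found = []
    for stanza in re.split(r'\n\s*\n', text.strip()):
        fields, key = {}, None
        for raw in stanza.splitlines():
            if raw[:1] in (' ', '\t') and key:
                fields[key] += '\n' + raw.strip()  # continuation of the previous field
            elif ':' in raw and not raw.startswith('#'):
                name, value = raw.split(':', 1)
                key = name.strip().lower()  # field names are case-insensitive
                fields[key] = value.strip()
        found += [(uri, fields.get('signed-by')) for uri in fields.get('uris', '').split()]
    return found

def unpinned(entries):
    """URIs that are not tied to a specific keyring through signed-by."""
    return [uri for uri, keyring in entries if not keyring]

# Constructed samples: the Debian entries follow the thread, repo.example.org is a placeholder.
SAMPLE_ONE_LINE = """\
deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://deb.debian.org/debian trixie main
deb https://repo.example.org/apt stable main  # no signed-by
"""
SAMPLE_DEB822 = """\
Types: deb
URIs: http://deb.debian.org/debian
Suites: trixie trixie-updates
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: https://repo.example.org/apt
Suites: stable
Components: main
"""
```

Calling `unpinned(audit_one_line(...) + audit_deb822(...))` on the contents of the files under `/etc/apt/` lists the repositories that would be verified against whatever keys apt trusts globally instead of one named keyring.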

