Replace deprecated apt-key
What does this MR do and why?
Replace deprecated apt-key
apt-key is deprecated by Debian and should no longer be recommended.
See https://manpages.debian.org/unstable/apt/apt-key.8.en.html:
apt-key(8) will last be available in Debian 12 and Ubuntu 24.04.
Instead of downloading and adding PGP keys via apt-key add, there are
two solutions:
- Preferred: download the key into /etc/apt/keyrings/ or if it is part of a package, put it into /usr/share/keyrings/. ASCII-armored files should use the file extension .asc while un-armored (binary) files should use the file extension .gpg. Afterwards use deb [ signed-by=…/keyring/… ] https://… in any sources.list file to specifically use that keyring only for that source entry.
- Alternatively put the key in /etc/apt/trusted.gpg.d/ using the same extension as noted above. This allows the key to be used to sign any source. As such it is less secure and not recommended by Debian.
Remove the unneeded gpg --dearmor and store and use the ASCII-armored
PGP key: This is supported since APT 1.4 from 2017 and got first
released for Debian-8-Jessie in 2018, which is now EOL, even for ELTS.
While at it consistently use sudo curl --fail --silent --show-error --output:
- --fail-with-body stored the HTML error document as the key; afterwards APT becomes very unhappy.
- curl | tee hides any error from curl, in which case an empty file is created by tee.
- Add --show-error to see when curl --silent fails to spot errors.
Security consideration: Some people consider sudo curl unsafe. An
alternative would be to use something like this everywhere:
(
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
curl --output "$tmp" &&
sudo install -m 644 "$tmp" /etc/apt/…
)
Closes: #212967 (closed)
Signed-off-by: Philipp Hahn p.hahn@avm.de
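An added example, not part of this MR or of the GitLab documentation: one way to apply the temp-file alternative from the security consideration with the curl flags the MR standardizes on, rejecting the empty-file and HTML-error-page cases before anything is installed. The function names, the SUDO override and the arguments passed by the caller are assumptions.

```shell
#!/bin/sh
# Added example, not from the MR. The URL, file names and suite/component
# values passed in by the caller are assumptions.

# Succeed only if FILE looks like an ASCII-armored PGP public key. This rejects
# an empty file (curl | tee) and a stored HTML error page (--fail-with-body).
looks_like_armored_key() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -qx -e '-----BEGIN PGP PUBLIC KEY BLOCK-----' || return 1
    grep -qx -e '-----END PGP PUBLIC KEY BLOCK-----' "$1"
}

# Download URL as the calling user, validate it, then install it as DEST.
# Only the final copy is privileged. SUDO defaults to "sudo"; set SUDO= to
# install into a directory you own.
fetch_apt_key() {
    url=$1
    dest=$2
    tmp=$(mktemp) || return 1
    if curl --fail --silent --show-error --output "$tmp" "$url" &&
        looks_like_armored_key "$tmp"; then
        ${SUDO-sudo} install -m 644 "$tmp" "$dest"
        rc=$?
    else
        echo "not installing $url: download failed or not an armored key" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Print a sources.list line that trusts KEYRING for this one source only.
signed_by_entry() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}
```

The shape check only confirms that the file is an armored key block; it does not establish that it is the expected key.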