Azure / azure-cli

Azure Command-Line Interface
MIT License

Update deb_install.sh to use /etc/apt/keyrings #25149

Open richeney opened 1 year ago

richeney commented 1 year ago

Issue

The apt-key command is deprecated with Ubuntu 22.04 (except for deletes).

The /usr/share/keyrings directory is the recommended location for package signing keys now, rather than /etc/apt/keyrings.

The deb_install.sh script used by option 1 would benefit from changing to these newer standards. The manual commands are slightly better as they include the signed-by location, but again, should that location now be /usr/share/keyring?

richeney commented 1 year ago

Happy to contribute an update to the script and the docs page, but I won't be able to test against all supported variants of Ubuntu and Debian.

I thought it would be better to float the idea as a general enhancement as this script is fairly crucial!

yonzhan commented 1 year ago

@jiasli for awareness

bebound commented 1 year ago

A PR is welcome.

I agree that deb_install.sh should be in sync with manual steps.

However, /etc/apt/keyrings is correct.

If future updates to the certificate will be managed by an apt/dpkg package as recommended below, then it SHOULD be downloaded into /usr/share/keyrings using the same filename that will be provided by the package. If it will be managed locally, it SHOULD be downloaded into /etc/apt/keyrings instead. -- https://wiki.debian.org/DebianRepository/UseThirdParty
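An added example, not part of this thread or the azure-cli repository: a small shell audit that applies the distinction quoted above to apt source entries, reporting whether each one pins its key with signed-by and whether that key sits in the locally managed or the package-managed keyring directory. The function names, the `example.invalid` host and the `vendor-archive-keyring.gpg` filename are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify one-line-style apt source entries by where their
# signing key lives. deb822 .sources files are out of scope.
# classify_entry LINE -> prints skip | unpinned | local | package | other
classify_entry() {
    line=$1
    case $line in
        deb\ *|deb-src\ *) ;;           # a source entry
        *) echo skip; return 0 ;;       # comment, blank line, anything else
    esac
    case $line in
        *\[*signed-by=*\]*) ;;          # key is pinned to this one repository
        *) echo unpinned; return 0 ;;   # relies on the global trusted keyrings
    esac
    keyring=${line#*signed-by=}         # text after the option name
    keyring=${keyring%%]*}              # cut at the end of the option block,
    keyring=${keyring%% *}              # at the next option,
    keyring=${keyring%%,*}              # and keep only the first listed keyring
    case $keyring in
        /etc/apt/keyrings/*)   echo local ;;    # managed by the administrator
        /usr/share/keyrings/*) echo package ;;  # provided by an apt/dpkg package
        *)                     echo other ;;
    esac
}

# audit_sources FILE -> prints "CLASS<TAB>ENTRY" for each source entry.
# Returns 1 if any entry lacks signed-by, 0 otherwise.
audit_sources() {
    status=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        class=$(classify_entry "$entry")
        if [ "$class" = skip ]; then continue; fi
        printf '%s\t%s\n' "$class" "$entry"
        if [ "$class" = unpinned ]; then status=1; fi
    done < "$1"
    return "$status"
}

# Constructed sample entries; example.invalid is a placeholder host.
sample_entries() {
    cat <<'EOF'
# constructed sample
deb [arch=amd64 signed-by=/etc/apt/keyrings/microsoft.gpg] https://example.invalid/azure-cli/ jammy main
deb [signed-by=/usr/share/keyrings/vendor-archive-keyring.gpg] https://example.invalid/vendor stable main
deb https://example.invalid/old stable main
EOF
}
# With a file argument (a .list file under /etc/apt/sources.list.d/), audit it.
if [ "$#" -gt 0 ]; then audit_sources "$1"; fi
```

An `unpinned` result means the entry has no signed-by option, so apt accepts a signature from any key in the global trusted keyrings rather than one key tied to that repository.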

richeney commented 1 year ago

Understood. I'm not sure I really understand the difference between an apt/dpkg package and a locally managed package.

(I was updating a few Ansible playbooks for my WSL setup as 22.04 was complaining about the legacy trusted.gpg keyring, and I noticed that Terraform and the gcloud CLI were now using /usr/share/keyrings.)

I'll raise a PR for that script to get it in line with the manual instructions. 😊

richeney commented 1 year ago

@bebound, one other check; should the .gpg file be called /usr/share/keyrings/microsoft-archive-keyring.gpg rather than /usr/share/keyrings/microsoft.gpg?

(The https://wiki.debian.org/DebianRepository/UseThirdParty page uses that convention in the first paragraph.)

bebound commented 1 year ago

That's a good point. I'm not sure. The CLI always names it microsoft.gpg; I think it's okay to keep it. @jiasli What's your idea?

PS: VS Code uses packages.microsoft.gpg. Docker uses docker.gpg. Ref: