Linutronix / elbe

Embedded Linux Build Environment
https://elbe-rfs.org
GNU General Public License v3.0

Take GPG keys from /usr/share/keyrings/ #369

Closed yegorich closed 1 year ago

yegorich commented 1 year ago

In both Debian and Ubuntu, Debian archive keys are provided by the debian-archive-keyring package. The difference is, Debian's variant installs the keys in both /usr/share/keyrings/ and /etc/apt/trusted.gpg.d. But the Ubuntu one installs the keys only to /usr/share/keyrings/.

The background is, the keys in /etc/apt/trusted.gpg.d are trusted unconditionally by apt. As a result, any package coming from either an official or an unofficial distro repository will be trusted by apt as long as it is signed by one of the keys in /etc/apt/trusted.gpg.d. For more information, please see this answer: https://askubuntu.com/a/1307181/199784.

This background explains why Ubuntu's package doesn't install Debian archive keys into the /etc/apt/trusted.gpg.d folder.

Hence, as both packages install the keys into /usr/share/keyrings/, use this location for both Linux distributions. This approach won't compromise the security in Ubuntu as the user doesn't have to copy the keys from /usr/share/keyrings/ to /etc/apt/trusted.gpg.d.

yegorich commented 1 year ago

Debian's package installs in both folders since Buster: https://packages.debian.org/en/buster/debian-archive-keyring

bgermann commented 1 year ago

That is true. But the semantics of those locations are not the same. The trusted.gpg.d is explicitly meant for gpg keys that you trust with signing repos that your system is allowed to install software from. In /usr/share/keyrings/ there can be any sort of keyrings, so this is not going to happen. You can amend the warning on how to install keys if you like.
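The distinction drawn in the two comments above (keys in /etc/apt/trusted.gpg.d vouch for every configured repository, keys in /usr/share/keyrings/ only vouch for the repositories that name them with `signed-by=`) can be made concrete with a small shell helper. This is an added example, not elbe project code and not something either commenter posted; the keyring path, repository URLs and the sample sources lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not elbe code). Shows how to bind a keyring from
# /usr/share/keyrings/ to one repository with signed-by=, and how to spot
# sources entries that instead rely on the globally trusted store
# (/etc/apt/trusted.gpg.d), where any key vouches for any repository.

# Build a sources.list line that binds one keyring to one repository.
# Usage: pinned_source <keyring-path> <url> <suite> <components...>
pinned_source() {
    keyring=$1; url=$2; suite=$3; shift 3
    printf 'deb [signed-by=%s] %s %s %s\n' "$keyring" "$url" "$suite" "$*"
}

# Read sources.list-style lines on stdin and print every deb/deb-src entry
# that lacks signed-by=. Such entries are verified only against the global
# trust store, so any key placed there can sign packages for them.
# Returns 1 if at least one unpinned entry was found, 0 otherwise.
find_unpinned() {
    unpinned=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;          # skip blank lines and comments
            deb*) ;;                      # deb / deb-src entries are checked
            *) continue ;;                # ignore anything else
        esac
        case $line in
            *'signed-by='*) ;;            # bound to a specific keyring: fine
            *) printf 'unpinned: %s\n' "$line"; unpinned=1 ;;
        esac
    done
    return $unpinned
}

# Constructed sample (assumed paths/URLs): the first entry is pinned to the
# Debian archive keyring shipped by debian-archive-keyring, the second is not.
SAMPLE_SOURCES="deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://deb.debian.org/debian bookworm main
deb http://example.invalid/vendor stable main"

printf '%s\n' "$SAMPLE_SOURCES" | find_unpinned \
    || echo "unpinned entries found: prefer signed-by= over copying keys into /etc/apt/trusted.gpg.d"
```

With this pattern, a build environment can take the keys from /usr/share/keyrings/ on both Debian and Ubuntu without widening what apt trusts: a key named via `signed-by=` can only validate the repository it is attached to, which is exactly the property that copying it into /etc/apt/trusted.gpg.d would lose.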

bgermann commented 1 year ago

What you may also do is add a way for users to add arbitrary directories as trusted for initvm creation.

yegorich commented 1 year ago

It's a good idea. I'll look into it.