allinurl / goaccess

GoAccess is a real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser.
https://goaccess.io
MIT License

Update recommendation to install from Official deb repo #2122

Closed elboulangero closed 3 years ago

elboulangero commented 3 years ago

Hello,

I couldn't find a git repo for the website goaccess.io, so I'm filing this issue here.

apt-key is deprecated, and it's not considered good practice to add a key to /etc/apt/trusted.gpg.d/.

So the procedure at https://goaccess.io/download#official-repo should be updated to read like this:

$ wget -O - https://deb.goaccess.io/gnugpg.key | sudo tee /usr/share/keyrings/goaccess.gpg
$ echo "deb [signed-by=/usr/share/keyrings/goaccess.gpg] https://deb.goaccess.io/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/goaccess.list
$ sudo apt-get update
$ sudo apt-get install goaccess

However at the moment it won't work, because the GPG key that is available on goaccess.io is not in the right format, and apt can't use it as is:

Here's a procedure to update it (see references below for more details and other commands that also work):

cd tmp
wget https://deb.goaccess.io/gnugpg.key -O goaccess.gpg

$ file goaccess.gpg
goaccess.gpg: PGP public key block Public-Key (old)

mkdir -m0700 gnupg
export GNUPGHOME=$(pwd)/gnupg
gpg --import goaccess.gpg
gpg --export 97BD1A0133449C3D > goaccess.gpg

$ file goaccess.gpg
goaccess.gpg: PGP/GPG key public ring (v4) created Sun May 17 02:45:06 2020 RSA (Encrypt or Sign) 3072 bits MPI=0xbb18501021b4234a...

So in short, I suggest to:

Some references:

Cheers!

allinurl commented 3 years ago

Thanks for sharing this. Question for you: would existing users need to make an update on their end, i.e., download the new key again? I ask because there are a lot of machines pulling from the repo right now, so I'm trying to minimize the need for each one of those servers to download a new key.

elboulangero commented 3 years ago

There's no need for users to update anything. The secret key that you use to sign the repo doesn't change. The only thing that would change is the format used for the public key.

This being said, I took more time to look at how other projects handled this transition, more specifically:

These projects didn't change their public key; they just updated their procedure so that users run gpg --dearmor on their side. That's another approach if you're not comfortable touching the GPG public key on the server. It requires users to have the gpg command installed, but I'd expect gpg to be installed on pretty much every machine, so I don't think it's an issue.

If you go for this approach, you have nothing to change on the server, all you need to do is to update the procedure for goaccess users:

$ wget -O - https://deb.goaccess.io/gnugpg.key | gpg --dearmor | sudo tee /usr/share/keyrings/goaccess.gpg >/dev/null
$ echo "deb [signed-by=/usr/share/keyrings/goaccess.gpg] https://deb.goaccess.io/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/goaccess.list
$ sudo apt-get update
$ sudo apt-get install goaccess

There's (yet) another approach. It turns out that users can also use the public key that you provide "as is". This format is known as PGP public key block Public-Key (old) according to the file command, but is also referred to as "ascii-armored". It can be used by apt if you have apt version >= 1.4 available (Debian >=stretch/9 and Ubuntu >=bionic/18.04).

If you think goaccess users meet this requirement, then the procedure can be:

$ wget -O - https://deb.goaccess.io/gnugpg.key | sudo tee /usr/share/keyrings/goaccess.asc
$ echo "deb [signed-by=/usr/share/keyrings/goaccess.asc] https://deb.goaccess.io/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/goaccess.list
$ sudo apt-get update
$ sudo apt-get install goaccess

Note the important details in the command above:

Once again, with this scenario you don't need to modify the key server-side.


So that's it. I think the 2 approaches above are better than my initial proposal, as you don't need to modify the public key on the server. Less work, less headaches :)

Waiting for your feedback!
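Editor's added example (not part of the thread or of the goaccess project): apt picks the parser for a signed-by keyring from the file extension, .gpg for binary and .asc for ASCII-armored, so the failure described above is an armored key saved under a .gpg name. The sketch below checks a key file's content against its extension; the function names and the sample files are constructed for illustration.

```shell
# Classify an OpenPGP public key file and check that its extension matches
# its encoding before the file is referenced from signed-by=.

# Print "armored", "binary" or "unknown" for the file given as $1.
keyring_format() {
    if head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo armored
        return
    fi
    # A binary keyring starts with a public-key packet header:
    # 0x98/0x99 in the old packet format, 0xc6 in the new one.
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    case "$first" in
        98|99|c6) echo binary ;;
        *)        echo unknown ;;
    esac
}

# Return 0 when extension and content agree, 1 otherwise; print the verdict.
check_keyring() {
    fmt=$(keyring_format "$1")
    case "$1:$fmt" in
        *.asc:armored|*.gpg:binary)
            echo "ok: $1 is $fmt" ;;
        *.gpg:armored)
            echo "mismatch: $1 is armored; rename to .asc or run gpg --dearmor"
            return 1 ;;
        *.asc:binary)
            echo "mismatch: $1 is binary; rename to .gpg"
            return 1 ;;
        *)
            echo "unknown: $1 is not an OpenPGP public key file"
            return 1 ;;
    esac
}

# Constructed samples (not real keys): an armored block under a .gpg name,
# the same block as .asc, and a stub binary public-key packet header.
make_samples() {
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' \
        'Y29uc3RydWN0ZWQ=' '-----END PGP PUBLIC KEY BLOCK-----' > "$1/goaccess.gpg"
    cp "$1/goaccess.gpg" "$1/goaccess.asc"
    printf '\231\001\215\004' > "$1/dearmored.gpg"   # 0x99 0x01 0x8d 0x04
}

samples=$(mktemp -d)
make_samples "$samples"
for f in "$samples"/*; do check_keyring "$f" || true; done
rm -rf "$samples"
```

Running check_keyring against the file actually placed in /usr/share/keyrings before apt-get update catches the mismatch without waiting for apt to report a signature verification failure.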

allinurl commented 3 years ago

Thanks Arnaud for sharing these steps. Like you said, sounds like step 1 is the way to go. I see the other repos using this approach so I went ahead and updated the instructions on the website. Would you be able to submit a PR to update the README.md? Thanks again!

elboulangero commented 3 years ago

Just did that. Thanks!