This commit makes the Tor signing key be directly piped to apt-key
from curl, removing the intermediate steps of importing it to,
then exporting it from, the user GPG pubkey ring.
Even if the Tor official doc also does it in two passes[1], there is,
as far as I can tell, no real need for these middle steps.
On the contrary, gpg --import has the side-effect of also putting
the Tor key into the calling user keyring. But that’s just polluting
the keyring; it’s dubious anything but apt will need the Tor package
signing key!
(From what concerns us here, note that there is no problem piping from
a “non-sudo curl” to a “sudo [apt-key]”, because the sudo password must
have been already entered by the user in a previous command.)
1: https://support.torproject.org/apt/