keybase / client

Keybase Go Library, Client, Service, OS X, iOS, Android, Electron
BSD 3-Clause "New" or "Revised" License

packaging/linux/deb: apt-key is deprecated #24856

Open julian-klode opened 2 years ago

julian-klode commented 2 years ago

I recently added warnings for keys in trusted.gpg to APT, they'll ship in Debian 12 and Ubuntu 22.04:

W: http://prerelease.keybase.io/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

apt-key has been deprecated for a couple years now. Please consider installing a keyring file into /usr/share/keyrings instead (directly in the deb, not in postinst), and then create a sources.list.d/keybase.list referencing that with signed-by.

deb [signed-by=/usr/share/keyrings/keybase-keyring.gpg] http://prerelease.keybase.io/deb stable main

Alternatively, you can drop the key into trusted.gpg and not use signed-by, as chrome does at the moment: https://chromium.googlesource.com/chromium/src/+/117cfd4c6a3aa57c93590042b2347ade68f83808%5E%21/

This has the added complexity of needing to base64 encode the key in the postinst, is less safe, and awkward.

Support for apt-key will be removed from development releases starting next month.

rauldipeas commented 2 years ago

I'm using this temporary fix:

cat <<EOF |sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/keybase.gpg
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: GPGTools - https://gpgtools.org
[ASCII-armored key data omitted]
-----END PGP PUBLIC KEY BLOCK-----
EOF
sudo apt update

madzohan commented 2 years ago

@rauldipeas the official needed key is stored here https://book.keybase.io/docs/server/our-code-signing-key

You can check the fingerprint to make sure you have an identical one

gpg --show-keys /usr/share/keyrings/keybase-keyring.gpg 
pub   rsa4096 2013-11-19 [SC] [expires: 2027-11-11]
      222B85B0F90BE2D24CFEB93F47484E50656D16C7
uid                      Keybase.io Code Signing (v1) <code@keybase.io>
sub   rsa4096 2013-11-19 [E] [expires: 2027-11-11]
# If you have no keybase installed, get key
curl -fsSL https://keybase.io/docs/server_security/code_signing_key.asc | sudo gpg --dearmor | sudo tee /usr/share/keyrings/keybase-keyring.gpg
# or if you have installed and get deprecation warning on apt update
sudo apt-key export 656D16C7 | sudo gpg --dearmour -o /usr/share/keyrings/keybase-keyring.gpg
#####
echo "deb [signed-by=/usr/share/keyrings/keybase-keyring.gpg] http://prerelease.keybase.io/deb stable main" | sudo tee /etc/apt/sources.list.d/keybase.list
sudo apt-key del 656D16C7
sudo apt update
# sudo apt install keybase

rauldipeas commented 2 years ago

Thank You for the link!

Just for the record, there's no need to use tee after gpg --dearmor; you can use the -o option to write the output directly to any file.

curl -fsSL https://keybase.io/docs/server_security/code_signing_key.asc | sudo gpg --dearmor -o /usr/share/keyrings/keybase-keyring.gpg

julian-klode commented 2 years ago

JFTR, there's no need to dearmor either (gpg might in fact not be installed, that's the whole point of getting rid of apt-key), just make sure the filename ends with .asc if it's enarmored.

Espionage724 commented 2 years ago

Thanks for this tip!

I don't quite like using sudo with wget directly to an important directory, but here's a one-liner I use:

wget -O '/tmp/code_signing_key.asc' 'https://keybase.io/docs/server_security/code_signing_key.asc' && sudo mv '/tmp/code_signing_key.asc' '/etc/apt/trusted.gpg.d/keybase.asc' && sync

heronhaye commented 2 years ago

Thanks, we're aware of the issue and will try to get a fix out in a few weeks.

smcgu commented 2 years ago

When will this configuration be distributed? I'm still seeing Keybase using apt-key. Separately, I had manually replicated this process for a number of systems only to find that Keybase configures a daily cron job to re-install the key using apt-key (#25240).

Also, in case it matters, my vote is against putting the key under /etc/apt/trusted.gpg.d/ because that continues the insecure nature of allowing the key to be broadly trusted by the system and goes against current guidance/defaults to use /usr/share/keyrings. [1][2]

If future updates to the key will be managed by an apt/dpkg package as recommended below, then it SHOULD be downloaded into /usr/share/keyrings using the same filename that will be provided by the package. If it will be managed locally, it SHOULD be downloaded into /etc/apt/keyrings instead. [1]

Also, I'm not sure if you've seen this guidance @julian-klode in regards to guidance that keys should be dearmored.

The reason why we avoid ASCII-armored files is that they can only be used by SecureApt in version 1.4 or later (which appeared in stretch). We also strongly recommend the use of HTTPS as it bypasses certain MITM attacks that would allow a hostile third party to inject OpenPGP key material in the repository setup. [1]

[1] DebianRepository/UseThirdParty - Debian Wiki
[2] An exposed apt signing key and how to improve apt security

rphair commented 1 year ago

The problem still happens but (putting all the suggestions above together) I can convert the default installation into a compliant installation (assuming the keyid stays the same) with:

# apt-key export 656D16C7 > /usr/share/keyrings/keybase-keyring.asc
# cat > /etc/apt/sources.list.d/keybase.list
deb [signed-by=/usr/share/keyrings/keybase-keyring.asc] http://prerelease.keybase.io/deb stable main
# apt-key del 656D16C7
# apt update

Despite the deprecation warnings & what it says in the man page, apt-key is still functional in Ubuntu 22.10.
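
Added example, not part of any comment in this thread: the workarounds above select the key by its short ID (656D16C7), so this sketch checks the resulting keyring against the full fingerprint posted earlier and rejects a file holding any additional primary key. The function names and the sample colon-format records are constructed for illustration; only the fingerprint, key ID and uid come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): pin a keyring to one primary key.
# Fingerprint as posted above for "Keybase.io Code Signing (v1)".
EXPECTED_FPR=222B85B0F90BE2D24CFEB93F47484E50656D16C7

# primary_fprs: read `gpg --show-keys --with-colons` output on stdin and print
# each primary-key fingerprint (the fpr record that follows a pub record).
# Subkey fingerprints (fpr after sub) are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# keyring_is_pinned FPR: succeed only if stdin describes exactly one primary
# key and its fingerprint is FPR. An extra key fails the check as well, since
# every key in a signed-by keyring is trusted for that source.
keyring_is_pinned() {
    fprs=$(primary_fprs)
    [ "$fprs" = "$1" ]
}

# check_keyring_file FILE: the same check against a real file (needs gpg).
check_keyring_file() {
    gpg --show-keys --with-colons "$1" | keyring_is_pinned "$EXPECTED_FPR"
}

# Constructed sample of colon output: timestamps, the subkey ID and the
# subkey fingerprint are made up for illustration.
sample_ok() {
cat <<'EOF'
pub:-:4096:1:47484E50656D16C7:1384819200:1825977600::-:::scESC:
fpr:::::::::222B85B0F90BE2D24CFEB93F47484E50656D16C7:
uid:-::::1384819200::CONSTRUCTED::Keybase.io Code Signing (v1) <code@keybase.io>:
sub:-:4096:1:0000000000000001:1384819200:1825977600:::::e:
fpr:::::::::0000000000000000000000000000000000000001:
EOF
}

# With a path argument, check that file; otherwise check the built-in sample.
if [ "$#" -gt 0 ]; then
    check_keyring_file "$1" && echo "OK: $1" || { echo "MISMATCH: $1" >&2; exit 1; }
else
    sample_ok | keyring_is_pinned "$EXPECTED_FPR" && echo "sample: OK"
fi
```

Run it with the keyring path as its argument before pointing signed-by at the file; a non-zero exit means the file does not contain exactly the expected key.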

madzohan commented 1 year ago

@rphair it is recommended to store them in binary format gpg --dearmour -o ... also in case in future apt-key will be unavailable there is another trick to get the key :eyes: using gpg --keyserver

sudo gpg --keyserver pgpkeys.mit.edu --recv-key 656D16C7
sudo gpg -a --export 656D16C7 | sudo gpg --dearmour -o /usr/share/keyrings/keybase-keyring.gpg

julian-klode commented 1 year ago

The recommended action for 23.04 and forward will be a deb822 sources file with an embedded armoured key in the signed-by field.

Older releases do not show deb822 sources in software-properties and I think embedded key support started happening in 22.04 hence that wasn't practical before.

But then repo owners can provide a .sources file to drop in, run apt update and people can use it. So nice.

While technically not mandatory, the other plan was to upgrade existing .list files to deb822 .sources in 23.10, as it is sure nice to have uniform file formats.

I'll push updated guidance in various places once 23.04 is out

rphair commented 1 year ago

@madzohan: it is recommended to store them in binary format gpg --dearmour -o

Thanks... I scripted it that way because of this comment above (in case anyone else is unsure which format to use).

luke-hill commented 1 month ago

FYI 'my' installation instructions I have copied across 3 separate Ubuntu installs (18/20/24) are as follows....

curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb
sudo apt-get install -y ./keybase_amd64.deb
run_keybase
rm ./keybase_amd64.deb

At what point can I edit my quick install notes to not throw the warnings and/or is there something in script form that will do it? There seems to be a lot of discussion above for workarounds etc. - It would be good to know "the" correct way to do it.

Cheers

julian-klode commented 1 week ago

Final call, I rewrote the internal parts of apt to not call apt-key anymore yesterday, and drop installing it. It may land next week in Debian unstable and Ubuntu plucky development series.

Relatedly, a change to stop trusting trusted.gpg, where keybase's key resides, is also imminent. There have been deprecation messages for this for years as well. This will render existing keybase installs unable to upgrade.

This also contains the updated guidance for using embedded Signed-by in a .sources field.
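
Added example, not part of the thread and not Keybase's or APT's own tooling: a sketch of the deb822 .sources layout with an embedded armoured key in Signed-By, as described in the comments above on the 23.04 guidance and the final call. The function names and the placeholder key are constructed; the repository URI, suite and component are the ones quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: build a deb822 .sources stanza with the armoured key embedded
# in Signed-By. In a deb822 multi-line field every continuation line starts
# with a space, and an empty line is written as " ." so that the blank line
# inside the armour does not end the stanza.

# embed_key: armoured key on stdin, continuation lines on stdout.
embed_key() {
    tr -d '\r' | sed -e 's/^$/./' -e 's/^/ /'
}

# make_sources URI SUITE COMPONENTS: armoured key on stdin, stanza on stdout.
# Refuses input that does not look like an armoured public key block.
make_sources() {
    key=$(embed_key)
    case $key in
        *"-----BEGIN PGP PUBLIC KEY BLOCK-----"*"-----END PGP PUBLIC KEY BLOCK-----"*) ;;
        *) echo "make_sources: stdin is not an armoured public key" >&2
           return 1 ;;
    esac
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By:\n%s\n' \
        "$1" "$2" "$3" "$key"
}

# Constructed placeholder, NOT a real key: stands in for the armoured
# code_signing_key.asc file that the comments above download.
placeholder_key() {
cat <<'EOF'
-----BEGIN PGP PUBLIC KEY BLOCK-----

PLACEHOLDERKEYDATA
-----END PGP PUBLIC KEY BLOCK-----
EOF
}

# Demo: print the stanza for the repository line used in this thread.
# Real use: make_sources URI SUITE COMPONENTS < code_signing_key.asc
placeholder_key | make_sources http://prerelease.keybase.io/deb stable main
```

The stanza goes into a file ending in .sources under /etc/apt/sources.list.d/, replacing the one-line .list entry for the same repository.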