open-eid / linux-installer

Ubuntu meta package

Define verification key in apt repository description #99

Closed ivokub closed 2 years ago

ivokub commented 2 years ago

Instead of installing the key for verifying the repository contents in the global keystore, it should be stored in file system and described in apt repository header. See warning when updating:

W: https://installer.id.ee/media/ubuntu/dists/impish/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

metsma commented 2 years ago

The recent version script already installs to file "/etc/apt/trusted.gpg.d/ria-repository.gpg". https://github.com/open-eid/linux-installer/blob/master/install-open-eid.sh#L68

ivokub commented 2 years ago

Yes, but as I have understood, then this is not the recommended approach anymore, see https://wiki.debian.org/DebianRepository/UseThirdParty#OpenPGP_Key_distribution.

Essentially, the problem is that the keys in /etc/apt/trusted.gpg.d/ are trusted to verify all repositories (which do not have signed-by set). This means that the third-party repo maintainer could potentially inject malicious packages. Now the recommended approach is to have a per-repository key. For that, the keys should be loaded not into /etc/apt/trusted.gpg.d/ but to any other place in the filesystem (and the current consensus being /usr/share/keyrings) and then indicate in the sources.list.d entry which key should be used to verify the package signatures:

deb [signed-by=/usr/share/keyrings/deriv-archive-keyring.gpg] https://deriv.example.net/debian/ stable main

See also Stackoverflow answer which explains it quite well.
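The migration described in the comment above, as an added example that is not code from open-eid/linux-installer: it moves a keyring out of the globally trusted /etc/apt/trusted.gpg.d/ into /usr/share/keyrings and writes a sources.list.d entry that pins the key with signed-by. Directory roots are passed as parameters so it can be run against a scratch tree; the repository URL, suite and component used in the demo are placeholders, not the project's.

```shell
# signed_by_source_line KEYRING URL SUITE COMPONENTS
# Prints the sources.list.d entry that restricts verification of this
# repository to KEYRING (the format quoted from the Debian wiki above).
signed_by_source_line() {
  printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# migrate_repo_key APTDIR KEYRINGDIR NAME LISTFILE URL SUITE COMPONENTS
# Moves APTDIR/trusted.gpg.d/NAME (trusted for every repository) to
# KEYRINGDIR/NAME (trusted only where a source names it) and rewrites
# APTDIR/sources.list.d/LISTFILE to point at it. Returns 1 when the key is
# not in the global directory, so the caller never ends up with a source
# whose signed-by path does not exist.
migrate_repo_key() {
  aptdir="$1"; keyringdir="$2"; name="$3"; listfile="$4"
  url="$5"; suite="$6"; components="$7"
  old="$aptdir/trusted.gpg.d/$name"
  new="$keyringdir/$name"
  [ -f "$old" ] || return 1
  mkdir -p "$keyringdir" "$aptdir/sources.list.d"
  mv "$old" "$new"
  chmod 0644 "$new"   # apt's unprivileged fetch helper must be able to read it
  signed_by_source_line "$new" "$url" "$suite" "$components" \
    > "$aptdir/sources.list.d/$listfile"
}

# global_keyring_clean APTDIR NAME
# Succeeds when neither the legacy trusted.gpg file nor trusted.gpg.d/NAME
# remains, i.e. the key is no longer trusted for all repositories.
global_keyring_clean() {
  [ ! -e "$1/trusted.gpg" ] && [ ! -e "$1/trusted.gpg.d/$2" ]
}

# Demonstration on a constructed scratch tree; the keyring content is
# placeholder bytes, not a real OpenPGP key, and the URL is a placeholder.
demo_migration() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/etc/apt/trusted.gpg.d"
  printf 'PLACEHOLDER-KEYRING-BYTES' \
    > "$tmp/etc/apt/trusted.gpg.d/example-repository.gpg"
  migrate_repo_key "$tmp/etc/apt" "$tmp/usr/share/keyrings" \
    example-repository.gpg example-repository.list \
    https://repo.example.net/ubuntu impish main
  global_keyring_clean "$tmp/etc/apt" example-repository.gpg \
    && cat "$tmp/etc/apt/sources.list.d/example-repository.list"
  rm -rf "$tmp"
}
```

Running `demo_migration` prints the rewritten source line; on a real system the same function would be called with /etc/apt and /usr/share/keyrings as root.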

metsma commented 2 years ago

Ok I see. Your previous comment referred to the other deprecated use case "trusted.gpg keyring (/etc/apt/trusted.gpg) .. apt-key". Addressed here: c28d44330267663f0fc04e40c2f82a63cd67230e

ivokub commented 2 years ago

Yes, I initially thought that the trusted.gpg file (which was used by apt-key) and the trusted.gpg.d directory are equivalent, but it seems these are independent deprecations.