Closed 01100001 closed 2 years ago
To integrate correctly with apt, which stores individual keys in a backward-compatible PGP/GPG key public ring (v4) format in the directory /etc/apt/trusted.gpg.d/, two operations are required:
GPG keybox database version 1 format)
PGP/GPG key public ring (v4))
The following statement does it in one line but is hard to read here so is broken into the separate steps after:
KEY="11E9DE8848F2B65222AA75B8D1820DB22A11534E"; for cmd in "--keyserver hkps://keys.openpgp.org --recv-keys" "--output /etc/apt/trusted.gpg.d/weechat.gpg --export"; do sudo gpg --no-default-keyring --keyring /tmp/weechat.keyring $cmd $KEY; done
Separate steps shown for clarity:
KEY="11E9DE8848F2B65222AA75B8D1820DB22A11534E";
for cmd in "--keyserver hkps://keys.openpgp.org --recv-keys" \
"--output /etc/apt/trusted.gpg.d/weechat.gpg --export";
do sudo gpg --no-default-keyring --keyring /tmp/weechat.keyring $cmd $KEY;
done
This creates a temporary keybox keyring at /tmp/weechat.keyring and then exports the key from there to where apt expects to find it, /etc/apt/trusted.gpg.d/weechat.gpg.
$ file /tmp/weechat.keyring /etc/apt/trusted.gpg.d/weechat.gpg
/tmp/weechat.keyring: GPG keybox database version 1, created-at Sun Oct 24 11:14:28 2021, last-maintained Sun Oct 24 11:14:28 2021
/etc/apt/trusted.gpg.d/weechat.gpg: PGP/GPG key public ring (v4) created Sun Oct 11 08:02:10 2015 RSA (Encrypt or Sign) 4096 bits MPI=0xb7803826fbd30a65...
(Also provided for developer's convenience, at a glance.)
Incorporating @iam-TJ's suggestion, the documented instructions would look like (recommended):
sudo apt-get install dirmngr gpg-agent gpg apt-transport-https
sudo gpg # To initialize /root/.gnupg/ dir, then exit with Ctrl+C
KEY="11E9DE8848F2B65222AA75B8D1820DB22A11534E"; for cmd in "--keyserver hkps://keys.openpgp.org --recv-keys" "--output /etc/apt/trusted.gpg.d/weechat.gpg --export"; do sudo gpg --no-default-keyring --keyring /tmp/weechat.keyring $cmd $KEY; done
echo "deb https://weechat.org/debian bullseye main" | sudo tee /etc/apt/sources.list.d/weechat.list
echo "deb-src https://weechat.org/debian bullseye main" | sudo tee -a /etc/apt/sources.list.d/weechat.list
sudo apt update
sudo apt install weechat-curses weechat-plugins weechat-python weechat-perl
(Removing --no-default-keyring didn't work in the above case.)
vs. mine (only fixing default instructions in the documentation):
sudo apt-get install dirmngr gpg-agent gpg apt-transport-https
sudo mkdir -p /usr/local/share/keyrings
sudo gpg --keyring /usr/local/share/keyrings/weechat-archive-keyring.gpg --keyserver hkps://keys.openpgp.org --recv-keys 11E9DE8848F2B65222AA75B8D1820DB22A11534E
echo "deb [signed-by=/usr/local/share/keyrings/weechat-archive-keyring.gpg] https://weechat.org/debian bullseye main" | sudo tee /etc/apt/sources.list.d/weechat.list
echo "deb-src [signed-by=/usr/local/share/keyrings/weechat-archive-keyring.gpg] https://weechat.org/debian bullseye main" | sudo tee -a /etc/apt/sources.list.d/weechat.list
sudo apt update
sudo apt install weechat-curses weechat-plugins weechat-python weechat-perl
Or alternatively (as previously mentioned):
sudo apt-get install dirmngr gpg-agent gpg apt-transport-https
sudo mkdir -p /usr/local/share/keyrings
sudo gpg # To initialize /root/.gnupg/ dir, then exit with Ctrl+C
sudo gpg --no-default-keyring --keyring /usr/local/share/keyrings/weechat-archive-keyring.gpg --keyserver hkps://keys.openpgp.org --recv-keys 11E9DE8848F2B65222AA75B8D1820DB22A11534E
echo "deb [signed-by=/usr/local/share/keyrings/weechat-archive-keyring.gpg] https://weechat.org/debian bullseye main" | sudo tee /etc/apt/sources.list.d/weechat.list
echo "deb-src [signed-by=/usr/local/share/keyrings/weechat-archive-keyring.gpg] https://weechat.org/debian bullseye main" | sudo tee -a /etc/apt/sources.list.d/weechat.list
sudo apt update
sudo apt install weechat-curses weechat-plugins weechat-python weechat-perl
I am not sure gpg needs to be run as root. Wouldn't it be possible to import the key as an unprivileged user and then, through piping or output redirection, install the key in the required place?
Can something like how nodesource or vscode imports the GPG key be done here with weechat? Both download the key directly instead of receiving it from a keyserver. It seems like it makes it easier to move it around and import it into a new keyring that way.
Also, isn't the path for trusted keyrings in /usr/share/keyrings, not /usr/local/share/keyrings?
/usr/share/keyrings/ is for 'system' package-manager installed whereas /usr/local/share/keyrings/ would be the place for administrator installed additions; at least that is the usual convention for system-wide mixing that don't tread on each other.
It seems like /usr/share/keyrings is preferred, at least according to Debian docs. I guess it is not conclusive though. I do see a bunch of 3rd party repos like riot.im using that path instead of the /usr/local path.
For what it's worth, this is what I did to use the weechat repo on Debian. I modeled it to match the style of Running Visual Studio Code on Linux. Not sure if it's the best way but it seems like it works for me.
$ wget -q https://weechat.org/dev/info/debian_repository_signing_key -O weechat-archive-keyring.gpg
$ gpg --no-options --show-keys weechat-archive-keyring.gpg
pub rsa4096 2015-10-11 [SC]
11E9DE8848F2B65222AA75B8D1820DB22A11534E
uid WeeChat Debian Repository <debian@weechat.org>
sub rsa4096 2015-10-11 [E]
$ sudo install -o root -g root -m 644 weechat-archive-keyring.gpg /usr/share/keyrings/
$ sudo sh -c 'echo "deb [signed-by=/usr/share/keyrings/weechat-archive-keyring.gpg] https://weechat.org/debian bullseye main" > /etc/apt/sources.list.d/weechat.list'
$ cat /etc/apt/sources.list.d/weechat.list
deb [signed-by=/usr/share/keyrings/weechat-archive-keyring.gpg] https://weechat.org/debian bullseye main
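Added example, not part of the thread or of WeeChat's documentation: one way to do what the comments above ask for, checking a downloaded key file against the fingerprint quoted in this thread as an unprivileged user and using root only for the final copy. The function names, the throwaway GNUPGHOME and the sample colon-format records are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not from the thread. The fingerprint is the one quoted on the page.
EXPECTED_FPR="11E9DE8848F2B65222AA75B8D1820DB22A11534E"

# Constructed sample of `gpg --with-colons --show-keys` output (timestamps and
# subkey values are made up) so the parsing can be exercised without gpg.
SAMPLE_COLONS='pub:-:4096:1:D1820DB22A11534E:1444550530:::-:::scESC::::::23::0:
fpr:::::::::11E9DE8848F2B65222AA75B8D1820DB22A11534E:
uid:-::::1444550530::::WeeChat Debian Repository <debian@weechat.org>::::::::::0:
sub:-:4096:1:0000000000000001:1444550530::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000001:'

# Print the fingerprint (field 10 of the fpr record) of each primary key read
# from stdin; fpr records that belong to subkeys are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { primary = 1 }
             $1 == "sub" { primary = 0 }
             $1 == "fpr" && primary { print $10; primary = 0 }'
}

# Succeed only if stdin describes exactly one primary key whose fingerprint
# equals $1 (spaces and letter case in $1 are ignored).
fpr_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(primary_fprs)
    [ -n "$want" ] && [ "$got" = "$want" ]
}

# Check KEYFILE as the calling (unprivileged) user, then copy it to DEST.
# Only the final install runs under sudo.
install_repo_key() {   # usage: install_repo_key KEYFILE FINGERPRINT DEST
    home=$(mktemp -d) || return 1   # throwaway GNUPGHOME, ~/.gnupg is untouched
    if GNUPGHOME="$home" gpg --batch --no-options --with-colons \
            --show-keys "$1" | fpr_matches "$2"; then
        sudo install -o root -g root -m 644 "$1" "$3"
        rc=$?
    else
        echo "fingerprint check failed, not installing $1" >&2
        rc=1
    fi
    rm -rf "$home"
    return "$rc"
}

# Example call, using the file name and destination from the thread:
# install_repo_key weechat-archive-keyring.gpg "$EXPECTED_FPR" \
#     /usr/share/keyrings/weechat-archive-keyring.gpg
```

A file named in signed-by is trusted for every key it contains, which is why the check rejects a file that carries more than one primary key.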
Bug summary
Installation instructions at https://weechat.org/download/debian/ fail on Debian 11 "Bullseye" at least.
Issue starts with the required packages installation command provided
sudo apt-get install dirmngr gpg-agent apt-transport-https
as it doesn't install gpg itself.
Then the use of --no-default-keyring in the sudo gpg ... command that follows causes other errors due to it not allowing for the /root/.gnupg/ directory to be created.
(Couldn't have identified the issues without the help of the kind folks on #weechat IRC channel.)
Steps to reproduce
(Simply following instructions at https://weechat.org/download/debian/ for Debian 11 "Bullseye" and applying fixes as necessary. Output of the commands is shown indented after each command—where necessary, for clarity.)
Install required packages as per the documentation:
Import the GPG key used to sign the repositories:
Install gpg to fix the issue of missing package:
Run the command to import the GPG key used to sign the repositories — again:
It appears the /root/.gnupg/ directory isn't being created automatically by gpg due to use of the --no-default-keyring flag.
Current behavior
(See above. It's clearer if the output is shown with the commands so I added it above.)
Expected behavior
Installation should be possible by simply following the instructions in the documentation.
Suggested solutions
Include gpg among the packages to install, along with any other recommended packages.
Remove --no-default-keyring from the sudo gpg command.
Alternatively, user should simply run gpg and exit it (Ctrl + C) for /root/.gnupg/ directory to be created. Then the sudo gpg command, with the --no-default-keyring flag, should run without issues.
User could, of course, also create it manually, like so:
Additional information
N/A