wireapp / wire-desktop

:computer: Wire for desktop
https://wire.com/download/
GNU General Public License v3.0

apt-key is deprecated #8309

Open ChillerDragon opened 1 month ago

ChillerDragon commented 1 month ago

The wiki mentions

    wget -q https://wire-app.wire.com/linux/releases.key -O- | sudo apt-key add -

Which throws a warning on my system (Debian 12)

    $ wget -q https://wire-app.wire.com/linux/releases.key -O- | sudo apt-key add -
    Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
    OK

RogueScholar commented 4 weeks ago

Good catch. I'd just update the wiki with this myself, but since it's locked down, here's how that page should read to reflect current APT best practices (including the transition to DEB822 sources files). A copy of the raw Markdown used to create this post is included at the bottom of this post for convenient copying and pasting in the Wiki by someone with the necessary permissions to do so.

  1. Ensure that the packages needed to securely access our repository and validate its signatures are installed:

    sudo apt --install-suggests --update --yes install apt-transport-https debsig-verify software-properties-common

  2. Import our PGP package signing key into an APT keyring so our repository can be trusted as a package source:

    sudo mkdir -pv /etc/apt/keyrings
    # gnupg-ring: forces the legacy keyring format; GnuPG 2.1+ otherwise creates a new
    # file as a keybox, which APT does not accept as a keyring.
    wget -O- "https://wire-app.wire.com/linux/releases.key" | sudo gpg --batch --no-default-keyring \
     --keyring gnupg-ring:/etc/apt/keyrings/wireapp.gpg --import -
    sudo chmod -c 0644 /etc/apt/keyrings/wireapp.gpg

  3. Make a copy of our bare package signing key from the new APT keyring file for debsig-verify to use:

    sudo mkdir -pv /usr/share/debsig/keyrings/D599C1AA126762B1
    sudo gpg --batch --no-default-keyring --keyring /etc/apt/keyrings/wireapp.gpg \
     --output /usr/share/debsig/keyrings/D599C1AA126762B1/debsig.gpg \
     --export ABBA007D6E14E2DB5B283C45D599C1AA126762B1
    sudo chmod -c 0644 /usr/share/debsig/keyrings/D599C1AA126762B1/debsig.gpg

  4. Create a DEB822-style .sources file in /etc/apt/sources.list.d for APT to add our repository as a source:

    echo 'Enabled: yes
    Types: deb
    Architectures: amd64
    Signed-by: /etc/apt/keyrings/wireapp.gpg
    URIs: https://wire-app.wire.com/linux/debian
    Suites: stable
    Components: main' | sudo tee /etc/apt/sources.list.d/wireapp.sources >/dev/null
    sudo chmod -c 0644 /etc/apt/sources.list.d/wireapp.sources

  5. Create a debsig policy file to block the installation of any wire-desktop package not signed by us:

    sudo mkdir -pv /etc/debsig/policies/D599C1AA126762B1
    echo '<?xml version="1.0"?>
    <!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
    <Policy xmlns="https://www.debian.org/debsig/1.0/">
     <Origin Name="Wire" id="D599C1AA126762B1" Description="Secure synchronous messaging application" />
     <Selection>
       <Required Type="origin" File="debsig.gpg" id="D599C1AA126762B1" />
     </Selection>
     <Verification MinOptional="0">
       <Required Type="origin" File="debsig.gpg" id="D599C1AA126762B1" />
     </Verification>
    </Policy>' | sudo tee /etc/debsig/policies/D599C1AA126762B1/wire-desktop.pol >/dev/null
    sudo chmod -c 0644 /etc/debsig/policies/D599C1AA126762B1/wire-desktop.pol

  6. Install the Wire desktop app using APT (after first updating its available packages list):

    sudo apt --update --yes install wire-desktop

Raw Markdown of updated Wiki documentation:

````text
1. Ensure that the packages needed to securely access our repository and validate its signatures are installed:

   ```sh
   sudo apt --install-suggests --update --yes install apt-transport-https debsig-verify
   ```

2. Import our PGP package signing key to allow APT to trust our repository and the packages in it:

   ```sh
   sudo mkdir -pv /etc/apt/keyrings
   # gnupg-ring: forces the legacy keyring format; GnuPG 2.1+ otherwise creates a new
   # file as a keybox, which APT does not accept as a keyring.
   wget -O- "https://wire-app.wire.com/linux/releases.key" | sudo gpg --batch --no-default-keyring \
    --keyring gnupg-ring:/etc/apt/keyrings/wireapp.gpg --import -
   sudo chmod -c 0644 /etc/apt/keyrings/wireapp.gpg
   ```

3. Make a copy of our bare package signing key for `debsig-verify` from the new APT keyring file:

   ```sh
   sudo mkdir -pv /usr/share/debsig/keyrings/D599C1AA126762B1
   sudo gpg --batch --no-default-keyring --keyring /etc/apt/keyrings/wireapp.gpg \
    --output /usr/share/debsig/keyrings/D599C1AA126762B1/debsig.gpg \
    --export ABBA007D6E14E2DB5B283C45D599C1AA126762B1
   sudo chmod -c 0644 /usr/share/debsig/keyrings/D599C1AA126762B1/debsig.gpg
   ```

4. Create a DEB822-style .sources file in `/etc/apt/sources.list.d` for APT to add our repository as a source:

   ```sh
   echo 'Enabled: yes
   Types: deb
   Architectures: amd64
   Signed-by: /etc/apt/keyrings/wireapp.gpg
   URIs: https://wire-app.wire.com/linux/debian
   Suites: stable
   Components: main' | sudo tee /etc/apt/sources.list.d/wireapp.sources >/dev/null
   sudo chmod -c 0644 /etc/apt/sources.list.d/wireapp.sources
   ```

5. Create a debsig policy file to block the installation of any `wire-desktop` package not signed by us:

   ```sh
   sudo mkdir -pv /etc/debsig/policies/D599C1AA126762B1
   echo ' ' | sudo tee /etc/debsig/policies/D599C1AA126762B1/wire-desktop.pol >/dev/null
   sudo chmod -c 0644 /etc/debsig/policies/D599C1AA126762B1/wire-desktop.pol
   ```

6. Install the Wire desktop app using APT (after first updating its available packages list):

   ```sh
   sudo apt --update --yes install wire-desktop
   ```
````

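The files written in steps 2 and 4 above can be audited before the package is installed. The following is an added example, not part of the thread or of the Wire project's documentation: it checks that the keyring is not a GnuPG keybox (which APT ignores), that it holds only the key whose fingerprint appears in step 3, and that the `.sources` stanza is pinned to that keyring. The function names are hypothetical, and `audit` assumes `gpg` is installed.

```sh
#!/bin/sh
# Added example (not from the thread): audit the files written by steps 2 and 4.
# Fingerprint and paths are the ones given in the post; function names are hypothetical.
EXPECTED_FPR="ABBA007D6E14E2DB5B283C45D599C1AA126762B1"

# Read `gpg --with-colons` output on stdin and print each primary key's fingerprint.
# The "fpr" record that directly follows a "pub" record carries it in field 10.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the key file holds exactly one primary key, with the expected fingerprint.
key_file_matches() {  # $1 = key file, $2 = expected fingerprint
    found=$(gpg --batch --show-keys --with-colons "$1" 2>/dev/null | primary_fprs)
    [ "$found" = "$2" ]
}

# Succeed if the file is a GnuPG keybox: magic "KBXf" at byte offset 8.
is_keybox() {
    [ "$(dd if="$1" bs=1 skip=8 count=4 2>/dev/null | tr -d '\000')" = "KBXf" ]
}

# Print the Signed-By value of a DEB822 .sources file (field names are case-insensitive).
signed_by() {
    awk -F': *' 'tolower($1) == "signed-by" { print $2 }' "$1"
}

# Run all three checks against the files the post creates.
audit() {
    key=/etc/apt/keyrings/wireapp.gpg
    src=/etc/apt/sources.list.d/wireapp.sources
    if is_keybox "$key"; then echo "FAIL: $key is a keybox, APT will ignore it"; return 1; fi
    key_file_matches "$key" "$EXPECTED_FPR" || { echo "FAIL: unexpected key in $key"; return 1; }
    [ "$(signed_by "$src")" = "$key" ] || { echo "FAIL: $src not pinned to $key"; return 1; }
    echo "OK: $src is pinned to $EXPECTED_FPR"
}
```

Call `audit` after step 4; a non-zero return means the source should not be used until the reported file is corrected.
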
ChillerDragon commented 4 weeks ago

@RogueScholar cool thanks for looking into this. Are all those steps needed? Seems to be more than what I am used to. As a new user I would be intimidated by 6 walls of commands to install a program.