Logic, updated 2023-02-07T19:23:31Z. Tags: console, Debian, Security, Ubuntu
This article explains how to safely add third-party OpenPGP keys and APT repositories on Debian, Ubuntu and Linux distributions based on them, like Linux Mint, Pop!_OS, Elementary OS, etc., to replace the deprecated apt-key.
If you try to add an APT repository key with apt-key on Debian, Ubuntu and Linux distributions based on them, you will see the following message: "Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8))." Some recent Ubuntu versions also display a warning when a legacy key is used: "W: (...) Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details."
The apt-key man page mentions that "Use of apt-key is deprecated, except for the use of apt-key del in maintainer scripts to remove existing keys from the main keyring." What's more, "apt-key(8) will last be available in Debian 11 and Ubuntu 22.04."
The reason for this change is that when an OpenPGP key used to sign an APT repository is added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, APT trusts that key unconditionally for every other repository configured on the system that has no signed-by option (see below), including the official Debian/Ubuntu repositories. As a result, any unofficial APT repository whose signing key has been added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any package on the system. This change was therefore made for security reasons (your safety).
It's also worth noting that while the apt-key deprecation notice says "Manage keyring files in trusted.gpg.d instead", the Debian Wiki says otherwise. That's because adding OpenPGP keys to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d is equally unsafe, as explained above.
You can keep using apt-key for now, as it still works. However, it would be a good idea to start switching to signed-by, as explained below, especially if you maintain a third-party repository.
So what is the right and safe way to add third-party (unofficial) repositories and their OpenPGP signing keys on Debian, Ubuntu and Linux distributions based on them, like Linux Mint, Pop!_OS, Elementary OS, etc., now that apt-key is deprecated?
1. Download the APT repository key
According to the Debian Wiki, the key should be downloaded over HTTPS to a location that only root can write to, for example /usr/share/keyrings. The key file name should contain a short name describing the repository, followed by -archive-keyring.gpg. For example, when the repository is called myrepository, the key file should be named myrepository-archive-keyring.gpg.
The OpenPGP key file may or may not be ASCII-armored. To check whether a key file is ASCII-armored, download it and run this command (note that the key's extension may be .gpg, .asc, .key and probably others):
file <repo-key>.gpg
If the output of this command resembles the following, the key is ASCII-armored:
repo-key.gpg: PGP public key block Public-Key (old)
Here's how to properly and securely download and add a repository signing key to your system:
- For ASCII-armored OpenPGP keys
To download an OpenPGP key with wget and add it to your system, use:
wget -O- https://example.com/key/repo-key.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/<myrepository>-archive-keyring.gpg
What everything in this command means:
wget downloads the key from https://example.com/key/repo-key.gpg and sends it to stdout (-O-). Replace the URL here with the URL of the key you want to download and add to your system.
gpg --dearmor: gpg is the OpenPGP encryption and signing tool; its --dearmor option unpacks the input from OpenPGP ASCII armor into binary form.
sudo tee /usr/share/keyrings/<myrepository>-archive-keyring.gpg: as superuser (sudo), reads standard input, which in this case is the output of gpg --dearmor, and writes it to the /usr/share/keyrings/<myrepository>-archive-keyring.gpg file. Replace <myrepository> with a friendly name for the repository whose key you're adding.
For example, to add the Signal app's APT repository key, you would use:
wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | sudo tee /usr/share/keyrings/signal-archive-keyring.gpg
Or use the command given as an example on the Debian Wiki (note that you need to run it as root, e.g. after running sudo -i; it uses curl instead of wget to download the key):
curl https://example.com/key/repo-key.gpg | gpg --dearmor > /usr/share/keyrings/<myrepository>-archive-keyring.gpg
Example of using this command to add the Signal APT repository key:
curl https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > /usr/share/keyrings/signal-archive-keyring.gpg
- For non-ASCII-armored OpenPGP keys
Download the OpenPGP key with wget and add it to your system with:
wget -O- https://example.com/key/repo-key.gpg | sudo tee /usr/share/keyrings/<myrepository>-archive-keyring.gpg
Or use the command given as an example on the Debian Wiki (note that you need to run it as root, e.g. after running sudo -i):
wget -O /usr/share/keyrings/<myrepository>-archive-keyring.gpg https://example.com/key/repo-key.gpg
I didn't add an example here because I couldn't find any third-party repository that uses a non-ASCII-armored OpenPGP key.
- How to import OpenPGP keys directly from a key server into a file in /usr/share/keyrings:
sudo gpg --no-default-keyring --keyring /usr/share/keyrings/<myrepository>-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys <fingerprint>
Instead of hkp://keyserver.ubuntu.com:80, you can also use a different key server if you want.
Example where we import the OpenPGP key of the Linux Uprising Shutter PPA into /usr/share/keyrings/linux-uprising-shutter-archive-keyring.gpg (the fingerprint can be obtained by clicking the green "Technical details about this PPA" link on the PPA page; it's listed under "Add this PPA to your system"):
sudo gpg --no-default-keyring --keyring /usr/share/keyrings/linux-uprising-shutter-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 1CC3D16E460A94EE17FE581CEA8CACC073C3DB2A
2. Add the sources.list repository entry
The third-party repository's sources.list entries must be added in the /etc/apt/sources.list.d directory, not directly in the /etc/apt/sources.list file.
Previously, a sources.list file created in the /etc/apt/sources.list.d directory would look like this:
deb https://repository.example.com/debian/ stable main
However, to make use of the key added in step 1, the sources.list entry should now look like this (/etc/apt/sources.list.d/<myrepository>.list):
deb [signed-by=/usr/share/keyrings/<myrepository>-archive-keyring.gpg] https://repository.example.com/debian/ stable main
Here it's important to note that if you also want to add the arch=amd64 option along with signed-by, you must separate the two options with a space, like so:
deb [arch=amd64 signed-by=/usr/share/keyrings/<myrepository>-archive-keyring.gpg] https://repository.example.com/debian/ stable main
For example, to add the Signal repository to your Debian/Ubuntu system, create a file called signal.list in /etc/apt/sources.list.d (as root; for example, to open this file in the nano command line text editor: sudo nano /etc/apt/sources.list.d/signal.list) with the following content (provided you have already downloaded the key as described above to /usr/share/keyrings/signal-archive-keyring.gpg):
deb [arch=amd64 signed-by=/usr/share/keyrings/signal-archive-keyring.gpg] https://updates.signal.org/desktop/apt xenial main
Remember to run sudo apt update after adding a new repository and repository key, to update the software sources.
You can also add the repository in Deb822 file format, but in order not to complicate things further I won't explain it here. You can read about it on the Debian Wiki.
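The two steps above, as an added shell example that is not part of the original article or of Debian's own tooling: it fetches a key over HTTPS, de-armors it only when needed, installs it under /usr/share/keyrings, and prints the matching signed-by entry. It adds one check the article relies on but does not script: the key's primary fingerprint is compared against the fingerprint the repository owner publishes, and nothing is installed on a mismatch. It assumes wget, gpg (2.1.23 or newer, for --show-keys) and sudo are available; <EXPECTED_FINGERPRINT> in the usage lines is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original article or from Debian: installs a
# third-party repository key as in Step 1 and prints the Step 2 sources.list
# line, adding one check the article relies on but does not script: the
# downloaded key's primary fingerprint must equal the fingerprint published
# by the repository owner, otherwise nothing is installed.
set -eu

# 0 if the key file is ASCII-armored (what `file` reports as "PGP public key
# block"), 1 if it is already binary OpenPGP data.
is_armored() {
    grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1"
}

# Read `gpg --with-colons` output on stdin and print field 10 (the fingerprint)
# of the "fpr" record that follows each "pub" record, i.e. primary keys only.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0; next }
             { want = 0 }'
}

# sources_entry NAME URL SUITE COMPONENTS [ARCH]: the one-line entry from Step 2.
sources_entry() {
    opts="signed-by=/usr/share/keyrings/$1-archive-keyring.gpg"
    [ $# -ge 5 ] && opts="arch=$5 $opts"
    printf 'deb [%s] %s %s %s\n' "$opts" "$2" "$3" "$4"
}

# install_repo_key URL NAME EXPECTED_FINGERPRINT: fetch over HTTPS, de-armor if
# needed, verify, then install root-owned and world-readable (the keyring must
# be readable by the unprivileged _apt user) under /usr/share/keyrings.
install_repo_key() {
    tmp=$(mktemp); trap 'rm -f "$tmp" "$tmp.bin"' EXIT
    wget -q -O "$tmp" "$1"
    if is_armored "$tmp"; then gpg --dearmor < "$tmp" > "$tmp.bin"; else cp "$tmp" "$tmp.bin"; fi
    got=$(gpg --show-keys --with-colons "$tmp.bin" | primary_fingerprints)
    # Exactly one primary key, and it must be the expected one.
    if [ "$got" != "$3" ]; then
        echo "fingerprint mismatch for $1: got '$got', expected '$3'" >&2
        return 1
    fi
    sudo install -o root -g root -m 0644 "$tmp.bin" "/usr/share/keyrings/$2-archive-keyring.gpg"
}

# Usage with the article's Signal example; <EXPECTED_FINGERPRINT> is a placeholder
# to be taken from Signal's own documentation, not a value from this article:
# install_repo_key https://updates.signal.org/desktop/apt/keys.asc signal <EXPECTED_FINGERPRINT>
# sources_entry signal https://updates.signal.org/desktop/apt xenial main amd64 | sudo tee /etc/apt/sources.list.d/signal.list
```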
How to remove an existing OpenPGP key added to the APT Trusted Keyring (/etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d)
If you add OpenPGP keys as described above, you should remove the same key from /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d if you added it there before. Otherwise there is no additional security benefit.
Removing existing OpenPGP keys from the /etc/apt/trusted.gpg.d directory should be fairly easy, because the key file names need to be descriptive. For example, the GPG key file name of the Tor repository in this directory on my system is deb.torproject.org-keyring.gpg. So to get rid of keys already added to /etc/apt/trusted.gpg.d, you only have to delete the key files. You must do this as root, so either open the file manager of your choice as root using admin:// (e.g. to open a location as root in Nautilus, press Ctrl + L so you can type in the address bar, and enter admin:///etc/apt/trusted.gpg.d) or delete them from the command line with:
sudo rm /etc/apt/trusted.gpg.d/<myrepository-keyring.gpg>
The instructions below also apply to removing keys from the /etc/apt/trusted.gpg.d directory.
As for removing APT GPG keys stored in /etc/apt/trusted.gpg, things are a bit more complicated. Use the following command to list all imported OpenPGP APT keys from both /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d:
apt-key list
The keys stored in /etc/apt/trusted.gpg should appear at the top, followed by the keys from the /etc/apt/trusted.gpg.d directory. You have to check the key uid to find the key you want to delete. Typically, the uid shows the company or user who signed the key, followed by their email address.
Keys from /etc/apt/trusted.gpg are listed by apt-key list as follows (example):
pub   rsa4096 2016-04-22 [SC]
      B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF
uid           [ unknown] Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>
sub   rsa4096 2016-04-22 [ES]
The key ID is the last 8 characters of the GPG key fingerprint (so in this example, 2980AECF).
To delete a key (from either /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d), you can now use:
sudo apt-key del <KEY ID>
For example, to remove the key from the example above, you would use:
sudo apt-key del 2980AECF
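To check whether a system still has the problem this section cleans up, here is an added audit script (not from the original article): it reports repository entries that carry no signed-by, and therefore accept a signature from any globally trusted key, and lists the globally trusted keyrings themselves (the legacy /etc/apt/trusted.gpg plus the files in /etc/apt/trusted.gpg.d). It also covers Deb822 .sources stanzas without a Signed-By: field, which the article mentions but does not detail. The /etc/apt path is a parameter so the functions can be run against a copied or constructed tree; only awk and a POSIX shell are assumed.

```shell
#!/bin/sh
# Added example, not from the original article: audit an APT configuration for
# the two conditions the article describes. It lists (1) repository entries with
# no signed-by, which therefore accept a signature from any globally trusted
# key, and (2) the globally trusted keyrings themselves: the legacy
# /etc/apt/trusted.gpg plus everything in /etc/apt/trusted.gpg.d. The /etc/apt
# path is a parameter so the functions can also run against a constructed tree.
set -eu

# One-line-style entries (deb / deb-src) in the given .list files that carry no
# signed-by= option. Comment lines never match because they do not start with deb.
unsigned_list_entries() {      # $@ = .list files; missing ones are skipped
    for f in "$@"; do
        [ -e "$f" ] || continue
        awk -v file="$f" '/^[ \t]*deb(-src)?[ \t]/ && $0 !~ /signed-by=/ {
            print file ": " $0 }' "$f"
    done
}

# Deb822 stanzas in *.sources files without a Signed-By: field. RS="" makes awk
# read one blank-line-separated stanza per record; the first URI is printed.
unsigned_deb822_entries() {    # $1 = directory holding .sources files
    for f in "$1"/*.sources; do
        [ -e "$f" ] || continue
        awk -v file="$f" 'BEGIN { RS = "" }
            $0 !~ /Signed-By:/ { for (i = 1; i <= NF; i++)
                if ($i == "URIs:") print file ": " $(i + 1) }' "$f"
    done
}

# Every keyring APT trusts for all of the entries reported above.
global_keyrings() {            # $1 = the /etc/apt directory to inspect
    [ -e "$1/trusted.gpg" ] && echo "$1/trusted.gpg"
    for f in "$1"/trusted.gpg.d/*; do [ -e "$f" ] && echo "$f"; done
    return 0
}

# Full report for one /etc/apt tree (defaults to the live system).
audit_apt() {
    apt_dir=${1:-/etc/apt}
    echo "Entries without signed-by (any globally trusted key can sign them):"
    unsigned_list_entries "$apt_dir/sources.list" "$apt_dir"/sources.list.d/*.list
    unsigned_deb822_entries "$apt_dir/sources.list.d"
    echo "Globally trusted keyrings (each one is accepted for every entry above):"
    global_keyrings "$apt_dir"
}

# audit_apt            # inspect the running system
# audit_apt /tmp/apt   # inspect a copied or constructed /etc/apt tree
```

Official Debian/Ubuntu entries in /etc/apt/sources.list normally appear in the first list, since they rely on the distribution keyring in trusted.gpg.d; the point of the report is that every third-party key in the second list is accepted for those entries too.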
References:
- https://wiki.debian.org/DebianRepository/UseThirdParty
- https://askubuntu.com/a/1307181/1149075
- https://zebnemeth.wordpress.com/2021/01/15/install-signal-desktop-using-gpg/
- https://github.com/docker/docker.github.io/issues/11625
Thanks to /u/ZebNemeth for the suggestion!