ID: 0003601
Project: Site
Category: [All Projects] Documentation
View Status: public
Date Submitted: 2019-02-07 13:40
Last Update: 2019-02-12 13:47
OS: Debian GNU/Linux
Summary: 0003601: debian.drdteam.org suggests using deprecated "apt-key add" command
Quote from apt-key(8)
Steps To Reproduce:
Quote from https://debian.drdteam.org
Additional Information: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851774
edited on: 2019-02-07 13:45
I suggest the following syntax to fix this issue:
wget -qO - http://debian.drdteam.org/drdteam.gpg | sudo tee /etc/apt/trusted.gpg.d/drdteam.gpg | gpg -q -n --import --import-options import-show -
This will also dry-run GnuPG quietly to display the fingerprint for apt-secure(8) infrastructure. This requires GnuPG version 2.1.14 or later. No transitional package (gnupg2) is required in Debian, since Debian 9 (stretch).
(I didn't include HTTPS scheme here, as the original syntax doesn't either and apt can do fine securely with HTTP given apt-secure(8) precautions.)
edited on: 2019-02-07 16:43
By the way: GPG keyboxes are unsupported by apt(8) at this time. This means the following two variations of GPG commands are incompatible (and probably overengineered):
wget -qO - http://debian.drdteam.org/drdteam.gpg | sudo gpg -q --import --import-options import-show --primary-keyring /etc/apt/trusted.gpg.d/drdteam.gpg -
wget -qO - http://debian.drdteam.org/drdteam.gpg | sudo gpg -q --import --import-options import-show --no-default-keyring --keyring /etc/apt/trusted.gpg.d/drdteam.gpg -
The warning would be:
Should 0003610 be fixed as I expect it to be, the command should become:
wget -qO - http://debian.drdteam.org/drdteam.asc | sudo tee /etc/apt/trusted.gpg.d/drdteam.asc | gpg -q -n --import --import-options import-show -
If not, then the right choice (as a workaround) would be:
wget -qO - http://debian.drdteam.org/drdteam.gpg | sudo tee /etc/apt/trusted.gpg.d/drdteam.asc | gpg -q -n --import --import-options import-show -
Is the gpg import line actually needed? Experimenting with a docker container it seems that just adding the key to trusted.gpg.d is enough?
Quote from Blzut3
TL;DR: I think so?
In the unlikely event that the debian.drdteam.org server were compromised by a third party, displaying the fingerprints and verifying them against some chain of trust (OpenPGP signatures or documentation in Doomseeker, for example) via the GPG dry-run import line may mitigate the effectiveness of such an attack. apt-key add also wouldn't display the fingerprint.
The man page says:
Quote from apt-key(8)
In the unlikely event that the HTTPS website is also unavailable or blocked at a site, the same principle of key fingerprint verification would also apply to connections over insecure HTTP.
I believe it's better than blindly trusting the key. https:// may provide some additional security (0003606), on the assumption the webserver/HTTP(s) proxy is configured securely.
I'm probably going to actually end up submitting a package to Debian soon, called drdteam-archive-keyring.
Debian's soft freeze is tomorrow, so this won't make it to the next stable release however. It will be available from testing and unstable initially, maybe later backported to stretch-backports if feasible.
Additionally, I'd like the drdteam-archive-keyring to prompt for a question "do you want to install drdteam.list to /etc/apt/sources.list.d?" with debconf. I'll do that, for convenience.
By the way, ignore my suggestions too: Keys added to /etc/apt/trusted.gpg.d are valid signing keys for all repositories, including the main ones from your operating system. Yikes!
Fortunately, there is /usr/share/keyrings. I'll hope to set that up soon.
(oops, meant to post this yesterday)
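As an added example (not code from this thread or from the drdteam project) of the direction the last note points at: install the key under /usr/share/keyrings rather than /etc/apt/trusted.gpg.d, bind it to a single repository with [signed-by=...], and refuse to install it unless the fingerprint shown by the dry-run import matches one obtained out of band. The key URL is the one from the thread; the expected fingerprint, the keyring file name, and the SUITE/COMPONENT names in the sources entry are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: put a third-party archive key in
# /usr/share/keyrings (not /etc/apt/trusted.gpg.d, where it would sign for
# every repository) and bind it to one repository with [signed-by=...].
# EXPECTED_FPR is a PLACEHOLDER: replace it with a fingerprint obtained out
# of band. SUITE/COMPONENT in the sources entry are placeholders as well.
set -eu

KEY_URL="http://debian.drdteam.org/drdteam.gpg"
KEYRING="/usr/share/keyrings/drdteam-archive-keyring.gpg"
LIST="/etc/apt/sources.list.d/drdteam.list"
EXPECTED_FPR="0000000000000000000000000000000000000000"   # placeholder

# Read "gpg --with-colons" output on stdin and print the fingerprint of each
# primary key: the "fpr" record (field 10) that directly follows a "pub" record.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }
             $1 == "sub" { want = 0 }'
}

# Succeed only if exactly one primary key is present and it matches
# EXPECTED_FPR, so an extra key cannot ride along with the expected one.
check_fingerprint() {
    fprs=$(primary_fingerprints)
    [ "$(printf '%s\n' "$fprs" | grep -c .)" -eq 1 ] || return 1
    [ "$fprs" = "$EXPECTED_FPR" ]
}

# sources.list.d line restricted to KEYRING; $1 = suite, $2 = component.
sources_entry() {
    printf 'deb [signed-by=%s] http://debian.drdteam.org/ %s %s\n' "$KEYRING" "$1" "$2"
}

install_key() {
    tmp=$(mktemp)
    wget -qO "$tmp" "$KEY_URL"
    # Dry-run import (GnuPG >= 2.1.14) shows the keys without storing them.
    if gpg -q -n --with-colons --import --import-options import-show "$tmp" \
            | check_fingerprint; then
        install -m 0644 "$tmp" "$KEYRING"
        sources_entry SUITE COMPONENT > "$LIST"
        rm -f "$tmp"
    else
        rm -f "$tmp"
        echo "fingerprint mismatch: key not installed" >&2
        exit 1
    fi
}
case "${1:-}" in --install) install_key ;; esac
```

Run with `--install` as root; without the flag the script only defines the functions, so the fingerprint check can be exercised on saved `gpg --with-colons` output first.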
2019-02-07 13:40  WubTheCaptain  New Issue
2019-02-07 13:44  WubTheCaptain  Note Added: 0020339
2019-02-07 13:45  WubTheCaptain  Note Edited: 0020339
2019-02-07 15:25  WubTheCaptain  Note Added: 0020344
2019-02-07 16:43  WubTheCaptain  Note Edited: 0020344
2019-02-07 16:59  WubTheCaptain  Note Added: 0020350
2019-02-10 07:39  Blzut3         Note Added: 0020357
2019-02-10 07:39  Blzut3         Assigned To => Blzut3
2019-02-10 07:39  Blzut3         Status: new => feedback
2019-02-11 14:26  WubTheCaptain  Note Added: 0020361
2019-02-11 14:26  WubTheCaptain  Status: feedback => assigned
2019-02-11 22:45  WubTheCaptain  Note Added: 0020383
2019-02-12 00:05  WubTheCaptain  Note Added: 0020384
2019-02-12 13:47  WubTheCaptain  Note Added: 0020385