#22148 closed task (fixed)
debian package: apt-key is deprecated; new installation commands need to be documented
Reported by: | skyper | Owned by: | team |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Wiki content | Version: | |
Keywords: | linux package install apt-key gpg security | Cc: |
Description (last modified by )
The command to download and store the gpg key for the Ubuntu package needs to be updated under Download, as apt-key add is deprecated as insecure, see https://manpages.debian.org/testing/apt/apt-key.8.en.html.
According to https://wiki.debian.org/DebianRepository/UseThirdParty?action=show&redirect=RepositoryInstructions#OpenPGP_Key_distribution the key should not be ASCII-armored and should be stored in a separate directory beside /etc/apt/trusted.gpg.d/, e.g. /usr/local/share/keyring/, which might not exist so far, see https://wiki.debian.org/DebianRepository/UseThirdParty?action=show&redirect=RepositoryInstructions#Sources.list_entry
As this change only changed the commands but not the underlying security issue, I reverted it.
I only tested below on plain Debian, please, recheck on Ubuntu.
- The command to remove the key from /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/ is something like
    sudo apt-key del $(apt-key list | grep -B1 "<josm-dev@openstreetmap.org>" | sed '$d' | cut -b 48-51,53-57)
- the key should be added to a local directory
    sudo mkdir /usr/local/share/keyrings
    wget -q https://josm.openstreetmap.de/josm-apt.key -O- | sudo gpg --dearmor > /usr/local/share/keyrings/josm.gpg
- the path to the gpg key file needs to be added to the sources.list entry:
    echo deb [signed-by=/usr/local/share/keyrings/josm.gpg] https://josm.openstreetmap.de/apt $(lsb_release -sc) universe | sudo tee /etc/apt/sources.list.d/josm.list > /dev/null
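As an added example (not code from this ticket or from JOSM), the key-handling steps above done in Python rather than a shell pipeline: it strips the ASCII armor the way `gpg --dearmor` does, including the RFC 4880 CRC-24 check on the armored body, writes the binary keyring into a keyring directory that is created if missing, and emits the matching signed-by sources entry. The `armor`, `install` and `sources_entry` names, the constructed sample key bytes and the paths passed in are assumptions for illustration; `armor` exists only to build the sample.

```python
import base64
from pathlib import Path

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # RFC 4880 section 6.1
ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """CRC-24 that guards the armored body against corruption in transit."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc = (crc << 1) ^ CRC24_POLY if crc & 0x800000 else crc << 1
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Strip ASCII armor and check its CRC-24 (what `gpg --dearmor` does);
    the result is the binary keyring apt expects behind signed-by."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    if len(lines) < 3 or lines[0] != ARMOR_BEGIN or not lines[-1].startswith("-----END"):
        raise ValueError("not an ASCII-armored public key block")
    body = lines[1:-1]
    if "" in body:                      # optional armor headers end at a blank line
        body = body[body.index("") + 1:]
    expected = None
    if body and body[-1].startswith("="):   # "=XXXX" is the base64 of the 3-byte CRC
        expected = int.from_bytes(base64.b64decode(body.pop()[1:], validate=True), "big")
    data = base64.b64decode("".join(body), validate=True)
    if expected is not None and crc24(data) != expected:
        raise ValueError("armor checksum mismatch: key data corrupted or tampered")
    return data

def armor(data: bytes) -> str:
    """Inverse of dearmor; used here only to build a constructed sample key."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"{ARMOR_BEGIN}\n\n{body}\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----\n"

def sources_entry(keyring: Path, url: str, suite: str, component: str = "universe") -> str:
    """The sources.list line from the ticket, binding the repo to its own keyring."""
    return f"deb [signed-by={keyring}] {url} {suite} {component}\n"

def install(armored: str, keyring: Path, list_file: Path, url: str, suite: str) -> str:
    """Write the binary keyring (creating its directory) and the .list file; root is needed for the real paths."""
    keyring.parent.mkdir(parents=True, exist_ok=True)  # e.g. /usr/local/share/keyrings
    keyring.write_bytes(dearmor(armored))
    entry = sources_entry(keyring, url, suite)
    list_file.write_text(entry)
    return entry
```

Because the program itself opens the destination files, running it as root involves no shell redirection, so the sudo/`>` pitfall discussed later in this ticket does not arise.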
Change History (11)
comment:1 by , 3 years ago
Description: | modified (diff) |
---|
comment:2 by , 3 years ago
Description: | modified (diff) |
---|
comment:3 by , 3 years ago
Description: | modified (diff) |
---|
comment:4 by , 3 years ago
Description: | modified (diff) |
---|
comment:5 by , 3 years ago
Description: | modified (diff) |
---|
follow-up: 7 comment:6 by , 3 years ago
comment:7 by , 3 years ago
Replying to taylor.smock:
FTR, here is a docker file I made for testing the validate command:
    FROM debian:latest
    # apt reads /etc/apt/sources.list.d/, so the entry goes there
    RUN mkdir -p /etc/apt/sources.list.d/ && \
        apt-get update && \
        apt-get install -y wget gnupg2 && \
        wget -q https://josm.openstreetmap.de/josm-apt.key -O- | gpg --dearmor > /usr/share/keyrings/josm.gpg && \
        echo 'deb [signed-by=/usr/share/keyrings/josm.gpg] https://josm.openstreetmap.de/apt alldist universe' >> /etc/apt/sources.list.d/josm && \
        apt-get update && \
        apt-get install -y josm && \
        apt-get clean
I still prefer /usr/local/share/keyrings/ over /usr/share/keyrings/. In my eyes, it is a cleaner separation and I remember problems with files being modified by dpkg under /usr/share/.
According to the man page, SOURCES.LIST(5), files under /etc/sources.list.d/ need a file extension, .list for our case.
    FROM debian:latest
    # apt reads /etc/apt/sources.list.d/; the file needs the .list extension
    RUN mkdir -p /etc/apt/sources.list.d/ /usr/local/share/keyrings/ && \
        apt-get update && \
        apt-get install -y wget gnupg && \
        wget -q https://josm.openstreetmap.de/josm-apt.key -O- | gpg --dearmor > /usr/local/share/keyrings/josm.gpg && \
        echo 'deb [signed-by=/usr/local/share/keyrings/josm.gpg] https://josm.openstreetmap.de/apt alldist universe' >> /etc/apt/sources.list.d/josm.list && \
        apt-get update && \
        apt-get install -y josm && \
        apt-get clean
I would expect the same instructions from Debian to work on Ubuntu. At least anything recent.
Why do we have all the code name directories for Ubuntu and alldist for all other distributions?
On my Debian systems sudo is not installed or restricted but it is default on Ubuntu.
Edit: gnupg2 is a dummy package installing gnupg.
comment:8 by , 3 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
I hope that I got everything correct and up-to-date now: diff
comment:9 by , 3 years ago
Quick comment: I just tried following the instructions on my Pi, and the gpg key instructions are kind of off.
    wget -q https://josm.openstreetmap.de/josm-apt.key -O- | sudo gpg --dearmor > /usr/local/share/keyrings/josm-apt.gpg
sudo does not translate through the >, so you would have to do something like this:
    wget -q https://josm.openstreetmap.de/josm-apt.key -O- | gpg --dearmor | sudo tee /usr/local/share/keyrings/josm-apt.gpg
With that said, it printed to terminal which kind of messes up the terminal...
But that might be a difference between gpg1 and gpg2.
comment:10 by , 3 years ago
Does
    wget -q https://josm.openstreetmap.de/josm-apt.key -O- | sudo gpg --dearmor -o /usr/local/share/keyrings/josm-apt.gpg
work?