
Opened 22 months ago

Closed 22 months ago

Last modified 22 months ago

#22148 closed task (fixed)

debian package: apt-key is deprecated; new installation commands need to be documented

Reported by: skyper
Owned by: team
Priority: major
Milestone:
Component: Wiki content
Version:
Keywords: linux package install apt-key gpg security
Cc:

Description (last modified by skyper)

The command to download and store the gpg key for the Ubuntu package needs to be updated under Download, as apt-key add is deprecated as insecure, see https://manpages.debian.org/testing/apt/apt-key.8.en.html.

According to https://wiki.debian.org/DebianRepository/UseThirdParty?action=show&redirect=RepositoryInstructions#OpenPGP_Key_distribution the key should not be ascii-armored and should be stored in a separate directory beside /etc/apt/trusted.gpg.d/, e.g. /usr/local/share/keyring/, which might not exist so far, see https://wiki.debian.org/DebianRepository/UseThirdParty?action=show&redirect=RepositoryInstructions#Sources.list_entry.

As this change only changed the commands but not the underlying security issue, I reverted it.


I only tested below on plain Debian, please, recheck on Ubuntu.

  • The command to remove the key from /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/ is something like
    sudo apt-key del $(apt-key list | grep -B1  "<josm-dev@openstreetmap.org>" | sed '$d' | cut -b 48-51,53-57)
    
  • the key should be added to a local directory
    sudo mkdir /usr/local/share/keyrings
    wget -q https://josm.openstreetmap.de/josm-apt.key -O- | sudo gpg --dearmor > /usr/local/share/keyrings/josm.gpg
    
  • the path to the gpg key file needs to be added to the source.list entry:
    echo deb [signed-by=/usr/local/share/keyrings/josm.gpg] https://josm.openstreetmap.de/apt $(lsb_release -sc) universe | sudo tee /etc/apt/sources.list.d/josm.list > /dev/null
    

Attachments (0)

Change History (11)

comment:1 by skyper, 22 months ago

Description: modified (diff)

comment:2 by skyper, 22 months ago

Description: modified (diff)

comment:3 by skyper, 22 months ago

Description: modified (diff)

comment:4 by skyper, 22 months ago

Description: modified (diff)

comment:5 by skyper, 22 months ago

Description: modified (diff)

comment:6 by taylor.smock, 22 months ago

FTR, here is a docker file I made for testing the validate command:

FROM debian:latest
RUN mkdir -p /etc/sources.list.d/ && \
      apt-get update && \
      apt-get install -y wget gnupg2 && \
      wget -q https://josm.openstreetmap.de/josm-apt.key -O- | gpg --dearmor > /usr/share/keyrings/josm.gpg && \
      echo 'deb [signed-by=/usr/share/keyrings/josm.gpg] https://josm.openstreetmap.de/apt alldist universe' >> /etc/sources.list.d/josm && \
      apt-get update && \
      apt-get install -y josm && \
      apt-get clean

I would expect the same instructions from Debian to work on Ubuntu. At least anything recent.

in reply to: 6 comment:7 by skyper, 22 months ago

Replying to taylor.smock:

FTR, here is a docker file I made for testing the validate command:

FROM debian:latest
RUN mkdir -p /etc/sources.list.d/ && \
      apt-get update && \
      apt-get install -y wget gnupg2 && \
      wget -q https://josm.openstreetmap.de/josm-apt.key -O- | gpg --dearmor > /usr/share/keyrings/josm.gpg && \
      echo 'deb [signed-by=/usr/share/keyrings/josm.gpg] https://josm.openstreetmap.de/apt alldist universe' >> /etc/sources.list.d/josm && \
      apt-get update && \
      apt-get install -y josm && \
      apt-get clean

I still prefer /usr/local/share/keyrings/ over /usr/share/keyrings/. In my eyes, it is a cleaner separation and I remember problems with files being modified by dpkg under /usr/share/.
According to the man page, SOURCES.LIST(5), files under /etc/sources.list.d/ need a file extension, .list for our case.

FROM debian:latest
RUN mkdir -p /etc/sources.list.d/ /usr/local/share/keyrings/ && \
      apt-get update && \
      apt-get install -y wget gnupg && \
      wget -q https://josm.openstreetmap.de/josm-apt.key -O- | gpg --dearmor > /usr/local/share/keyrings/josm.gpg && \
      echo 'deb [signed-by=/usr/local/share/keyrings/josm.gpg] https://josm.openstreetmap.de/apt alldist universe' >> /etc/sources.list.d/josm.list && \
      apt-get update && \
      apt-get install -y josm && \
      apt-get clean

I would expect the same instructions from Debian to work on Ubuntu. At least anything recent.

Why do we have all the code name directories for Ubuntu and alldist for all other distributions?
On my Debian systems sudo is not installed or restricted but it is default on Ubuntu.

Edit: gnupg2 is a dummy package installing gnupg

Last edited 22 months ago by skyper (previous) (diff)

comment:8 by skyper, 22 months ago

Resolution: fixed
Status: new → closed

I hope that I got everything correct and up-to-date now: diff

comment:9 by taylor.smock, 22 months ago

Quick comment: I just tried following the instructions on my Pi, and the gpg key instructions are kind of off.

wget -q https://josm.openstreetmap.de/josm-apt.key -O- | sudo gpg --dearmor > /usr/local/share/keyrings/josm-apt.gpg

sudo does not translate through the >, so you would have to do something like this: wget -q https://josm.openstreetmap.de/josm-apt.key -O- | gpg --dearmor | sudo tee /usr/local/share/keyrings/josm-apt.gpg

With that said, it printed to terminal which kind of messes up the terminal...

But that might be a difference between gpg1 and gpg2.

comment:10 by skyper, 22 months ago

Does wget -q https://josm.openstreetmap.de/josm-apt.key -O- | sudo gpg --dearmor -o /usr/local/share/keyrings/josm-apt.gpg work?

comment:11 by taylor.smock, 22 months ago

Yes, it appeared to work.
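The whole procedure from the ticket description (separate keyring directory, dearmored key, signed-by entry in a .list file) together with the sudo/redirect point from comment:9 and comment:10, as an added example script that is not the wiki's instructions or any comment author's code. The keyring path, list file name, key URL default and the codename argument are my assumptions; only the self-check on constructed data runs by itself, the two install functions need root and network and are called explicitly.

```shell
#!/bin/sh
# Added example for this ticket, not the JOSM wiki's own text.
# Assumed defaults (override via environment): keyring path, list file, key URL.
JOSM_KEY_URL="https://josm.openstreetmap.de/josm-apt.key"
KEYRING="${KEYRING:-/usr/local/share/keyrings/josm.gpg}"
LIST_FILE="${LIST_FILE:-/etc/apt/sources.list.d/josm.list}"

# apt's signed-by option needs a binary (dearmored) keyring, which is why the
# download is piped through gpg --dearmor. This flags a file that is still
# ASCII-armored so the mistake shows up before the next apt-get update.
is_armored() {
    head -c 14 "$1" | grep -q -- '-----BEGIN PGP'
}

# apt only reads files in sources.list.d/ that end in .list (or .sources),
# the extension point raised in comment:7.
has_list_extension() {
    case "$1" in
        *.list|*.sources) return 0 ;;
        *) return 1 ;;
    esac
}

# The one-line deb entry carrying the signed-by keyring path (as in the
# description); arguments: keyring path, distribution codename.
sources_entry() {
    printf 'deb [signed-by=%s] https://josm.openstreetmap.de/apt %s universe' "$1" "$2"
}

# Download and dearmor the key. gpg writes the file itself via -o, so it is
# created by the privileged gpg process; with "sudo gpg ... > file" the
# redirection would be opened by the unprivileged shell (comment:9/10).
install_josm_key() {
    sudo mkdir -p "$(dirname "$KEYRING")" || return 1
    wget -q "$JOSM_KEY_URL" -O- | sudo gpg --dearmor -o "$KEYRING" || return 1
    ! is_armored "$KEYRING"
}

# Write the sources entry; tee under sudo for the same redirect reason.
install_josm_list() {
    has_list_extension "$LIST_FILE" || { echo "not a .list file: $LIST_FILE" >&2; return 1; }
    sources_entry "$KEYRING" "$1" | sudo tee "$LIST_FILE" >/dev/null
}

# Self-check on constructed data (no root, no network): a constructed armored
# header versus a few arbitrary binary bytes, and the .list extension rule.
self_check() {
    tmp=$(mktemp) || return 1
    printf -- '-----BEGIN PGP PUBLIC KEY BLOCK-----\n' > "$tmp"
    is_armored "$tmp" || { rm -f "$tmp"; return 1; }
    printf '\231\001\015\004' > "$tmp"
    ! is_armored "$tmp" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    has_list_extension /etc/apt/sources.list.d/josm.list || return 1
    ! has_list_extension /etc/apt/sources.list.d/josm || return 1
    return 0
}

self_check && echo "self-check ok"
# To actually install on a host (needs root and network):
#   install_josm_key && install_josm_list "$(lsb_release -sc)"
```

Running it as a script only executes the self-check; calling install_josm_key and install_josm_list "$(lsb_release -sc)" performs the real install, and install_josm_key fails if the written keyring is still armored.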
