docs: store ddev.gpg in keyrings instead of trusted.gpg.d

[ted933]

The Issue

On Ubuntu systems keys stored in /etc/apt/trusted.gpg.d validate packages for the whole linux installation. Custom sources should not use this directory for storing their keys as this creates a vulnerability.

See https://www.digitalocean.com/community/tutorials/how-to-handle-apt-key-and-add-apt-repository-deprecation-using-gpg-to-add-external-repositories-on-ubuntu-22-04 for detailed explanation.

How This PR Solves The Issue

Storing the ddev.gpg key in /etc/apt/keyrings/ mitigates this vulnerability.

Manual Testing Instructions

• Test docs on Ubuntu
• Test the docker-ce WSL2 installation script
• Test the docker desktop WSL2 installation script

Release/Deployment Notes

• New deployment of gitpod image
• New deployment of Codespaces package

[rfay]

Please take a look at

• Debian/Ubuntu keyring location should be /etc/apt/keyrings, not /etc/apt/trusted.gpg.d #4960

and

• 20230502 hakre secure apt gpg #4961

There's more to be done than just this little bit. But those will give you more context. Definitely want to do it, would like to do more than you have here.

[ted933]

Setting access rights corresponding to https://docs.docker.com/engine/install/ubuntu/

[rfay]

I think we'll want to make the changes more than just in the docs. If you want to take that on it's welcome. See the previous PR, for example, and the discussion in the previous issue.

[ted933]

I think we'll want to make the changes more than just in the docs.

Please be more precise. What else do you expect?

[rfay]

The things that have to be done are listed in the initial comment, #5172 (comment) - Just search for the many places that have to be changed as was done in #4961 and do them. That PR had a number of problems, but the idea was right.

[rfay]

I'm working on adding a commit to do the things.

[rfay]

@ted933 @hakre please review and see what you think, thanks!

[gilbertsoft]

See #4960 (comment)

[gilbertsoft]

This PR introduces two different locations for the keys, one in /usr/share/keyrings and a second in /etc/apt/keyrings, I think we should use one only!

[rfay]

@gilbertsoft The PR uses /usr/share/keyrings only for deb.sury.org packages, and it's because that's what they currently recommend for their case. https://packages.sury.org/php/README.txt

[gilbertsoft]

Thanks for the additional information. I had a look at the various links and it looks fine to me.

[rfay]

Thanks @hakre and @ted933 for all your work on this. @hakre you also got commit credit.