Use of Signed-by in debian.sources #158
Comments
For a), we won't do this because
For b), we'd need the support of the
For c), this is complicated because I don't know how well-defined those paths are, especially over time, and I don't think I can reliably commit to maintain the variance if they do happen to change.
I think https://salsa.debian.org/apt-team/apt/-/merge_requests/33 is probably also really relevant here (both David and Julian there are APT maintainers). 👀
In the short term, I think the best solution to your specific problem is going to be creating your own
That consensus needs to be documented in apt-secure man page.
IMHO that notice does not make much sense; as can be seen here, a signed-by line can be as unspecific as the trusted-pgp.d directory (in fact the config dir would be easier to prune). But agreed, the APT team needs to sort that out.
Yes, that would certainly be the best option.
The created /etc/apt/sources.d/debian.sources contains 2 entries for the current distribution, prepared by the debuerreotype scripts. The entry adds a Signed-By clause, which means apt will not use the keys in /etc/apt/trusted-pgp.d/. I noticed this because I wanted to delete older distribution trusted keys from the directory, but it had no effect. The reason why I want to remove those older keys is to defend against downgrade attacks.
The problem is now that the file uses the /usr/share/keyrings/debian-archive-keyring.gpg aggregate, which contains all of the keys.
I see three ways to fix it:
a) remove Signed-By lines and rely on trusted.d
b) create a per-codename aggregate keyring file /usr/share/keyrings/debian-archive-bookworm.gpg and replace the two Signed-By with it.
c) specify the actual fine-grained keys. This requires 3 separate entries, like so:
Not sure if the semantics of those files are well defined and if bookworm-stable.gpg is the actual key that will be used for the main release's future minor updates?
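To make the trust effect of Signed-By concrete, here is an added audit snippet (not from the issue, debuerreotype or APT) that parses a deb822 sources file and reports which keys each stanza would accept. The sources text and the keyring contents are constructed placeholders; it assumes the standard /etc/apt/trusted.gpg.d/ fallback directory and models only Signed-By values that are keyring paths, not inline keys or fingerprints.

```python
# Constructed debian.sources mirroring the layout the issue describes
# (two stanzas, both Signed-By the aggregate keyring); not from the page.
DEBIAN_SOURCES = """\
Types: deb
URIs: http://deb.debian.org/debian
Suites: bookworm bookworm-updates
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: http://deb.debian.org/debian-security
Suites: bookworm-security
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
"""

# Constructed inventory: keyring path -> key IDs (placeholders, not real
# Debian archive fingerprints). trusted.gpg.d is modelled as already pruned.
KEYRINGS = {
    "/usr/share/keyrings/debian-archive-keyring.gpg": [
        "OLD-KEY-BUSTER", "OLD-KEY-BULLSEYE", "KEY-BOOKWORM"],
    "/usr/share/keyrings/debian-archive-bookworm.gpg": ["KEY-BOOKWORM"],
    "/etc/apt/trusted.gpg.d/": ["KEY-BOOKWORM"],
}

def parse_deb822(text):
    """Split deb822 text into stanzas: blank lines separate stanzas, '#'
    lines are comments, a leading-whitespace line continues a field."""
    stanzas, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif raw[0] in " \t" and last:
            cur[last] += " " + raw.strip()
        else:
            last, _, value = raw.partition(":")
            last = last.strip()
            cur[last] = value.strip()
    return stanzas + [cur] if cur else stanzas

def trusted_keys(stanza, keyrings=KEYRINGS, trusted_d="/etc/apt/trusted.gpg.d/"):
    """Keys APT accepts for this stanza: only the Signed-By keyring path(s)
    when the field is set (inline keys not modelled), else trusted.gpg.d."""
    paths = stanza.get("Signed-By", trusted_d).split()
    return sorted({k for p in paths for k in keyrings.get(p, [])})
```

With the aggregate keyring in Signed-By, pruning trusted.gpg.d changes nothing for these stanzas; pointing Signed-By at a per-codename keyring (option b) is what narrows the accepted keys.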