Fix apt-get ascii GPG key #19138
I think APT has supported .asc files since ~1.4 (and the oldest Ubuntu LTS, 20.04/Focal has APT 2.0) 👍
LGTM
(even the oldest LTS-supported release of Debian has APT 1.8 🚀)
Thank you for verifying the
Oh right, it'll still error for things it doesn't know at all (just not for things it knows but aren't installed) 🤦 We could "fix" that by getting clever with patterns, but that's also somewhat dangerous (as the patterns then might match unrelated things). The loop is probably best. 😅
Changing the file extension for the GPG key to .asc lets apt-get know the GPG key is in ASCII armor format, no need to dearmor.

Co-authored-by: audunmg <audun@gangsto.org>
Co-authored-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
I patched the commit to revert the
🥳
Thanks for looking, @tianon! <3
| sudo install -m 0755 -d /etc/apt/keyrings | ||
| curl -fsSL {{% param "download-url-base" %}}/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg | ||
| sudo chmod a+r /etc/apt/keyrings/docker.gpg | ||
| curl -fsSL {{% param "download-url-base" %}}/gpg -O /etc/apt/keyrings/docker.asc |
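Review bot: the added line passes a path to `curl -O`, but `-O` is `--remote-name` and takes no argument, so `/etc/apt/keyrings/docker.asc` would be treated as a second URL and the key would land in `./gpg` in the working directory; the output flag is lowercase `-o /etc/apt/keyrings/docker.asc`. Since `/etc/apt/keyrings` is created root-owned by the preceding `sudo install -m 0755 -d` line, the write also needs `sudo` (the thread settles on `sudo curl -fsSL ... -o ...` over `| sudo tee`). The removed `sudo chmod a+r /etc/apt/keyrings/docker.gpg` line was added for #17070 because some systems ended up with a key apt could not read; a matching `sudo chmod a+r /etc/apt/keyrings/docker.asc` for the new file would preserve that fix.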
Oh, erm, silly question; would we need sudo curl now? (or | sudo tee?) Looks like /etc/apt/keyrings may not be accessible by everyone;

```
ls -l /etc/apt/keyrings
total 4
-rw-r--r-- 1 root root 2760 Jan 25 21:02 docker.gpg
```

The sudo chmod a+r /etc/apt/keyrings/docker.gpg was added for some cloud systems where permissions were not allowing traversing the directories, causing things to fail; #17070 (comment)
Ah, yes. Would sudo curl do, or do we need tee?
sudo curl is probably the easy one, but thinking if cURL depends on user directories (therefore sudo potentially looking for config in root's home dir and such). Running cURL as root may have a slightly bigger attack surface (vs tee) as well, but perhaps that's just looking for issues.

I'm sure @tianon has opinions as well on whether curl | sudo tee is preferred over sudo curl
Yeah, attack surface is all that came to mind for me (generally, running curl as root is probably safe, but not the best idea). That being said, if we use tee, we should probably also send the output to /dev/null, so I'd personally think sudo curl is probably the simpler answer to keep the docs easier to understand (users that paranoid are hopefully not even using this line and are instead doing things like fetching the key by full fingerprint from elsewhere and/or doing deeper verification after download).
Yup, sudo curl is definitely easier to grasp, so perhaps it's an ok trade-off (readability over "fully correct").

We should look at the directory permissions though (the sudo chmod a+r /etc/apt/keyrings/docker.gpg); as I recall there were some real-life scenarios outside of the user's control where things broke without #17070
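The two things this thread keeps coming back to are (a) whether the file handed to APT is really ASCII-armored once the `gpg --dearmor` step is dropped, and (b) whether the keyring directory and key end up readable by the unprivileged user apt runs as, which is what the `install -m 0755 -d` and `chmod a+r` lines exist for. The shell helpers below are an added example for this discussion, not code from the Docker docs or from this PR; the function names `is_armored_key`, `install_apt_key`, `key_world_readable` and `demo` are hypothetical. The destination directory is a parameter so the helpers can be exercised against a temporary directory without root; for the real `/etc/apt/keyrings` they would be run via `sudo`.

```shell
#!/bin/sh
# Added example for this thread, not code from the Docker docs or the PR.
# Helpers (hypothetical names) for placing an ASCII-armored OpenPGP key into
# an APT keyring directory. The directory is a parameter so the functions can
# be exercised against a temporary directory without root; the real target
# would be /etc/apt/keyrings, written via sudo.
set -eu

# is_armored_key FILE: succeed only if FILE begins with the ASCII-armor header.
# APT reads .asc files directly (no gpg --dearmor needed), but only if the
# content really is armored; a binary .gpg keyring renamed to .asc would
# silently not be usable.
is_armored_key() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$'
}

# install_apt_key SRC DEST_DIR NAME: copy SRC to DEST_DIR/NAME.asc.
# Directory mode 0755 and file mode 0644 are what the docs' "install -m 0755 -d"
# and "chmod a+r" lines establish: the unprivileged user apt drops to must be
# able to traverse the directory and read the key, otherwise apt-get fails
# the way the thread describes.
install_apt_key() {
    src=$1; dest_dir=$2; name=$3
    if ! is_armored_key "$src"; then
        echo "refusing to install $src: not an ASCII-armored key" >&2
        return 1
    fi
    install -m 0755 -d "$dest_dir"
    install -m 0644 "$src" "$dest_dir/$name.asc"
}

# key_world_readable FILE: succeed if the "other" permission bits grant read,
# i.e. the condition the chmod a+r line was added to guarantee.
# Tries GNU stat first, then BSD stat, so it works on Linux and macOS.
key_world_readable() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        *[4567]) return 0 ;;
    esac
    return 1
}

# demo: run the helpers against a constructed key in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    # Constructed placeholder key; a real key carries a base64 payload here.
    printf -- '-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nPLACEHOLDER\n-----END PGP PUBLIC KEY BLOCK-----\n' \
        > "$tmp/docker.asc.download"
    install_apt_key "$tmp/docker.asc.download" "$tmp/keyrings" docker
    key_world_readable "$tmp/keyrings/docker.asc" && echo "docker.asc installed and readable"
    rm -rf "$tmp"
}

demo
```

Running the script installs a constructed placeholder key into a throwaway directory and reports that it is world-readable; pointing `install_apt_key` at a file that does not start with the armor header makes it refuse rather than leave an unreadable key in place. The armor check is deliberately strict about the first line because that is exactly the property the `.asc` rename relies on.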
Running apt-get remove in a loop is probably the slowest possible way to uninstall packages.
apt-get will not fail if any of the packages are already uninstalled, so this is unnecessary.