[website] change instructions for adding .deb repository key #6470

Closed
uhoreg opened this issue Apr 8, 2018 · 17 comments

4 participants
@uhoreg
Member

commented Apr 8, 2018

The apt-key man page recommends putting keyfiles directly in /etc/apt/trusted.gpg.d instead of using apt-key add, so the desktop install instructions should tell users to use something like sudo wget -O /etc/apt/trusted.gpg.d/riot.asc https://riot.im/packages/debian/repo-key.asc instead of curl -L https://riot.im/packages/debian/repo-key.asc | sudo apt-key add -. As pointed out by sergio in https://matrix.to/#/!DdJkzRliezrwpNebLk:matrix.org/$1523209724748581QaXXX:matrix.org

@richvdh

Member

commented Apr 9, 2018

why does it matter?

@richvdh

Member

commented Apr 9, 2018

[my apt-key manpage doesn't recommend that, and surely it's better to avoid running wget as root?]

@532910

Contributor

commented Apr 9, 2018

Could you explain how wget as root relates to the problem?
Do not run wget as root! Run wget as user and then run mv as root!

@532910

Contributor

commented Apr 9, 2018

Update to Stretch! And read the man!
https://manpages.debian.org/stretch/apt/apt-key.8.en.html

@lampholder

Member

commented Apr 16, 2018

Dunno what to do with this one :)
Our docs should strive to give clear, unambiguously good advice, but it's not clear to me whether we're falling short of that here.

@532910

Contributor

commented Apr 16, 2018

What is unclear or ambiguous with

$ sudo wget -O /etc/apt/trusted.gpg.d/riot.asc https://riot.im/packages/debian/repo-key.asc

or

$ wget -O /tmp/riot.asc https://riot.im/packages/debian/repo-key.asc
$ sudo cp /tmp/riot.asc /etc/apt/trusted.gpg.d/riot.asc

?

@532910

Contributor

commented Apr 16, 2018

$ wget -O - https://riot.im/packages/debian/repo-key.asc | sudo tee /etc/apt/trusted.gpg.d/riot.asc

@532910

Contributor

commented Apr 16, 2018

$ curl https://riot.im/packages/debian/repo-key.asc | sudo tee /etc/apt/trusted.gpg.d/riot.asc

@532910

Contributor

commented Apr 17, 2018

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895855
So the Debian Administrator's Handbook also says to use a separate file, and the site will be fixed.

@uhoreg

Member Author

commented Feb 14, 2019

> why does it matter?

My understanding is that it makes management easier, in that if you want to later remove the key, it's just an rm statement, rather than trying to figure out the key ID and then issuing the proper apt-key del command.

Anyways, there is another suggestion for managing apt keys, documented at https://wiki.debian.org/DebianRepository/UseThirdParty, which makes apt only trust the riot.im key for signing the riot.im repository, rather than for signing every repository on the system. One issue with recommending that method, though, is that apt in Ubuntu trusty and Debian jessie doesn't seem to support the signed-by tag, so it will not work on those systems. So if we want to go with those instructions, we would either need to provide different instructions depending on what distribution users are on, or drop support for Ubuntu trusty and Debian jessie.

@richvdh

Member

commented Feb 14, 2019

https://wiki.debian.org/DebianRepository/UseThirdParty says a lot of things, but I think that most of them seem to be recommendations for things to do in addition to installing the keys rather than alternatives?

@uhoreg

Member Author

commented Feb 14, 2019

Yes. The most relevant part of that page with respect to the archive signing key is that it recommends putting the key into a location that isn't automatically picked up by apt-secure, and specifically annotating the deb line with the location to the key.

@uhoreg

Member Author

commented Apr 16, 2019

With the new signing keys, and repo location:

sudo wget -O /usr/share/keyrings/matrix-riot-im.gpg https://packages.riot.im/debian/repo-key.gpg
sudo sh -c "echo 'deb [signed-by=/usr/share/keyrings/matrix-riot-im.gpg] https://packages.riot.im/debian/ bionic main' > /etc/apt/sources.list.d/matrix-riot-im.list"

@532910

Contributor

commented Apr 16, 2019

Users must never put anything in /usr except /usr/local.
sudo wget -O /etc/apt/trusted.gpg.d ...

@532910

Contributor

commented Apr 16, 2019

I'd prefer to use an armored file:

sudo wget -O /etc/apt/trusted.gpg.d/riot.asc https://packages.riot.im/debian/repo-key.asc

@uhoreg

Member Author

commented Apr 16, 2019

The instructions from #6470 (comment) are based on https://wiki.debian.org/DebianRepository/UseThirdParty which recommends not putting things in /etc/apt/trusted.gpg.d, as that causes apt to cause that key to be trusted to sign all repositories.

@532910

Contributor

commented May 4, 2019

@uhoreg thank you for the explanation!

Should be closed, right?

@uhoreg uhoreg closed this May 4, 2019
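
An added example, not part of the thread or the project's install instructions: a small audit of the two trust models contrasted above. It lists key files that apt trusts for every repository and source lines that lack a signed-by option. The function names, the optional root-prefix argument and the example.org entry are assumptions of this example, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: audit an apt tree for the two trust models in this thread.
# The function names and the optional root-prefix argument are assumptions.

# Key files apt trusts for EVERY repository (what `apt-key add` and
# /etc/apt/trusted.gpg.d both amount to). apt reads only *.gpg and *.asc there.
global_keys() {
    root=${1:-}
    for f in "$root"/etc/apt/trusted.gpg "$root"/etc/apt/trusted.gpg.d/*; do
        [ -f "$f" ] || continue
        case $f in
            *.gpg|*.asc) printf '%s\n' "${f#"$root"}" ;;
        esac
    done
}

# deb/deb-src lines with no signed-by option: these repositories are verified
# against the global keys above. (One-line .list format only, not deb822.)
unpinned_sources() {
    root=${1:-}
    for f in "$root"/etc/apt/sources.list "$root"/etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        awk -v file="${f#"$root"}" '
            ($1 == "deb" || $1 == "deb-src") && $0 !~ /\[.*signed-by=.*\]/ {
                print file ": " $0
            }' "$f"
    done
}

# Constructed sample tree: one key dropped in trusted.gpg.d, one pinned repo
# (the deb line from the thread) and one unpinned repo (example.org is made up).
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/apt/trusted.gpg.d" "$t/etc/apt/sources.list.d"
    : > "$t/etc/apt/trusted.gpg.d/riot.asc"
    echo 'deb [signed-by=/usr/share/keyrings/matrix-riot-im.gpg] https://packages.riot.im/debian/ bionic main' \
        > "$t/etc/apt/sources.list.d/matrix-riot-im.list"
    echo 'deb https://example.org/debian stable main' \
        > "$t/etc/apt/sources.list.d/other.list"
    echo "$t"
}

tree=$(demo_tree)
echo "Globally trusted keys:";      global_keys "$tree"
echo "Sources without signed-by:";  unpinned_sources "$tree"
rm -rf "$tree"
```

Called with no argument, both functions read the live /etc/apt tree; any line reported by unpinned_sources is a repository that every key reported by global_keys can sign for.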
