(Blogging this, since this is a recurring anti-pattern I noticed at several customers and often comes up during deployments of 3rd party repositories.)

Update on : clarified, that Signed-By requires apt >= 1.1, thanks Vincent Bernat

Many upstream projects provide Debian repository instructions like this:

Do not follow this, for different reasons, including:

- You do not see what you get before adding the GPG key to your global apt trust store.
- You can’t easily script this via your preferred configuration management (the apt-key manpage clearly discourages programmatic usage).
- The signing key is considered valid for all your enabled Debian repositories (instead of only a specific one).
- You need GnuPG (either gnupg2 or gnupg1) on your system for usage with apt-key.

There’s a much better approach to this: download the GPG key, make sure it’s in the appropriate format, then use it via ` deb ` in your apt’s sources list configuration. Note and FTR: the Signed-By feature is available starting with apt 1.1 (so apt in Debian jessie/8 and older does not support it).

- Install GPG keys in ascii-armored / old public key block format as /usr/share/keyrings/example.asc and use ` deb …` in apt’s sources.list configuration.
- Install GPG keys in binary OpenPGP format as /usr/share/keyrings/example.gpg and use ` deb …` in apt’s sources.list configuration

As an example, let’s demonstrate this with the Tailscale Debian repository for buster.

Downloading the GPG file will give you an ascii-armored GPG file:

buster.gpg: PGP public key block Public-Key (old)

(Package repository signing key)
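The approach described above, as an added example that is not part of the original post: shell functions that check what a downloaded key file actually is, store it under the matching `.asc` or `.gpg` extension, and print a sources.list line pinned to that one key with apt's `signed-by` option. The function names `key_ext` and `pin_repo`, the repository URL and the temporary paths are hypothetical, and the key data is a constructed stub.

```sh
#!/bin/sh
# Added example; names, URL and key contents are constructed placeholders.

# Print "asc" for an ASCII-armored key, "gpg" for a binary OpenPGP key.
# Fail for anything else, e.g. an HTML error page saved as the "key".
key_ext() {
    if head -n 1 "$1" | grep -q -e '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo asc
        return 0
    fi
    # A binary keyring starts with a public-key packet header octet:
    # 0x98/0x99 (old packet format) or 0xc6 (new packet format).
    case "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" in
        98|99|c6) echo gpg ;;
        *) echo "not an OpenPGP public key: $1" >&2; return 1 ;;
    esac
}

# Copy the key into a keyring directory under the matching extension and
# print the sources.list line that trusts it for this repository only.
# usage: pin_repo KEYFILE NAME KEYRING_DIR URL SUITE COMPONENT
pin_repo() {
    ext=$(key_ext "$1") || return 1
    dest="$3/$2.$ext"
    cp "$1" "$dest" && chmod 0644 "$dest" || return 1
    echo "deb [signed-by=$dest] $4 $5 $6"
}

# Demo on a constructed armored stub (not a real key) in a temp directory;
# on a real system KEYRING_DIR would be /usr/share/keyrings.
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '(constructed)' > "$tmp/dl.key"
pin_repo "$tmp/dl.key" example "$tmp" https://repo.example.invalid/debian buster main
rm -rf "$tmp"
```

The format check only tells you what kind of file you downloaded; it does not authenticate the key, so its fingerprint still has to be compared with the one the upstream project publishes.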