Bug#968148: apt: please document replacement for 'apt-key list'
Piotr Engelking
2020-08-09 19:40:02 UTC
Package: apt
Version: 2.1.8
Severity: wishlist

Running the 'apt-key list' command gives the following information:

Warning: apt-key is deprecated. Manage keyring files in
trusted.gpg.d instead (see apt-key(8)).

Neither the manpage nor other documentation suggests what to replace
the command with. Please document it.

The command is useful for configuring sources.list and for debugging
repository signing problems.


-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (800, 'testing'), (700, 'unstable'), (600, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.7.0-2-amd64 (SMP w/4 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apt depends on:
ii adduser 3.118
ii debian-archive-keyring 2019.1
ii gpgv 2.2.20-1
ii libapt-pkg6.0 2.1.8
ii libc6 2.31-2
ii libgcc-s1 10.1.0-6
ii libgnutls30 3.6.14-2+b1
ii libseccomp2 2.4.3-1+b1
ii libstdc++6 10.1.0-6
ii libsystemd0 246-2

Versions of packages apt recommends:
ii ca-certificates 20200601

Versions of packages apt suggests:
ii apt-doc 2.1.8
pn aptitude | synaptic | wajig <none>
ii dpkg-dev 1.20.5
ii gnupg 2.2.20-1
pn powermgmt-base <none>

-- no debconf information
Julian Andres Klode
2020-08-10 09:40:01 UTC
Control: severity -1 minor
Post by Piotr Engelking
> Package: apt
> Version: 2.1.8
> Severity: wishlist
> Warning: apt-key is deprecated. Manage keyring files in
> trusted.gpg.d instead (see apt-key(8)).
> Neither the manpage nor other documentation suggests what to replace
> the command with. Please document it.

There is no replacement. Plans need to be made at some point, though
you can arguably just run gpg on the keyring files, like this:

gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/steam.gpg --list-key

Adding the deprecation messages now is more important than figuring out how
to replace the commands. It's 2020 and people are still using apt-key when
they should not be - a lot of apt-key adv or apt-key add commands are still
floating around.

I want to get a clear message out that apt-key is deprecated, and people should
stop using it. How we deal with the list use case is a different topic.

I also need to add a deprecation notice to apt update if a repository
was signed with a key from trusted.gpg instead of trusted.gpg.d, so we
can completely stop using trusted.gpg once bullseye (and Ubuntu 22.04) is
released, at which point all apt-key add use will naturally break :)
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
Vincent van Adrighem
2020-09-03 07:40:02 UTC
Package: apt
Followup-For: Bug #968148

Dear Maintainer,

Replacing the command is not what we want to achieve here, but a few
changes in the documentation would go a long way in resolving this.
Post by Piotr Engelking
> Warning: apt-key is deprecated. Manage keyring files in
> trusted.gpg.d instead (see apt-key(8)).

Warning: apt-key is deprecated. Keys can simply be downloaded and
managed separately in the trusted.gpg.d directory instead using
standard file management tools (see apt-key(8)).
Use of apt-key is deprecated, except for the use of apt-key del in maintainer scripts to remove existing keys from the main
keyring. If such usage of apt-key is desired the additional installation of the GNU Privacy Guard suite (packaged in gnupg) is
required.
Use of apt-key is deprecated, except for the use of apt-key del in maintainer scripts to remove existing keys from the main
keyring. If such usage of apt-key is desired the additional installation of the GNU Privacy Guard suite (packaged in gnupg) is
required.
New keys can be managed separately in the trusted.gpg.d directory instead using
standard file management tools (see apt-key(8)).
A replacement for "sudo apt-key add -" would be "sudo tee
/etc/apt/trusted.gpg.d/keyname.gpg"
Those last two lines are a nice addition because
apt-key add examples float around a lot on the web.

Thanks for maintaining the package. Hope this helps to resolve the
issue people have.

-- System Information:
Debian Release: bullseye/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Julian Gilbey
2020-12-30 22:30:01 UTC
Post by Piotr Engelking
> Package: apt
> Followup-For: Bug #968148
> Dear Maintainer,
> Replacing the command is not what we want to achieve here, but a few
> changes in the documentation would go a long way in resolving this.

Dear Maintainers,

I'd like to second this: I wanted to add a local key, and could not
find out how to do so now that apt-key is deprecated. I looked in
apt-secure(8), but the /etc/apt/trusted.gpg.d/ directory is not even
mentioned.

In the end, with some web searching, the only reference I found to the
"correct" way to do it was this bug report!

Please do update the manpages for apt-key and apt-secure in the way
that Vincent has suggested - ideally, in time for the bullseye freeze,
so that it is in the upcoming Debian stable. This makes it obvious
what to do instead of using apt-key: "just add/remove GPG keys to/from
the directory /etc/apt/trusted.gpg.d as desired".

Best wishes,

Julian
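
An added example, not part of the thread or of apt itself: a POSIX shell sketch of the two manual operations the posts above describe, storing a key in the trusted.gpg.d directory in place of "apt-key add -" and listing keyring contents with gpg in place of "apt-key list". The function names and the APT_KEY_DIR override are assumptions made for the example; it picks the .asc extension for ASCII-armored input because apt expects .gpg files to be binary keyrings, and it refuses empty input such as a failed download.

```sh
#!/bin/sh
# Added example, not apt's own code. APT_KEY_DIR is an assumed override so
# the functions can be tried on a scratch directory.
APT_KEY_DIR="${APT_KEY_DIR:-/etc/apt/trusted.gpg.d}"

# Print "asc" for an ASCII-armored public key, "gpg" otherwise (binary keyring).
key_encoding() {
    if head -n 1 "$1" | LC_ALL=C grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo asc
    else
        echo gpg
    fi
}

# install_key NAME: read a key on stdin, store it as NAME.asc or NAME.gpg,
# and print the resulting path.
install_key() {
    name=$1
    case "$name" in
        ''|*/*|.*) echo "install_key: bad name: $name" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    if [ ! -s "$tmp" ]; then            # e.g. the download piped in failed
        echo "install_key: empty input, nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi
    dest="$APT_KEY_DIR/$name.$(key_encoding "$tmp")"
    # 0644: apt verifies signatures as an unprivileged user, so the
    # keyring file has to be world-readable.
    if install -m 0644 "$tmp" "$dest"; then rc=0; echo "$dest"; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Stand-in for "apt-key list": show the keys in every keyring file.
# Needs gnupg; --show-keys reads binary and armored files alike.
list_keys() {
    for f in "$APT_KEY_DIR"/*.gpg "$APT_KEY_DIR"/*.asc; do
        [ -e "$f" ] || continue
        echo "$f"
        gpg --show-keys "$f"
    done
}
```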
