2021-11-26 - apt-key is dead... finally!

today i was preparing some dockerized SDK, with some out-of-distro tooling. the usual stuff:

  1. find external repo
  2. add to apt sources.list.d
  3. then apt-key

and surprise! deprecation warning! fast-forward 23 seconds and everything is clear.

it's deprecated because of a fatal design flaw – keys added could be used to sign ANY package. even to overwrite something from the main distro (think: glibc, kernel…). this is the exact reason i stopped using external repos a long time ago on my machines. if ever needed – only via docker or VM.

so what's the current, better solution? obviously, tie the repo to its key. you can now do this with a simple syntax when defining a repo file. here's how it goes:

  1. wget -O - https://some.custom.repo/key.gpg | gpg --dearmor > /usr/share/keyrings/repo-keyring.gpg
  2. vi /etc/apt/sources.list.d/repo.list

and there the key part (literally ;)):

deb [signed-by=/usr/share/keyrings/repo-keyring.gpg] https://some.custom.repo/debian bullseye main

followed by the usual:

apt update
apt install my-favourite-custom-package

and done! :)
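
a check that follows from the above, as an added example (not part of the original post): it lists one-line apt source entries that carry no signed-by option and so still rely on the globally trusted keyrings. the function names and the sample entries are constructed for illustration; deb822-style .sources files are not handled.

```shell
#!/bin/sh
# added example, not from the original post: flag one-line apt source
# entries without signed-by=, i.e. entries not tied to a specific keyring.

# audit_sources FILE...  -> prints "file:lineno: entry" for each offender
audit_sources() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            $1 != "deb" && $1 != "deb-src" { next }  # skips comments and blanks too
            {
                opts = ""
                # options, if present, are a [...] group right after the type
                i = index($0, "["); j = index($0, "]")
                if ($2 ~ /^\[/ && j > i) opts = substr($0, i + 1, j - i - 1)
                if (opts !~ /(^|[ \t])signed-by=[^ \t]+/)
                    printf "%s:%d: %s\n", file, NR, $0
            }
        ' "$f"
    done
}

# constructed sample: one entry tied to a keyring, two that are not
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample entries, not real repositories
deb [signed-by=/usr/share/keyrings/repo-keyring.gpg] https://some.custom.repo/debian bullseye main
deb https://other.custom.repo/debian bullseye main
deb [arch=amd64] https://third.custom.repo/debian bullseye main
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/repo.list"
audit_sources "$tmp/repo.list"   # prints the entries on lines 3 and 4
rm -rf "$tmp"
```

on a real system, point it at /etc/apt/sources.list and /etc/apt/sources.list.d/*.list.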

blog/2021/11/26/2021-11-26_-_apt-key_is_dead..._finally.txt · Last modified: 2021/11/26 20:14 by basz