
Use [signed-by=...] for extra repository keys

Philip Hands requested to merge philh/apt-setup:signed-by into master

This narrows the trust offered to the keys associated with extra repos (e.g. local0).

Rather than simply trusting them across the board to sign anything (as is done when they are dropped into /etc/apt/trusted.gpg.d/), this switches to using the method recommended in apt-key(8) of putting them in /etc/apt/keyrings and then adding a [signed-by=...] for that key to just the repository that it is supposed to sign.

Hopefully I've managed to arrange the commits so that it's clear that the earlier ones are just reorganising the code a bit to allow for the [signed-by=...] commit (that makes the actual change) to be nice and clean.

BTW This change was previously incorporated into !11 (closed), but I've split it out at @93sam's suggestion. It doesn't matter which of these two MRs gets merged first, as they apply pretty trivially in either order.
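The mechanism the description refers to, as an added example that is not apt-setup's own code: a POSIX shell helper that copies an extra repository's key under /etc/apt/keyrings (rather than /etc/apt/trusted.gpg.d/, where it would be trusted for every repository) and emits the sources.list line carrying [signed-by=...] for just that repository. The function names add_extra_repo and key_ext, the keyrings-directory parameter, the repository name local0 (taken from the description) and the URL are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not apt-setup code. Installs one repository's key into a
# per-repository keyring and prints the matching sources.list line with
# [signed-by=...], so the key can vouch for that repository only.

# key_ext FILE: print "asc" for an ASCII-armored key, "gpg" otherwise.
# apt accepts both extensions in signed-by=, but a binary keyring must
# not be named .asc (and vice versa), so the extension follows the content.
key_ext() {
    if head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo asc
    else
        echo gpg
    fi
}

# add_extra_repo KEYRINGS_DIR NAME KEYFILE URL SUITE COMPONENTS...
# Copies KEYFILE to KEYRINGS_DIR/NAME.{asc,gpg} and prints the source line.
# KEYRINGS_DIR is a parameter (normally /etc/apt/keyrings) so the helper
# can be exercised against a scratch directory without root.
add_extra_repo() {
    dir=$1; name=$2; key=$3; url=$4; suite=$5; shift 5
    # Keep the repo name to characters that are safe in a file name.
    case "$name" in
        ''|*[!A-Za-z0-9._-]*) echo "bad repo name: $name" >&2; return 1 ;;
    esac
    [ -r "$key" ] || { echo "key not readable: $key" >&2; return 1; }
    mkdir -p "$dir" || return 1
    dest="$dir/$name.$(key_ext "$key")"
    cp "$key" "$dest" || return 1
    # apt's download/verification helper runs unprivileged, so the keyring
    # must be world-readable; it must not be writable by anyone but root.
    chmod 0644 "$dest" || return 1
    # Because the key lives outside /etc/apt/trusted.gpg.d/, this source
    # line is the only place apt will trust it.
    printf 'deb [signed-by=%s] %s %s %s\n' "$dest" "$url" "$suite" "$*"
}

# Typical use (as root, with a real key file):
#   add_extra_repo /etc/apt/keyrings local0 /tmp/local0.asc \
#       http://repo.example/debian bookworm main >> /etc/apt/sources.list.d/local0.list
```

The printed line goes into a file under /etc/apt/sources.list.d/; the key is not listed anywhere apt reads keys globally, so a compromise of the local0 key cannot be used to forge Release files for the main Debian mirrors.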
