apt-key Deprecation / Apt 2.2 changes

Interesting changes:

  • apt-key and trusted.gpg are slated for deprecation. Users should move on to trusted.gpg.d instead. Our guides need to be updated to reflect that. @torjunkie please feel free to look at it when you have time.

  • There’s discussion about moving from GPG entirely for apt…

New features

  • Various patterns related to dependencies, such as ?depends are now available (2.1.16)
  • The Protected field is now supported. It replaces the previous Important field and is like Essential, but only for installed packages (maybe some more minor differences in terms of ordering the installs).
  • The update command has gained an --error-on=any option that makes it error out on any failure, not just what it considers persistent ones.
  • The rred method can now be used as a standalone program to merge pdiff files
  • APT now implements phased updates. Phasing is used in Ubuntu to slow down and control the roll out of updates in the -updates pocket, but has previously only been available to desktop users using update-manager.

Phased updates is an interesting one: it supports gradually rolling out a new update to a subset of users, so that if it has regressions not everybody is affected at once, while the update still gets some testing.

2 Likes

Awesome! Answered here:

Thanks to your notification, now no longer using apt-key in Whonix source code since version 15.0.1.7.2.

This is non-trivial.

There are (at least) two formats of gpg public keys.

  • ASCII-armored, .asc.
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFLYY+gBEACb5AqqsBuxzGlqSQZoua/CI/kr9YOagD9G8I+aBXoTUqyTSafy
JvamqxcV1mti0QKhyQsw43f340R9lGvdGTm7JhsESuHwbkAPxa6hOdjvNy//5NkK
[...]
-----END PGP PUBLIC KEY BLOCK-----
  • And also gpg public keys in binary format .gpg.

I prefer ASCII-armored over binary format since these files seem more “transparent”. Can be viewed in a simple text editor. Signing keys contents could be replaced by simple copy/paste. Though, these files cannot be interpreted without use of gpg as far as I know.

Keys for APT in /etc/apt/trusted.gpg.d/ must be in binary format.

Whonix ™ Signing Key is currently in ASCII-armored format. Debian’s deprecation of apt-key will make Whonix Packages for Debian Hosts and Whonix Host Enhancements more difficult.

Two options:

  • A) Should we add a command to convert .asc to .gpg? [1] [2]
  • B) Provide signing key download (also) in binary .gpg format?

[1]

temp_dir="$(mktemp --directory)"

cat "patrick.asc" | \
    gpg \
        --dearmor \
        --no-options \
        --homedir "$temp_dir" \
        --no-default-keyring \
        | sudo tee "/etc/apt/trusted.gpg.d/derivative.gpg" >/dev/null

[2] In Whonix, a wrapper to convert ASCII-armored format to binary format could be invented. Even a wrapper to simplify installation of gpg signing keys. No matter in what original format, convert if required then copy to apt signing key folder.


In other places in the wiki, seems like some third parties are providing their signing key in ASCII-armored format and others in binary format.

1 Like

I am for [A][2] because we keep providing the more transparent format and also help users deal with any third party provided format without them getting headaches about what .asc vs .gpg is or why this matters, when all they want to do is securely install a piece of software and get going.

1 Like

What about Whonix ™ Packages for Debian Hosts and Whonix ™ Host Enhancements? Those users won’t have access to a wrapper. Offer signing key for download also in binary format?

Tools implemented:


RetroShare - Whonix is currently using:

sudo apt-key --keyring /etc/apt/trusted.gpg.d/retroshare-pubkey.gpg add retroshare-pubkey.asc

In future that could become:

apt-key-install retroshare-pubkey.asc /etc/apt/trusted.gpg.d/retroshare-pubkey.gpg

Looks good?

1 Like

Yeah, I guess an exception has to be made here.

1 Like

Perfect

1 Like

This can wait.

apt-key is still available in Debian bullseye.

By then other things might have changed. No need to do this soon.

Debian dev guide for apt-key deprecation and alternative usage. Might help in documentation.

1 Like

APT folder /etc/apt/trusted.gpg.d supports ASCII-armored gpg keys since Debian bullseye. This will simplify everything discussed here.


1 Like

@HulaHoop

apt-key(8) — apt — Debian testing — Debian Manpages

I see this is “mostly” deprecated:

apt-key is used to manage the list of keys used by apt to authenticate packages. Packages which have been authenticated using these keys will be considered trusted.

Use of apt-key is deprecated, except for the use of apt-key del in maintainer scripts to remove existing keys from the main keyring. If such usage of apt-key is desired the additional installation of the GNU Privacy Guard suite (packaged in gnupg) is required.

apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.

Is this the accepted and safe workaround using GPG (untested)?:

In short: retrieve the key locally

curl -s URL

Add the key:

cat URL.pub | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/NAME.gpg --import

Authorize the user _apt:

sudo chown _apt /etc/apt/trusted.gpg.d/NAME.gpg

1 Like

better:

Not good since it skips gpg fingerprint verification.

Not required. For comparison:

ls -la /etc/apt/trusted.gpg.d/

Files there are all owned by user root and group root and world readable.

Meaning whatever the key format .asc or .gpg.

sudo cp /path/to/gpg-public-key.asc /etc/apt/trusted.gpg.d/

No more gpg or apt-key required on the command line.

However, actually folder /usr/share/keyrings/ and signed-by should be used. See:

Does that make sense?
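As an added example (not Whonix's own apt-key-install and not code from this thread), here is one way the wrapper proposed earlier could look, combined with the recommendation just above to keep keys in /usr/share/keyrings/ and pin repositories with signed-by. Everything in it is an assumption: the script name, the KEYRING_DIR location, the NAME-archive-keyring.gpg naming, and the requirement to pass the expected fingerprint on the command line. That last part is what addresses the objection that piping a downloaded key straight into a keyring skips fingerprint verification: the key is converted to binary if it arrived ASCII-armored, its primary-key fingerprint is compared against the value the operator already knows from a trusted channel, and only then is it installed root-owned and world-readable, matching the ownership of the existing files in trusted.gpg.d.

```shell
#!/bin/sh
# apt-key-install (assumed wrapper, not a Whonix tool): install an OpenPGP
# public key for APT whatever its input format, pin it by fingerprint, and
# place it under /usr/share/keyrings for use with signed-by.
# Usage: apt-key-install KEYFILE NAME EXPECTED_FINGERPRINT
set -eu

KEYRING_DIR="/usr/share/keyrings"   # assumption: directory recommended in the thread

# Print "armored" for an ASCII-armored key (first byte is '-', 0x2d) and
# "binary" for a raw OpenPGP packet (first byte is a packet tag, 0x80 or above).
key_format() {
    first="$(od -An -N1 -tx1 "$1" | tr -d ' \n')"
    if [ "$first" = "2d" ]; then
        echo armored
    else
        echo binary
    fi
}

# Write the key at $1 to $2 in binary format: dearmor .asc input, copy .gpg input as is.
to_binary_keyring() {
    if [ "$(key_format "$1")" = "armored" ]; then
        gpg --dearmor < "$1" > "$2"
    else
        cp "$1" "$2"
    fi
}

# Print the primary-key fingerprint(s) in key file $1, one per line, 40 hex chars.
# Only the fpr record that directly follows a pub record is taken, so subkey
# fingerprints are ignored.
primary_fingerprints() {
    gpg --show-keys --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "pub" { want = 1; next } $1 == "fpr" && want { print $10; want = 0 }'
}

# Normalise a fingerprint for comparison: drop spaces, uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Succeed only if key file $2 contains a primary key whose fingerprint is $1.
verify_fingerprint() {
    expected="$(normalize_fpr "$1")"
    for fpr in $(primary_fingerprints "$2"); do
        [ "$fpr" = "$expected" ] && return 0
    done
    echo "fingerprint mismatch: expected $expected, key file has: $(primary_fingerprints "$2" | tr '\n' ' ')" >&2
    return 1
}

# Path the keyring will live at for a given short NAME (naming is an assumption).
keyring_path() {
    echo "$KEYRING_DIR/$1-archive-keyring.gpg"
}

# The sources.list line that pins a repository to that keyring.
# $1 name, $2 repository URL, $3 suite, $4 components
signed_by_line() {
    echo "deb [signed-by=$(keyring_path "$1")] $2 $3 $4"
}

# Convert, verify, then install root-owned and world-readable (0644), like the
# existing files in trusted.gpg.d. Nothing reaches the keyring directory unless
# the fingerprint matches.
install_apt_key() {
    keyfile="$1"; name="$2"; expected="$3"
    tmp="$(mktemp)"
    to_binary_keyring "$keyfile" "$tmp"
    if ! verify_fingerprint "$expected" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    dest="$(keyring_path "$name")"
    install -o root -g root -m 0644 "$tmp" "$dest"
    rm -f "$tmp"
    echo "$dest"
}

if [ $# -gt 0 ]; then
    install_apt_key "$@"
fi
```

With this shape the RetroShare step from earlier in the thread becomes a single call such as `sudo ./apt-key-install retroshare-pubkey.asc retroshare 'EXPECTED FINGERPRINT'`, after which `signed_by_line retroshare <URL> <suite> <components>` prints the deb line to drop into a sources.list.d file; the old trusted.gpg.d copy is then unnecessary, because the key only ever vouches for the one repository it is attached to.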

Yeah, seems they extended the deprecation timeline to give users a chance to move on. Here is the suggested alternative usage from the bullseye release changelog:

  • bullseye is the final Debian release to ship apt-key. Keys should be managed by dropping files into /etc/apt/trusted.gpg.d instead, in binary format as created by gpg --export with a .gpg extension, or ASCII armored with a .asc extension. A replacement for apt-key list to manually investigate the keyring is planned, but work has not started yet.
1 Like