apt-key Deprecation / Apt 2.2 changes

Interesting changes:

  • apt-key and trusted.gpg are slated for deprecation. Users should move on to trusted.gpg.d instead. Our guides need to be updated to reflect that. @torjunkie please feel free to look at it when you have time.

  • There’s discussion about moving from GPG entirely for apt…

New features

  • Various patterns related to dependencies, such as ?depends are now available (2.1.16)
  • The Protected field is now supported. It replaces the previous Important field and is like Essential, but only for installed packages (some minor more differences maybe in terms of ordering the installs).
  • The update command has gained an --error-on=any option that makes it error out on any failure, not just what it considers persistent ones.
  • The rred method can now be used as a standalone program to merge pdiff files
  • APT now implements phased updates. Phasing is used in Ubuntu to slow down and control the roll out of updates in the -updates pocket, but has previously only been available to desktop users using update-manager.

Phased updates is an interesting one as it supports gradually rolling out a new update to a subset of users, in case it has regressions so everybody isn’t affected at once while giving it some testing.


Awesome! Answered here:

Thanks to your notification, now no longer using apt-key in Whonix source code since version

This is non-trivial.

There are (at least) two formats of gpg public keys.

  • ASCII-armored, .asc.

  • And also gpg public keys in binary format .gpg.

I prefer ASCII-armored over binary format since these files seem more “transparent”. Can be viewed in a simple text editor. Signing key contents could be replaced by simple copy/paste. Though, these files cannot be interpreted without use of gpg as far as I know.

Keys for APT in /etc/apt/trusted.gpg.d/ must be in binary format.

https://www.whonix.org/wiki/Whonix_Signing_Key is currently in ASCII-armored format. Debian’s deprecation of apt-key will make https://www.whonix.org/wiki/Whonix_Packages_for_Debian_Hosts more difficult.

Two options:

  • A) Should we add a command to convert .asc to .gpg? [1] [2]
  • B) Provide signing key download (also) in binary .gpg format?


[1]

temp_dir="$(mktemp --directory)"

cat "patrick.asc" | \
    gpg \
        --dearmor \
        --no-options \
        --homedir "$temp_dir" \
        --no-default-keyring \
        | sudo tee "/etc/apt/trusted.gpg.d/derivative.gpg" >/dev/null

[2] In Whonix, a wrapper to convert ASCII-armored format to binary format could be invented. Even a wrapper to simplify installation of gpg signing keys. No matter in what original format, convert if required then copy to apt signing key folder.

In other places in the wiki, seems like some third parties are providing their signing key in ASCII-armored format and others in binary format.


I am for [A][2] because we keep providing the more transparent format and also help users deal with any third-party-provided format without them getting headaches about what .asc vs .gpg is or why this matters when all they want to do is securely install a piece of software and get going.


What about https://www.whonix.org/wiki/Whonix_Packages_for_Debian_Hosts? Those users won’t have access to a wrapper. Offer signing key for download also in binary format?

Tools implemented:

https://www.whonix.org/wiki/RetroShare is currently using:

sudo apt-key --keyring /etc/apt/trusted.gpg.d/retroshare-pubkey.gpg add retroshare-pubkey.asc

In future that could become:

apt-key-install retroshare-pubkey.asc /etc/apt/trusted.gpg.d/retroshare-pubkey.gpg

Looks good?

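One way the wrapper discussed in the posts above ([2] and the apt-key-install call) could work, as an added example that is not part of the original posts and is not the Whonix apt-key-install tool: it detects whether a key file is ASCII-armored or binary, converts it with the gpg options from the earlier command when needed, and writes a binary keyring. The function names key_format and install_key are hypothetical.

```sh
#!/bin/sh
# Added example; key_format and install_key are hypothetical names,
# not the Whonix apt-key-install tool.

# Print "armored", "binary" or "unknown" for an OpenPGP public key file.
key_format() {
    if grep -q -- '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1"; then
        echo armored
        return 0
    fi
    # First octet of a binary public-key packet (RFC 4880, tag 6):
    # 0x98, 0x99 or 0x9a in the old packet format, 0xc6 in the new one.
    case "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" in
        98|99|9a|c6) echo binary ;;
        *) echo unknown ;;
    esac
}

# install_key <keyfile> <destination>: store the key in binary format.
install_key() {
    src=$1
    dest=$2
    # Binary keyrings in trusted.gpg.d are picked up by their .gpg extension.
    case "$dest" in
        *.gpg) ;;
        *) echo "install_key: destination must end in .gpg" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    case "$(key_format "$src")" in
        armored)
            home=$(mktemp -d) || { rm -f "$tmp"; return 1; }
            # Same gpg options as the command earlier in the thread.
            if ! gpg --dearmor --no-options --homedir "$home" \
                    --no-default-keyring < "$src" > "$tmp"; then
                rm -rf "$home" "$tmp"
                return 1
            fi
            rm -rf "$home"
            ;;
        binary) cat "$src" > "$tmp" ;;
        *)
            echo "install_key: $src is not an OpenPGP public key" >&2
            rm -f "$tmp"
            return 1
            ;;
    esac
    # Root-writable, world-readable, so unprivileged readers can load it.
    if install -m 0644 "$tmp" "$dest"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}
```

Run as root when the destination is under /etc/apt/trusted.gpg.d/, for example `install_key retroshare-pubkey.asc /etc/apt/trusted.gpg.d/retroshare-pubkey.gpg`. A file that is neither armored nor a binary public-key packet is rejected before anything is written to the destination.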

Yeah, I guess an exception has to be made here.


This has time.

apt-key is still available in Debian bullseye.

By then other things might have changed. No need to do this soon.

Debian dev guide for apt-key deprecation and alternative usage. Might help in documentation.
