APT repository signing keys per APT sources.list - signed-by

Documentation [and repository-dist package] should be changed to the following style:

example, file:

/etc/apt/sources.list.d/docker.list

contents:

deb [signed-by=/usr/share/keyrings/docker.gpg] tor+https://download.docker.com/linux/debian bullseye stable


New signed-by method:

APT signing keys should be stored in folder /usr/share/keyrings/ instead of /etc/apt/trusted.gpg.d.

By using /usr/share/keyrings/ these keys as far as I understand aren't used for anything - unless a file in folder /etc/apt/sources.list.d/ with file extension .list or in file /etc/apt/sources.list uses them by referring to the path to these keys by using [signed-by=/usr/share/keyrings/keyname.gpg]. The advantage is that once the sources.list file is removed, it doesn't matter if the APT signing key is still lingering on the disk since it would effectively do nothing except waste a totally negligible amount of space not worth mentioning.

This is possible since Debian 11 bullseye.


Old trusted.gpg.d method:

The disadvantage of the old method, placing APT signing keys in folder /etc/apt/trusted.gpg.d, is that all keys there are used to verify all repositories. For example docker.gpg has no business signing packages.debian.org.


Could you document this please and perhaps also update the wiki?

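As an added example (not from the post or the Whonix project), a small POSIX shell audit for the convention described above: it flags sources.list entries that carry no signed-by option (and are therefore verified by every key in /etc/apt/trusted.gpg.d) and entries whose pinned keyring is missing from disk. The sample list file and keyring paths it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the post: audit APT source lists for the
# signed-by convention described above. All paths below are constructed.

# Print deb/deb-src lines of FILE that carry no signed-by option
# (such entries are verified by every key in /etc/apt/trusted.gpg.d).
apt_lines_without_signed_by() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$1" | grep -vE '\[[^]]*signed-by='
}

# Print the keyring paths that signed-by= options in FILE point to.
apt_signed_by_keyrings() {
    sed -nE 's/^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*signed-by=([^] ]+)[^]]*\].*/\2/p' "$1"
}

# Return 0 if every entry in FILE pins a keyring and each keyring exists.
apt_audit_file() {
    file="$1"
    rc=0
    if [ -n "$(apt_lines_without_signed_by "$file")" ]; then
        echo "$file: entries without signed-by:" >&2
        apt_lines_without_signed_by "$file" >&2
        rc=1
    fi
    for k in $(apt_signed_by_keyrings "$file"); do
        if [ ! -r "$k" ]; then
            echo "$file: referenced keyring missing: $k" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: a pinned Docker entry next to a legacy entry.
demo_dir=$(mktemp -d)
: > "$demo_dir/docker.gpg"   # stands in for the real keyring file
cat > "$demo_dir/docker.list" <<EOF
deb [signed-by=$demo_dir/docker.gpg] tor+https://download.docker.com/linux/debian bullseye stable
deb https://deb.example.invalid/debian bullseye main
EOF
apt_audit_file "$demo_dir/docker.list" || echo "audit reported problems (expected here)"
rm -rf "$demo_dir"
```

Run it against each file in /etc/apt/sources.list.d/ to find entries that still rely on the old trusted.gpg.d behaviour.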

Examples / done:


New wiki template:
https://www.whonix.org/wiki/Template:Apt_key_add_derivative

Features:

Used here:
https://www.whonix.org/wiki/Special:WhatLinksHere/Template:Apt_key_add_derivative
