Avoid using deprecated 'apt-key add' on Debian 12 #114

Open: wants to merge 1 commit into base: master

foop-sec commented Nov 7, 2023

The official Debian Wiki[1] and the man page for apt-key[2] both mark the addition of signing keys via the apt-key add mechanism as deprecated.

One of the suggested alternatives is to place the key in the /usr/share/keyrings folder. This not only avoids using a deprecated feature, it also fixes a bug that will occur if the script is run as-is on Debian 12.

The bug happens because the signed-by field in the prod.list file[3] references the signing key as follows:

signed-by=/usr/share/keyrings/microsoft-prod.gpg

This location is not where the signing key is found if it is imported by apt-key add.
This causes apt to not find the signing key and thus abort installation.

[1] https://wiki.debian.org/DebianRepository/UseThirdParty
[2] https://manpages.debian.org/bookworm/apt/apt-key.8.en.html
[3] https://packages.microsoft.com/config/debian/12/prod.list

Check which version of Debian the script is run as and place the key in
/usr/share/keyrings, as per the official recommendation.

foop-sec force-pushed the apt-key_deprecation_fix branch from c88f2e4 to 0aa2b63 on November 7, 2023 20:30
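
Added example, not part of this pull request or the project's script: a check for the failure the description reports, where a source list's signed-by option points at a keyring file that is not on disk. The function names are hypothetical, and the sample deb line is constructed around the signed-by value quoted above with a placeholder repository URL.

```shell
#!/bin/sh
# Added example: list signed-by keyrings that an apt source list references
# but that are missing on disk (the failure described in this pull request).
# Function names are hypothetical; the sample deb line is constructed.

# Print each signed-by= value found in the [options] of deb/deb-src lines.
signed_by_paths() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]+\[' "$1" |
        sed -E 's/^[^[]*\[([^]]*)\].*$/\1/' |
        tr ' ' '\n' |
        sed -n 's/^signed-by=//p' |
        tr ',' '\n'          # split comma-separated values
}

# Print the referenced keyring paths that are not readable files.
# $1: source list, $2: optional root prefix (empty for the live system).
missing_keyrings() {
    signed_by_paths "$1" | while IFS= read -r keyring; do
        case $keyring in
            /*) [ -r "${2:-}$keyring" ] || printf '%s\n' "$keyring" ;;
        esac                 # values that are not absolute paths are skipped
    done
}

# Constructed sample: a scratch root holding a list like the one quoted above.
# The repository URL is a placeholder.
root=$(mktemp -d)
mkdir -p "$root/etc/apt/sources.list.d" "$root/usr/share/keyrings"
list="$root/etc/apt/sources.list.d/microsoft-prod.list"
printf '%s\n' \
  'deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft-prod.gpg] https://example.invalid/debian/12/prod bookworm main' \
  > "$list"

echo "key imported elsewhere, missing: $(missing_keyrings "$list" "$root")"
: > "$root/usr/share/keyrings/microsoft-prod.gpg"   # stand-in for the key file
echo "key placed in keyrings, missing: $(missing_keyrings "$list" "$root")"
rm -rf "$root"
```

On a real host, call `missing_keyrings` with only the list path (no root prefix) for each file under /etc/apt/sources.list.d before running `apt update`.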