-
Notifications
You must be signed in to change notification settings - Fork 7.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Offering an alternative to the deprecated apt-key tool #11990
Conversation
[Use trusted.gpg.d instead of apt-key · Issue #11625 · docker/docker.github.io](#11625) As of Debian 10 / Ubuntu 20.10, apt-key is deprecated and will not be available after Debian 11 / Ubuntu 22.04 Although adding keys directly to `/etc/apt/trusted.gpg.d`/ is suggested by apt-key deprecation message, as per [Debian Wiki](https://wiki.debian.org/DebianRepository/UseThirdParty) GPG keys for third party repositories should be added to `/usr/share/keyrings` and referenced with the `signed-by` option in the source.list.d entry. Providing a binary .gpg key instead of an ASCII Armored one might help shorten the lengthy command by removing the ` | gpg --dearmor ` bit.
Deploy preview for docsdocker ready! Built with commit 2ddacb4 |
I tried the following commands on ubuntu 20.10 while referencing this PR.
But
Did I make a mistake? |
Clearly pasted code from the wrong source. The intended change was to removed usage of `apt-add-repository` by creating an entry in /etc/apt/source.list.d/
Clearly pasted code from the wrong source. The intended change was to removed usage of `apt-add-repository` by creating an entry in /etc/apt/source.list.d/
No @m-tmatma you did not. But I did and I'm sorry I did! :) I clearly pasted from the wrong source since the intended change was to replace Thank you for pointing it out! ✌️ |
it worked. I used the following command on clean-installed ubuntu 20.10 of VMWARE 16 player.
|
You can remove the installation of I re-confirmed these commands on clean-installed Ubuntu 20.10.
|
software-properties-common provides add-apt-repository which we don't use anymore
software-properties-common provides add-apt-repository which we don't use anymore
True that! Changes made, thanks again :) ✌️ |
@denis-roy Thanks for the PR. @thaJeztah Could you PTAL? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Left a comment
Also would love @tianon to have a look at this 🤗
I should have searched for similar fixes, made one as well, which the aim first to remove Now things are doubled 😄. Good about this one is that it aligns the Ubuntu instructions as well. What could be adopted here from my PR is:
The remaining changes in my PR are to reformat instructions so that Raspbian is supported with all methods. I propose that this PR here is merged first, and I can merge and resolve conflicts with mine afterwards. |
@MichaIng - Thanks for your input
Definitely 👍
👍 here as well
Part of me agrees and the other part of me still want to leans towards Debian Wiki's Thanks again :) |
TL;DR: While I find /etc/apt/trusted.gpg.d vs /usr(/local)/share/keyrings an interesting topic, since both ways work just fine, it's not something that must block this PR from being merged IMO 😉. It's perfectly fine as it is my end! The Debian keyring package btw ships the keys in both directories: /var/lib/dpkg/info/debian-archive-keyring.conffiles
This means that those are not automatically updated with the package, but only if the admin interactively decides so during package upgrade or uses the I found this wiki, which suggests to use trusted.gpg.d: https://wiki.debian.org/SecureApt#Basic_concepts
On that argument: But no other configured repository is able to ship a signature that satisfies this key, otherwise the whole signing effort would all be nonsense 😄. And since Debian ships it's keyrings in trusted.gpg.d, the other way round, Debian signatures from Debian are accepted for all other repositories, so I don't see why this rule should apply for 3rd party repositories but not for Debian itself. If one does not trust a third party repository, it must not be added, that's it, and that's the same for the Debian repository. To me it looks like this Wiki page was written from a very single-sided perspective where Debian is trusted and 3rd party repositories are not trusted, but that is naturally not a trustable perspective. Interesting topic definitely, especially since we (DietPi OS) are using /etc/apt/trusted.gpg.d for third party repositories currently, and I'm now considering to switch to /usr/local/share/keyrings or similar to satisfy Debian's rules according to this newer Wiki, if those those turn out to be reasonable 🤔. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Btw: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you! Sorry for the long delay; this one kept dropping down my list 😊 😓.
LGTM
Thank you to all who participated 👍 |
@denis-roy has these changes since been removed from the official docs? It seems so. |
@doolio quite possible, I have not kept up since these changes were merged. It's possible for you to look at the git history if you want some insight as to when and why it might have changed: https://github.com/docker/docs/commits/main/content/engine/install/debian.md |
Proposed changes
As of Debian 10 / Ubuntu 20.10, apt-key is deprecated and will not be available after Debian 11 / Ubuntu 22.04
Although adding keys directly to
/etc/apt/trusted.gpg.d
/ is suggested by apt-key deprecation message, as per Debian Wiki GPG keys for third party repositories should be added to/usr/share/keyrings
and referenced with thesigned-by
option in the source.list.d entry.With the proposed changes, verifying the key by fingerprint is unneeded and was removed.
Applicable versions
The proposed changes are targeted at Debian 9 (Stretch) / Ubuntu 16.04 (Xenial) and onward, which is corresponding to Docker's own requirements described in the respective OS requirements sections (Debian.md & Ubuntu.md)
Side note
Providing a binary .gpg key instead of the current ASCII Armored one might help shorten the lengthy command by removing the need for the
| gpg --dearmor
bit.Related issues & PRs
apt-key add
seems unsafe - why not use a command that may only add a single key, and only AFTER fingerprint is verified? #8341