Hello Wouter Verhelst,

On 03.11.19 18:35, Wouter Verhelst wrote:
> The software from the package downloads the metadata index and validates
> the GPG signature; and if everything checks out, adds configuration to
> /etc/apt/sources.list.d and /etc/apt/trusted.gpg.d to enable the
> repository.
Please don't use /etc/apt/trusted* for 3rd-party repositories. If a key is in there, its owner can impersonate the official Debian repos for default setups.¹ Please use some other path (such as /var/lib/extrepo/keyrings/) for the keyrings and connect it with "Signed-By:" [1].

I just changed my /etc/apt/sources.list.d/debian.sources to have:

Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Regards
Timo

¹ there are still other attack vectors as soon as you install a package from such a repo

[1] sources.list(5)
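As an added illustration of the point above (not code from the list message or from extrepo), the following POSIX shell helper audits a deb822-style `.sources` file and reports every stanza that has no `Signed-By:` field, since such a stanza is authenticated by whatever keys sit in /etc/apt/trusted.gpg.d and therefore by any 3rd-party key dropped there. It also flags stanzas whose `Signed-By:` itself points under /etc/apt/trusted.gpg.d, because a key in that directory is trusted for every repository regardless of the field. The function names and the sample file contents are constructed for this example; the repository URL in the sample is a placeholder.

```shell
#!/bin/sh
# audit_sources FILE
# Prints one line per finding and returns 1 if any stanza in FILE lacks
# Signed-By or points Signed-By at the globally trusted keyring directory.
# (Example helper for this thread; not part of apt or extrepo.)
audit_sources() {
    awk 'BEGIN { RS = ""; FS = "\n"; findings = 0 }
    {
        uri = ""; signed = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^URIs:/)      { uri = $i;    sub(/^URIs:[ \t]*/, "", uri) }
            if ($i ~ /^Signed-By:/) { signed = $i; sub(/^Signed-By:[ \t]*/, "", signed) }
        }
        # Stanzas without a URIs: line are comments or blank paragraphs.
        if (uri == "") next
        if (signed == "") {
            print "missing Signed-By: " uri
            findings++
        } else if (signed ~ /^\/etc\/apt\/trusted\.gpg\.d\//) {
            print "Signed-By under trusted.gpg.d (globally trusted anyway): " uri
            findings++
        }
    }
    END { exit (findings > 0) }' "$1"
}

# write_sample_sources FILE
# Writes a constructed deb822 sources file: one stanza pinned to the
# Debian archive keyring and one 3rd-party stanza with no Signed-By.
write_sample_sources() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
Types: deb
URIs: http://deb.debian.org/debian
Suites: bookworm
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: https://thirdparty.example.invalid/debian
Suites: stable
Components: main
EOF
}

# Stand-alone usage: audit the file given as the first argument, or the
# constructed sample when run without arguments.
if [ -n "${1:-}" ]; then
    audit_sources "$1"
elif [ -z "${AUDIT_SOURCES_NO_DEMO:-}" ]; then
    demo=$(mktemp)
    write_sample_sources "$demo"
    audit_sources "$demo" || true
    rm -f "$demo"
fi
```

Running the script without arguments reports only the 3rd-party stanza; pointing it at /etc/apt/sources.list.d/*.sources shows which repositories on a system are still authenticated by the global keyring directory instead of a dedicated, repository-specific keyring.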