Timo Weingärtner <t...@debian.org> writes:

> Please don't use /etc/apt/trusted* for 3rd-party repositories. If a key
> is in there its owner can impersonate the official debian repos for
> default setups.¹ Please use some other path (such as
> /var/lib/extrepo/keyrings/) for the keyrings and connect it with
> "Signed-By:" [1].

> I just changed my /etc/apt/sources.list.d/debian.sources to have:
> Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

I have a personal repository and a corresponding eyrie-archive-keyring
package to install the trusted keys. Is there a best practice document
somewhere for how I should set this up? I'm currently installing keyrings
in /etc/apt/trusted.gpg.d because I thought that was how *-archive-keyring
packages were supposed to work, but this area seems a bit underdocumented
(or at least I've not found the right documentation).

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>