On Sun, 2019-11-03 at 11:04:01 -0800, Russ Allbery wrote:
> Timo Weingärtner <t...@debian.org> writes:
>
> > Please don't use /etc/apt/trusted* for 3rd-party repositories. If a key
> > is in there its owner can impersonate the official debian repos for
> > default setups.¹ Please use some other path (such as
> > /var/lib/extrepo/keyrings/) for the keyrings and connect it with
> > "Signed-By:" [1].
>
> I just changed my /etc/apt/sources.list.d/debian.sources to have:
>
> Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
>
> I have a personal repository and a corresponding eyrie-archive-keyring
> package to install the trusted keys. Is there a best practice document
> somewhere for how I should set this up?
I don't think there is. The closest seems to be
<https://wiki.debian.org/DebianRepository/UseThirdParty>, which is not
covering archive-keyring packages. Personally I think I've been picking up
these things from following closely apt's development and having to deal
with a couple of these archive-keyring packages.

> I'm currently installing keyrings
> in /etc/apt/trusted.gpg.d because I thought that was how *-archive-keyring
> packages were supposed to work, but this area seems a bit underdocumented
> (or at least I've not found the right documentation).

The official archive-keyring packages that use these, I think it's mostly
for backwards compatibility reasons.

I'd say best practice is to ship keyrings under /usr/share/keyrings/, and
not under /etc/apt/trusted.gpg.d/. Split the keys into keyrings that will
not give more access than necessary. Use «Signed-By:» if you ship source
list files. And personally I ship those in deb822 format, because they are
easier to read and deal with automatically, and make it easy to disable
them after the fact, or even ship them disabled by default with the
«Enabled: no» field.

Thanks,
Guillem
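As an added illustration of the advice in this thread (not code from any of the participants or from apt itself): a small audit of deb822 source stanzas that flags entries without a Signed-By field, which fall back to the global /etc/apt/trusted.gpg* store, and entries whose Signed-By keyring lives under /etc/apt/trusted*, where the key is globally trusted anyway. The sample stanzas and their URIs are constructed.

```python
"""Audit deb822 apt source stanzas for per-repository keyring scoping."""

# Constructed sample: the first stanza follows the thread's advice
# (keyring under /usr/share/keyrings/, shipped disabled); the second
# has no Signed-By at all and so trusts every key apt trusts globally.
SAMPLE = """\
Types: deb
URIs: https://archive.example.invalid/debian
Suites: bookworm
Components: main
Signed-By: /usr/share/keyrings/example-archive-keyring.gpg
Enabled: no

Types: deb
URIs: https://other.example.invalid/debian
Suites: stable
Components: main
"""


def parse_deb822(text):
    """Split deb822 text into stanzas (dict field -> value).

    Blank lines separate stanzas; lines starting with whitespace continue
    the previous field (deb822 allows an inline OpenPGP block in Signed-By).
    """
    stanzas, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last_key = {}, None
        elif line[0] in " \t" and last_key is not None:
            current[last_key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def audit(text):
    """Return (URIs, reason) for every stanza whose trust is not repo-scoped."""
    findings = []
    for stanza in parse_deb822(text):
        uris, signed_by = stanza.get("URIs", "?"), stanza.get("Signed-By")
        if signed_by is None:
            findings.append((uris, "no Signed-By: accepts any key in /etc/apt/trusted.gpg*"))
        elif signed_by.startswith("/etc/apt/trusted"):
            findings.append((uris, "Signed-By keyring under /etc/apt/trusted*: key is also globally trusted"))
    return findings
```

Running `audit(open("/etc/apt/sources.list.d/foo.sources").read())` on a real file lists only the stanzas that need attention; an empty result means every stanza pins its own keyring outside the global trust store.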