On Thu 2018-05-17 08:45:18 +0000, Fiedler Roman wrote:
> As gnupg starts getting more and more problematic regarding some
> functions (see the discussions on command line/unattended use), Ubuntu
> Bionic AND Debian Buster dropped it from their debootstrap

I don't know about Ubuntu Bionic, but for Debian Buster this is simply

Buster relies on gpgv (which is part of the GnuPG suite) for validating
archive signatures.

> and replaced the apt-key management parts with own solutions.

apt-key has been deprecated for a while now.  I don't think i've seen a
secure use of apt-key that i can really encourage anywhere.

If you want to do sane cryptographic controls on repositories, you
should (a) place the key for a given repo somewhere sensible in the
filesystem (e.g. /usr/share/keyrings/REPONAME-keyring.gpg), and (b) add
a Signed-By: line to your .sources file (or a signed-by option to the
line in your .list file).

See sources.list(5) and
https://wiki.debian.org/DebianRepository/UseThirdParty for more details.

See also https://bugs.debian.org/877012 for suggestions about
improvements to scoped cryptographic authorities for the default
installation of debian repositories.

> Hence "apt-key import" will not work any more on debootstrap templates
> (thus in containerized environments) because gnupg is in process of
> removal from essential system parts.

Again, this is simply not true.  e-mail itself (let alone encrypted
mail) is not an essential system part, but cryptographic software update
verification *is* an essential system part, and debian continues to
depend on gpgv for that purpose.
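The per-repository scoping described above (a keyring under /usr/share/keyrings and a Signed-By: line in the .sources file, or a signed-by option in the .list line) as an added example, not code from the e-mail or from Debian itself. It writes both forms into a scratch directory rather than /etc, uses a constructed repository URI (deb.example.org) and an empty placeholder file in place of a real keyring, and includes a small audit that flags sources with no Signed-By at all, since such a source falls back to the globally trusted keyrings instead of the one key the repository should be limited to.

```shell
#!/bin/sh
# Added example (not from the e-mail): scoped apt sources with Signed-By,
# plus an audit for unscoped or key-less sources. Everything is written under
# a scratch WORKDIR so it never touches the running system's /etc or /usr.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEYRING_DIR="$WORKDIR/usr/share/keyrings"
SOURCES_DIR="$WORKDIR/etc/apt/sources.list.d"
mkdir -p "$KEYRING_DIR" "$SOURCES_DIR"

# write_deb822_source NAME URI SUITE COMPONENTS
# deb822 (.sources) form with a Signed-By: line pointing at the
# /usr/share/keyrings/NAME-keyring.gpg path convention the e-mail recommends.
write_deb822_source() {
    name=$1; uri=$2; suite=$3; components=$4
    cat > "$SOURCES_DIR/$name.sources" <<EOF
Types: deb
URIs: $uri
Suites: $suite
Components: $components
Signed-By: /usr/share/keyrings/$name-keyring.gpg
EOF
}

# write_list_source NAME URI SUITE COMPONENTS
# The older one-line (.list) form with the equivalent signed-by option.
write_list_source() {
    name=$1; uri=$2; suite=$3; components=$4
    printf 'deb [signed-by=/usr/share/keyrings/%s-keyring.gpg] %s %s %s\n' \
        "$name" "$uri" "$suite" "$components" > "$SOURCES_DIR/$name.list"
}

# source_signed_by FILE
# Prints the keyring path the source is scoped to; returns 1 when the file
# carries no Signed-By / signed-by, i.e. when apt would accept any key in the
# global trusted keyrings for that repository.
source_signed_by() {
    file=$1
    case "$file" in
        *.sources) sed -n 's/^Signed-By:[[:space:]]*//p' "$file" ;;
        *.list)    sed -n 's/.*\[.*signed-by=\([^] ]*\).*\].*/\1/p' "$file" ;;
    esac | grep . || return 1
}

# audit_sources
# Returns 0 if every source in SOURCES_DIR is scoped to a keyring that exists
# under WORKDIR; reports each offender on stderr and returns 1 otherwise.
audit_sources() {
    rc=0
    for f in "$SOURCES_DIR"/*.sources "$SOURCES_DIR"/*.list; do
        [ -e "$f" ] || continue
        if ! key=$(source_signed_by "$f"); then
            echo "UNSCOPED: $f has no Signed-By" >&2; rc=1; continue
        fi
        if [ ! -f "$WORKDIR$key" ]; then
            echo "MISSING KEYRING: $f references $key" >&2; rc=1
        fi
    done
    return $rc
}

# Usage: one scoped repository with its (placeholder) keyring in place.
# Constructed values: the URI is not a real repository and the keyring is an
# empty file standing in for the repository's actual public key.
write_deb822_source example https://deb.example.org/debian stable main
: > "$KEYRING_DIR/example-keyring.gpg"
audit_sources && echo "all sources scoped to an existing keyring"
```

The audit's second check matters as much as the first: a Signed-By line that names a keyring which is not installed leaves the repository unusable rather than unscoped, so the key file and the source entry have to ship together (the Debian wiki page linked above describes that packaging convention).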


Gnupg-users mailing list