On Thu 2018-05-17 08:45:18 +0000, Fiedler Roman wrote:

> As gnupg starts getting more and more problematic regarding some
> functions (see the discussions on command line/unattended use), Ubuntu
> Bionic AND Debian Buster dropped it from their debootstrap

I don't know about Ubuntu Bionic, but for Debian Buster this is simply
false. Buster relies on gpgv (which is part of the GnuPG suite) for
validating archive signatures.

> and replaced the apt-key management parts with own solutions.

apt-key has been deprecated for a while now. I don't think I've seen a
secure use of apt-key that I can really encourage anywhere.

If you want to do sane cryptographic controls on repositories, you
should (a) place the key for a given repo somewhere sensible in the
filesystem (e.g. /usr/share/keyrings/REPONAME-keyring.gpg), and (b) add
a Signed-By: line to your .sources file (or a signed-by option to the
line in your .list file). See sources.list(5) and
https://wiki.debian.org/DebianRepository/UseThirdParty for more details.

See also https://bugs.debian.org/877012 for suggestions about
improvements to scoped cryptographic authorities for the default
installation of Debian repositories.

> Hence "apt-key import" will not work any more on debootstrap templates
> (thus in containerized environments) because gnupg is in process of
> removal from essential system parts.

Again, this is simply not true. E-mail itself (let alone encrypted
mail) is not an essential system part, but cryptographic software update
verification *is* an essential system part, and Debian continues to
depend on gpgv for that purpose.

--dkg
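As an added example, not code from the thread or from Debian: a small POSIX shell script that emits the scoped deb822 stanza dkg describes (keyring under /usr/share/keyrings/REPONAME-keyring.gpg plus a Signed-By: field) and audits existing .list/.sources files for repository entries that carry no key scope at all. The repository name, URI and suite are placeholders; the keyring directory follows the convention named above.

```shell
#!/bin/sh
# Added example, not from the thread. Step (a)/(b) from the reply above:
# a per-repo keyring under KEYRING_DIR and a Signed-By: field scoping it
# to one repository, plus an audit for apt sources lacking any scope.
# Repository name, URI and suite below are placeholders.
set -eu

KEYRING_DIR="${KEYRING_DIR:-/usr/share/keyrings}"   # assumed convention

# write_scoped_source NAME URI SUITE COMPONENTS
# Prints a deb822 stanza for /etc/apt/sources.list.d/NAME.sources whose
# Signed-By: limits which key may sign this repository's Release file.
write_scoped_source() {
    name=$1; uri=$2; suite=$3; comps=$4
    cat <<EOF
Types: deb
URIs: $uri
Suites: $suite
Components: $comps
Signed-By: $KEYRING_DIR/$name-keyring.gpg
EOF
}

# audit_sources FILE...
# Reports files containing a repository entry with no key scope:
#   *.list    : an uncommented deb/deb-src line without a signed-by= option
#   *.sources : a deb822 stanza with Types: but no Signed-By: field
# Returns 1 if any such entry is found, 0 otherwise.
audit_sources() {
    status=0
    for f in "$@"; do
        case "$f" in
        *.list)
            if grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$f" | grep -vq 'signed-by='; then
                echo "UNSCOPED: $f"; status=1
            fi ;;
        *.sources)
            # RS="" makes awk read blank-line separated stanzas as records
            if awk 'BEGIN { RS = "" } /(^|\n)Types:/ && !/(^|\n)Signed-By:/ { found = 1 }
                    END { exit !found }' "$f"; then
                echo "UNSCOPED: $f"; status=1
            fi ;;
        esac
    done
    return $status
}
```

Source the script and run `write_scoped_source example https://repo.example.invalid/debian stable main > /etc/apt/sources.list.d/example.sources` after placing the key at /usr/share/keyrings/example-keyring.gpg; `audit_sources /etc/apt/sources.list.d/*` then lists any remaining unscoped entries.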
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users