On 18.07.23 at 11:36, Andrew Ruthven wrote:
Apt will then trust all the keyrings in
/etc/apt/trusted.gpg.d . This isn't really ideal, and I'd prefer to use
Signed-By to specify which GPG keyring to trust for our various additional
repositories.
Just out of curiosity:
What security benefit do
Hey,
This is almost what I did. We already have a postinst for all our
files/etc/apt/sources.list.d/X directories to substitute in distro names and
URLs, so I added:
# See if we need to fcopy a signing key in
key=$(grep signed-by= $2 | sed -E 's/.*signed-by=(.+?asc)( |\]).*/\1/')
if [ "$key" !=
I placed 'em under
/srv/salt/_files/etc/apt/keyrings/-archive-keyring.gpg and
repositories have
deb [signed-by=/etc/apt/keyrings/-archive-keyring.gpg arch=amd64]
https://...
gluster.sls uses:
-8<--
create-keyrings-dir:
  file.directory:
    - name: /etc/apt/keyrings/
    - user: root
    - group:
I would suggest you use a hook with an fcopy command to put
those files in some other locations.
> On Tue, 18 Jul 2023 21:36:04 +1200, Andrew Ruthven
> said:
> Hey,
> I see that FAI since 5.8.7 will install package_config/CLASS.gpg
> into /etc/apt/trusted.gpg.d/ . Apt
Hey,
I see that FAI since 5.8.7 will install package_config/CLASS.gpg
into /etc/apt/trusted.gpg.d/ . Apt will then trust all the keyrings in
/etc/apt/trusted.gpg.d . This isn't really ideal, and I'd prefer to use
Signed-By to specify which GPG keyring to trust for our various additional