Public bug reported:

PPAs are third party repositories. For security reasons, PGP keys for these must not be placed in /etc/apt/trusted.gpg.d, according to this document:
https://wiki.debian.org/DebianRepository/UseThirdParty

They should instead be saved to /usr/share/keyrings, and the generated .list file for the repo added should refer to its particular key by using a [signed-by=/usr/share/keyrings/...] argument.

This ensures that the downloaded PGP key will only be used to verify a particular repository and is not globally available to verify package lists of all configured repositories (as are all keys found in /etc/apt/trusted.gpg.d).

Please fix add-apt-repository accordingly.

Ubuntu 20.04.2 LTS
software-properties-common 0.98.9.5

** Affects: software-properties (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1933537

Title:
  add-apt-repository should store PGP keys in /usr/share/keyrings because /etc/apt/trusted.gpg.d is deprecated for third party repos
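
An added example, not part of the bug report or of software-properties: a small Python audit that classifies one-line APT source entries by whether they are tied to their own keyring with `signed-by`. The sample entries, host names and keyring file names are constructed for illustration.

```python
import re

# Constructed sample of one-line-style APT source entries (not from a real system).
SAMPLE_LIST = """\
# third party sources
deb http://ppa.launchpad.net/example/ppa/ubuntu focal main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.org/apt stable main
deb [signed-by=/etc/apt/trusted.gpg.d/other.gpg] https://other.example.org/apt stable main
# deb-src http://ppa.launchpad.net/example/ppa/ubuntu focal main
"""

# Entry type, optional [options] block, URI, suite.
ENTRY = re.compile(r"^(?:deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s*)?(?P<uri>\S+)\s+\S+")


def parse_entry(line):
    """Return (uri, [signed-by values]) for a source entry, or None otherwise."""
    m = ENTRY.match(line.split("#", 1)[0].strip())
    if not m:
        return None
    opts = dict(o.split("=", 1) for o in (m.group("opts") or "").split() if "=" in o)
    # signed-by may hold several comma-separated keyring paths or fingerprints.
    keys = [k for k in opts.get("signed-by", "").split(",") if k]
    return m.group("uri"), keys


def is_global(key):
    """True if the keyring is one APT consults for every configured repository."""
    return key == "/etc/apt/trusted.gpg" or key.startswith("/etc/apt/trusted.gpg.d/")


def audit(text):
    """Return (line number, uri, status) for every active entry in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        uri, keys = entry
        if not keys:
            status = "unpinned"      # verified against every globally trusted key
        elif any(is_global(k) for k in keys):
            status = "global-key"    # pinned, but the key still sits in the global store
        else:
            status = "pinned"        # key is used for this repository only
        findings.append((number, uri, status))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LIST):
        print(*finding)
```
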
