Hi.

Johannes Schauer Marin Rodrigues <jo...@debian.org> writes:

> It seems that /etc/apt/trusted.gpg is a historic relic and keys from it are
> removed by the postinst of debian-archive-keyring with the following code
> comment next to it:
>
> # remove keys from the trusted.gpg file as they are now shipped in fragment
> # files in trusted.gpg.d

OK. Good to know. Thanks for looking it up.


> I probably never should've added the --keyring argument. Its documentation
> already states:
>
>> Since apt only supports a single keyring file and directory, respectively,
>> you can not use this option to pass multiple files and/or directories.

I did see that note. But for most other stuff in /etc the main config
lives in /etc/thing, and optional extra stuff lives in /etc/thing.d/ so
my (incorrect!) assumption was that the main keys live in
/etc/apt/trusted.gpg and if I added my extra thing to
/etc/apt/trusted.gpg.d/ then I'd have the full set of stuff. If we
transitioned to /etc/apt/trusted.gpg.d/ being the main set of keys, we
REALLY should delete /etc/apt/trusted.gpg to avoid any confusion.

I do think --keyring can be useful if we change what it does. mmdebstrap
can gather all the keys in all the --keyring arguments, put them all
into a new directory, feed that to Dir::Etc::TrustedParts, and put that
into /etc/apt/trusted.gpg.d/ in the final chroot. You can say that
without any --keyring arguments it uses /etc/apt/trusted.gpg and
/etc/apt/trusted.gpg.d/, but with any --keyring you have to specify them
all explicitly, including /etc/apt/....


> You can create a directory and copy your keys into it, yes. But the docs for
> --keyring also suggest that you use signed-by instead. Is that not a better
> solution than copying keys from debian-archive-keyring around? If you use
> signed-by you also do not need the --keyring argument anymore.

I saw that too. I had a reason to not do that, but I now think that
reason is wrong. I was concerned that I could have different keys for
signing the repository (InRelease file) and for signing the various
packages inside it. But the only key I care about here is the
repo-signing key, so that signed-by would have been just fine, I think.

I like your documentation patch. And now that I realize that the
repository key is the main one to care about, maybe --keyring isn't
needed most of the time, as you say.

Thanks for looking at this.
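As an added example that is not part of this thread, a small Python audit of apt source definitions: it parses both the one-line and the deb822 formats and lists the entries that carry no signed-by, i.e. the ones whose InRelease verification still falls back to the global trusted.gpg and trusted.gpg.d keyring discussed above. The sample entries, URIs and keyring paths in it are constructed.

```python
"""Audit apt sources for entries that carry no signed-by (added example,
not from the thread). Such entries are verified against the global
keyring (trusted.gpg plus trusted.gpg.d). Sample input is constructed."""
import re

ONELINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")

SAMPLE_LIST = """
deb http://deb.debian.org/debian bookworm main
deb [signed-by=/usr/share/keyrings/example-keyring.gpg] https://repo.example.org/debian stable main
"""
SAMPLE_DEB822 = """
Types: deb
URIs: https://mirror.example.org/debian
Suites: bookworm bookworm-updates
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
"""

def parse_one_line(text):
    """Classic sources.list lines -> list of (uri, suite, signed_by)."""
    out = []
    for line in text.splitlines():
        m = ONELINE_RE.match(line.split("#", 1)[0].strip())
        if m:
            opts = dict(o.split("=", 1) for o in (m.group(2) or "").split() if "=" in o)
            out.append((m.group(3), m.group(4), opts.get("signed-by")))
    return out

def parse_deb822(text):
    """deb822 .sources stanzas -> list of (uri, suite, signed_by)."""
    out = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in stanza.splitlines():
            if line.startswith((" ", "\t")) and last:  # continuation (inline key)
                fields[last] += "\n" + line.strip()
            elif ":" in line and not line.startswith("#"):
                last, v = line.split(":", 1)
                last = last.strip().lower()
                fields[last] = v.strip()
        key = fields.get("signed-by", "").strip() or None
        for uri in fields.get("uris", "").split():
            for suite in fields.get("suites", "").split():
                out.append((uri, suite, key))
    return out

def unpinned(entries):
    """Entries whose trust falls back to the global apt keyring."""
    return [(u, s) for u, s, k in entries if not k]
```

Run it against the real files under /etc/apt/ to see which repositories would still accept an InRelease signed by any key left in trusted.gpg.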
