Hi Julian,

On Thu, Jul 01, 2021 at 02:02:43PM +0200, Julian Andres Klode wrote:
> Control: severity -1 minor
>
> On Thu, Jul 01, 2021 at 01:51:22PM +0200, Andreas Tille wrote:
> > I have some packages for my own use (I mean there is no reason to expect
> > that someone wants to pull things from there) on my private web page
> > which I signed with my Debian key.  This was working up to recently with
> > apt-key.  Since this was not working any more I tried to follow the
> > advice given in the error message and started reading apt-secure(8)
> > where I just found a hint to apt-key which is deprecated.
>
> There have been no changes on our side.

That's strange.

> > IMHO users who are using third party repositories will get a broken
> > system after upgrading to Debian 11 and there is no helpful hint given
> > how to fix it.
> >
> > BTW, I did some
> >
> >    apt-key del 578A0494D1C646D1
> >    OK
> >
> > > added my key to /etc/apt/trusted.gpg.d/fam-tille.gpg
>
> So you used --keyring /etc/apt/trusted.gpg.d/fam-tille.gpg
> instead of --export > /etc/apt/trusted.gpg.d/fam-tille.gpg?
>
> Did you read the apt-key(8) manual page?
>
>    apt-key supports only the binary OpenPGP format (also known as
>    "GPG key public ring") in files with the "gpg" extension, not the
>    keybox database format introduced in newer gpg(1) versions
>    as default for keyring files. Binary keyring files
>    intended to be used with any apt version should therefore
>    always be created with gpg --export.
>
> This problem happened to a lot of people, ever since gpg 2 became
> the default which switched --keyring to generate not keyrings, but
> keybox databases.

I admit the problem that it did not work yet was just on my end - I
simply copied over the wrong key.  Sorry for that part of the noise.

> > and added an according
> >
> >    [signed-by=/etc/apt/trusted.gpg.d/fam-tille.gpg]
> >
> > option to the sources.list line ... and it does not yet work.  So I
> > think it is critical to point to a solution that *really* works.
>
> Well, it should if you have a proper GPG keyring file, and not a
> keybox file.

... the format was OK, just an old key.  (Hiding behind some stone.)

> > Due to potentially breaking user systems I wonder if someone agrees
> > with bumping the severity of the bug to serious.
>
> I disagree, and think this bug is a minor documentation issue,
> your issue here is likely outside the computer.

I stick to the opinion that apt-secure pointing to apt-key which is
deprecated is simply the wrong thing.  I would love to see some kind
of example like

   [signed-by=/etc/apt/trusted.gpg.d/your-key.gpg]

directly and I think this should become part of Debian 11 release.  But
I will not play severity ping-pong - just stating my very personal
opinion about some direct help in our docs.  IMHO this is specifically
important since *lots* of links that can be found by your favourite
search engine are advertising the use of apt-key.

Kind regards

       Andreas.

-- 
http://fam-tille.de
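
The keybox-versus-binary-keyring mix-up described in the quoted apt-key(8) text can be checked from a file's first bytes. The following is an added example, not part of the original mail or of apt; the function names and sample files are hypothetical, and it assumes the keybox header blob carries the magic "KBXf" at byte offset 8 and that a binary export starts with an OpenPGP public-key packet (tag 6).

```python
import pathlib
import tempfile

KEYBOX_MAGIC = b"KBXf"   # magic of the keybox header blob, at byte offset 8
ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"
PUBLIC_KEY_TAG = 6       # OpenPGP packet tag of a public-key packet


def classify_keyring(data: bytes) -> str:
    """Classify the leading bytes of a keyring file by format."""
    if not data:
        return "empty"
    if data[8:12] == KEYBOX_MAGIC:
        return "keybox"
    if data.lstrip().startswith(ARMOR_HEADER):
        return "openpgp-armored"
    first = data[0]
    if first & 0x80:  # bit 7 is set on every OpenPGP packet header
        # New-format headers keep the tag in bits 5-0, old-format in bits 5-2.
        tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
        if tag == PUBLIC_KEY_TAG:
            return "openpgp-binary"
    return "unknown"


def audit_keyring_dir(directory) -> dict:
    """Map each *.gpg file in `directory` to its detected format."""
    results = {}
    for path in sorted(pathlib.Path(directory).glob("*.gpg")):
        results[path.name] = classify_keyring(path.read_bytes()[:64])
    return results


def build_samples(directory):
    """Write constructed sample files (headers only, not real keys)."""
    d = pathlib.Path(directory)
    # Constructed: old-format public-key packet header (0x99, 2-byte length).
    (d / "exported.gpg").write_bytes(b"\x99\x01\x0d\x04" + bytes(32))
    # Constructed: keybox header blob (length, type, version, flags, magic).
    (d / "keybox.gpg").write_bytes(b"\x00\x00\x00\x20\x01\x01\x00\x02KBXf" + bytes(20))
    (d / "armored.gpg").write_bytes(ARMOR_HEADER + b"\n\n(constructed)\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        for name, fmt in audit_keyring_dir(tmp).items():
            verdict = "ok" if fmt == "openpgp-binary" else "NOT the binary format"
            print(f"{name}: {fmt} ({verdict})")
```

Pointing `audit_keyring_dir` at a real keyring directory reports which `.gpg` files are not binary exports; it checks the container format only and says nothing about whether the key inside is the current one.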