[Bug 1862764] Re: add-apt-repository should use signed-by
My goal would be to switch to deb822 sources for this with the key embedded in the .sources file. We're still missing the ability to edit those files graphically however, that needs to be implemented first.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1862764

Title:
  add-apt-repository should use signed-by

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/1862764/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1862764] Re: add-apt-repository should use signed-by
I started using Ubuntu 22.04 and this issue started to occur.

The 'add-apt-repository' command adds the gpg key of the PPA repository in the trusted.gpg file (/etc/apt/trusted.gpg)

As commented above, the PPA repositories are not being included in the sources.list file (/etc/apt/sources.list) or in the directory /etc/apt/sources.list.d/ with the parameter [signed-by=]

Workaround:

While the fix doesn't come, the way is to adapt the repository in this way:

1- $ sudo add-apt-repository ppa:author/project
2- $ apt-key list
3- $ gpg --export | sudo tee /etc/apt/trusted.gpg.d/.gpg
4- $ sudo nano /etc/apt/sources.list.d/repository-name.list
5- Find & Replace:
   deb http://ppa.launchpad.net/author/project/ubuntu jammy main
   by
   deb [signed-by=/etc/apt/trusted.gpg.d/.gpg] http://ppa.launchpad.net/author/project/ubuntu jammy main
6- Save the changes and run 'sudo apt update' again
[Bug 1862764] Re: add-apt-repository should use signed-by
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: python-apt (Ubuntu)
   Status: New => Confirmed
[Bug 1862764] Re: add-apt-repository should use signed-by
** Changed in: software-properties (Debian)
   Status: Unknown => New
[Bug 1862764] Re: add-apt-repository should use signed-by
I'm on Ubuntu 22.04 and I'm getting the warning of deprecated location for keys multiple times. I know that for now I can ignore it, but I'm pretty sure that a lot of people are using PPAs/external repos and will be scared of the warnings.

** Also affects: python-apt (Ubuntu)
   Importance: Undecided
   Status: New

** Bug watch added: Debian Bug tracker #995895
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995895

** Also affects: software-properties (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995895
   Importance: Unknown
   Status: Unknown
[Bug 1862764] Re: add-apt-repository should use signed-by
Can confirm all of the above.

https://fostips.com/apt-key-deprecated-right-way-add-repository
https://www.north-47.com/knowledge-base/how-to-securely-install-apps-on-debian-based-linux-distros/

With apt-key being deprecated and a transition to more secure (better) restriction of repository trust via "signed-by", we definitely need add-apt-repository to support this ASAP.

After Ubuntu 20.04 apt-key will no longer be present and well before the next LTS we need tooling/documentation to leverage the new recommended approach.
[Bug 1862764] Re: add-apt-repository should use signed-by
The 'signed-by' field is not supported in the python-apt classes that are used by add-apt-repository and the GUI software-properties.

- When adding a new source there's no argument to provide 'signed-by' or 'trusted' options, so those cannot be added via add-apt-repository or the GUI software-properties until that is corrected, and this omission appears to exist upstream:
  https://git.launchpad.net/python-apt/tree/aptsources/sourceslist.py#n309

- Adding 'signed-by' to the output of the sources so it gets written to the sources list would be needed:
  https://git.launchpad.net/python-apt/tree/aptsources/sourceslist.py#n232

- And then it'll get ignored when subsequently reading the sources list, as any option fields present other than 'arch' and 'trusted' result in the line being flagged as invalid; this results in the source not being listed in the software-properties sources list - and that's actually how I ended up here trying to work out if that failure to display had been reported as a bug yet. So that too needs to be updated:
  https://git.launchpad.net/python-apt/tree/aptsources/sourceslist.py#n196

These three changes all appear to be upstream, and navigating the Debian site was not as straightforward as here, so I'm not really clear on where to submit a patch to make it happen, nor how easy it would be to pull back here, so I figured I could throw the details here for someone that's more familiar with that!
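An added example (not part of the thread and not python-apt's own code): a parser for one-line sources entries that keeps signed-by and any other option when reading and writing, instead of flagging the line as invalid, plus an audit that reports entries relying on the global keyring or on trusted=yes. The function names, the sample lines and the host repo.example are assumptions made for illustration.

```python
import re

# One-line-style entry: type, optional [options], URI, suite, components.
ENTRY_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>[^\[\s]\S*)\s+(?P<suite>\S+)(?P<comps>(?:\s+\S+)*)$"
)

def parse_entry(line):
    """Parse one entry; None for blanks, comments and malformed lines."""
    m = ENTRY_RE.match(line.split("#", 1)[0].strip())
    if not m:
        return None  # includes an unclosed "[" option block
    options = {}
    for item in (m.group("opts") or "").split():
        key, sep, value = item.partition("=")
        if not sep or not value:
            return None  # every option needs key=value
        options[key] = value.split(",")
    return {"type": m.group("type"), "options": options, "uri": m.group("uri"),
            "suite": m.group("suite"), "components": m.group("comps").split()}

def format_entry(entry):
    """Write the entry back out, keeping every option that was parsed."""
    opts = " ".join(f"{k}={','.join(v)}" for k, v in entry["options"].items())
    head = f"{entry['type']} [{opts}]" if opts else entry["type"]
    return " ".join([head, entry["uri"], entry["suite"], *entry["components"]])

def audit(lines):
    """Return (uri, finding) for entries not pinned to a specific keyring."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        if entry["options"].get("trusted") == ["yes"]:
            findings.append((entry["uri"], "trusted=yes: signature checks bypassed"))
        elif "signed-by" not in entry["options"]:
            findings.append((entry["uri"], "no signed-by: any globally trusted key accepted"))
    return findings

# Constructed sample entries (placeholder PPA and hosts, not real repositories).
SAMPLE = [
    "deb http://ppa.launchpad.net/author/project/ubuntu jammy main",
    "deb [arch=amd64 signed-by=/usr/share/keyrings/mykey.gpg] https://my.repo/ impish main",
    "deb [trusted=yes] https://repo.example/ stable main",
    "deb [signed-by=/usr/share/keyrings/mykey.gpg https://my.repo/ impish main",
]

if __name__ == "__main__":
    for uri, finding in audit(SAMPLE):
        print(uri, "->", finding)
```

The last sample line has an unclosed option block and is rejected by the parser rather than being read with the bracketed text as its URI.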
[Bug 1862764] Re: add-apt-repository should use signed-by
add-apt-repository also silently deletes the [trusted=yes] option, which is appropriate but undocumented. There needs to be clearer documentation on which options work and which don't. Hopefully all options are supported.
[Bug 1862764] Re: add-apt-repository should use signed-by
According to https://wiki.debian.org/DebianRepository/UseThirdParty I have to put third-party keys in /usr/share/keyrings, but a command like

add-apt-repository -y "deb [signed-by=/usr/share/keyrings/mykey.gpg] https://my.repo/ impish main"

fails. If I understand correctly, this means that add-apt-repository cannot be used for third-party repos (at least not according to Debian’s security standards).
[Bug 1862764] Re: add-apt-repository should use signed-by
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: software-properties (Ubuntu)
   Status: New => Confirmed