[pkg-gnupg-maint] Bug#851774: Stop using apt-key add to add keys in generators/60local
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sun Feb 5 05:23:19 UTC 2017
On Sat 2017-02-04 19:48:54 -0500, Cyril Brulebois wrote:
> I'm fine with (discovering and) following best practices.
:)
> [ dkg wrote: ]
>> Regardless of the choice of filesystem location (fragment directory or
>> elsewhere), gpgv does want to see the curated keyrings it depends on
>> in binary format, so on to the next bit:
>
> I'm a bit confused here: apt-get update (in a sid chroot, not attempted
> in d-i) is fine with an armor key in the fragment directory; are you
> saying that using the Signed-by option for sources.list would mean
> having to have a (curated) keyring, and an non-armored version, hence
> the need for the transformation you're suggesting below?
Sorry, i guess it's possible that apt is doing something fancier that i
don't know about, then.
gpgv on its own expects the --keyring files it encounters to be either a
sequence of raw OpenPGP packets that together form a series of OpenPGP
certificates (a.k.a. "a keyring") or GnuPG's "keybox" format. AFAIK,
gpgv does not accept ascii-armored files for its --keyring argument.
maybe the apt folks can weight in on what's going on with armored
fragments? If it's converting them before handing them off to gpgv,
maybe you can just count on it to convert the files that aren't in the
fragment directory as well?
> Remember we're talking about adding extra repositories with custom d-i
> configuration, so I'm fine with people having broken stuff because they
> pasted a whole mail…
agreed, we can expect these folks to get the details right.
> No awk in d-i, so I'll go with the strict version and we'll see if we
> have users who could complain and why.
bummer, no awk!
> Depending on answers to various questions above, we'll see about adding
> new applets to busybox if needed.
I hope you saw my followup using uudecode instead of base64. However,
it's still awk-dependent. :/
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20170205/d11fb0d5/attachment-0001.sig>
More information about the pkg-gnupg-maint
mailing list