From 6c4eb4f361814dd007ab28a2069d09efd2d22511 Mon Sep 17 00:00:00 2001 From: John Goerzen Date: Sun, 17 Apr 2022 05:45:00 -0500 Subject: [PATCH] Modernize apt installation instructions and improve security (#192) Modern Debian-derived distributions will issue a deprecation warning for the usage of apt-key add as listed here. Additionally, by using that apt-key command, the given key is recognized as valid for all repositories in /etc/apt/sources.list* -- not just this one. By using the more modern mechanism, we can avoid that warning and also import this key in such a way that it is only valid for this repository. Other projects are also using this method; for instance: https://apt.syncthing.net/ This post explains the security risks of apt-key: https://blog.cloudflare.com/dont-use-apt-key/ --- installation-linux-deb.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/installation-linux-deb.md b/installation-linux-deb.md index fd50d63..89c103e 100644 --- a/installation-linux-deb.md +++ b/installation-linux-deb.md @@ -22,13 +22,14 @@ sudo apt-get install dirmngr Then import the repository key to your `gpg` keyring and export it to your `apt` keyring: ``` +sudo mkdir -p /usr/local/apt-keys gpg --fetch-keys https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt -gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | sudo apt-key add - +gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | sudo tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null ``` Add the repository into your `apt` sources: ``` -echo 'deb http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | sudo tee /etc/apt/sources.list.d/yggdrasil.list +echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | sudo tee /etc/apt/sources.list.d/yggdrasil.list sudo apt-get update ```