Having trouble adding gpg key to apt keyring in Debian 9.0 (Stretch)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jun 20 19:56:57 CEST 2017


Hi Rex--

On Tue 2017-06-20 08:43:16 -0700, Rex Kneisley wrote:
> root at debian-rig:/home/rexk# wget -qO -
> https://download.sublimetext.com/sublimehq-pub.gpg | sudo apt-key add -
> gpg: WARNING: nothing exported
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0

While it's a common recommendation, "apt-key add -" is generally a bad
idea, because it mixes the fetched keys in with all the other keys.
It's a better idea to fetch the keys for a given repository separately
and mark them as acceptable only for this specific repo.

Since you're using debian stable (stretch), you might want to read:

    https://wiki.debian.org/DebianRepository/UseThirdParty

From its suggestions, if you want to add the sublime repo (which i have
never vetted and am not personally recommending here), you might prefer
to do the following on debian stretch:

    wget -O /usr/share/keyring/sublimehq-pub.gpg.asc https://download.sublimetext.com/sublimehq-pub.gpg
    gpg --dearmor < /usr/share/keyring/sublimehq-pub.gpg.asc > /usr/share/keyring/sublimehq-pub.gpg
    echo 'deb [signed-by=/usr/share/keyring/sublimehq-pub.gpg] https://download.sublimetext.com/ apt/stable/' > /etc/apt/sources.list.d/sublime.list

This makes it so the sublime repository key is not accepted for
certifying the main debian repos (which it should not be doing).

I suspect that the problem you were having may have to do with the
ascii-armoring on the fetched file, which is why i've included the
--dearmor line in the middle of the three steps above.

hope this helps,

     --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: </pipermail/attachments/20170620/bf3359ce/attachment.sig>


More information about the Gnupg-users mailing list