AW: Users GnuPG aims for? (Re: Breaking MIME concatenation)
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu May 17 16:49:55 CEST 2018
On Thu 2018-05-17 08:45:18 +0000, Fiedler Roman wrote:

> As gnupg starts getting more and more problematic regarding some
> functions (see the discussions on command line/unattended use), Ubuntu
> Bionic AND Debian Buster dropped it from their debootstrap

I don't know about Ubuntu Bionic, but for Debian Buster this is simply
Buster relies on gpgv (which is part of the GnuPG suite) for validating

> and replaced the apt-key management parts with their own solutions.

apt-key has been deprecated for a while now. I don't think I've seen a
secure use of apt-key that I can really encourage anywhere.

If you want to do sane cryptographic controls on repositories, you
should (a) place the key for a given repo somewhere sensible in the
filesystem (e.g. /usr/share/keyrings/REPONAME-keyring.gpg), and (b) add
a Signed-By: line to your .sources file (or a signed-by option to the
line in your .list file).

See sources.list(5) and
https://wiki.debian.org/DebianRepository/UseThirdParty for more details.

See also https://bugs.debian.org/877012 for suggestions about
improvements to scoped cryptographic authorities for the default
installation of Debian repositories.

> Hence "apt-key import" will not work any more on debootstrap templates
> (thus in containerized environments) because gnupg is in the process of
> removal from essential system parts.

Again, this is simply not true. E-mail itself (let alone encrypted
mail) is not an essential system part, but cryptographic software update
verification *is* an essential system part, and Debian continues to
depend on gpgv for that purpose.
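The per-repository Signed-By setup described above, as an added example; this is not code from the thread, from Debian or from apt. It assumes the repository's key has already been placed as a binary OpenPGP keyring at /usr/share/keyrings/REPONAME-keyring.gpg (for instance from the vendor's keyring package, so no gpg binary is needed on the host), and deb.example.org, "bookworm" and "main" are placeholders for the real URI, suite and components. It writes the .sources stanza (and shows the equivalent .list line) only after checking that the keyring is usable by apt, and it deliberately never touches the global trust store that apt-key would have modified.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian/apt: build an apt
# source definition that is scoped to a single keyring with Signed-By,
# instead of adding the vendor key to the global trust store via apt-key.
# Assumptions: the repository key has already been placed as a binary
# OpenPGP keyring at /usr/share/keyrings/REPONAME-keyring.gpg (e.g. from the
# vendor's keyring package); deb.example.org, "bookworm" and "main" are
# placeholders for the real URI, suite and components.

# Conventional keyring location for a repository named $1.
keyring_path() {
    printf '/usr/share/keyrings/%s-keyring.gpg' "$1"
}

# The unprivileged _apt user must be able to open the keyring, so it has to
# exist and be world-readable. Args: keyring path. Returns 0 if usable.
check_keyring() {
    [ -f "$1" ] || { echo "missing keyring: $1" >&2; return 1; }
    # Column 8 of "ls -l" is the "others" read bit (r or -).
    [ "$(ls -ld "$1" | cut -c8)" = r ] ||
        { echo "keyring $1 is not world-readable" >&2; return 1; }
}

# deb822 stanza for /etc/apt/sources.list.d/NAME.sources.
# Args: uri suite components keyring
sources_stanza() {
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s\n' \
        "$1" "$2" "$3" "$4"
}

# Equivalent one-line form for a legacy .list file; the [signed-by=...]
# option restricts verification of this repo to that keyring.
# Args: uri suite components keyring
list_line() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$4" "$1" "$2" "$3"
}

# Write DIR/NAME.sources, refusing if the keyring is not usable by apt.
# Args: name uri suite components keyring dir
install_source() {
    check_keyring "$5" || return 1
    sources_stanza "$2" "$3" "$4" "$5" > "$6/$1.sources"
}

# Usage on the target host (as root), with the key already in place:
#   install_source example https://deb.example.org/debian bookworm main \
#       "$(keyring_path example)" /etc/apt/sources.list.d
# Contrast with the unscoped form this replaces: "apt-key add key.gpg"
# lets that key verify every configured repository, not just this one.
```

The readability check matters in practice: apt fetches and verifies as the `_apt` user, so a keyring copied in with mode 0600 silently fails verification for that one repository rather than for all of them, which is exactly the scoping the Signed-By approach buys you.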