AW: Users GnuPG aims for? (Re: Breaking MIME concatenation)

Daniel Kahn Gillmor dkg at
Thu May 17 16:49:55 CEST 2018

On Thu 2018-05-17 08:45:18 +0000, Fiedler Roman wrote:
> As gnupg starts getting more and more problematic regarding some
> functions (see the discussions on command line/unattended use), Ubuntu
> Bionic AND Debian Buster dropped it from their debootstrap

I don't know about Ubuntu Bionic, but for Debian Buster this is simply

Buster relies on gpgv (which is part of the GnuPG suite) for validating
archive signatures.

> and replaced the apt-key management parts with own solutions.

apt-key has been deprecated for a while now.  I don't think i've seen a
secure use of apt-key that i can really encourage anywhere.

If you want to do sane cryptographic controls on repositories, you
should (a) place the key for a given repo somewhere sensible in the
filesystem (e.g. /usr/share/keyrings/REPONAME-keyring.gpg), and (b) add
a Signed-By: line to your .sources file (or a signed-by option to the
line in your .list file).

See sources.list(5) and for more details.

See also for suggestions about
improvements to scoped cryptographic authorities for the default
installation of debian repositories.

> Hence "apt-key import" will not work any more on debootstrap templates
> (thus in containerized environments) because gnupg is in process of
> removal from essential system parts.

Again, this is simply not true.  e-mail itself (let alone encrypted
mail) is not an essential system part, but cryptographic software update
verification *is* an essential system part, and debian continues to
depend on gpgv for that purpose.
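As an added example (not part of this message, nor apt's or GnuPG's own code), a POSIX shell audit that lists the repositories in a sources directory that still lack the scoped `signed-by` / `Signed-By:` keyring described above and therefore fall back to the global trusted keyring; the directory is a parameter, and the hostnames and keyring paths in the sample data are constructed.

```shell
#!/bin/sh
# Added example: find apt repositories that are still verified against the
# global trusted keyring (the apt-key model) instead of a keyring scoped with
# signed-by (one-line .list) or Signed-By: (deb822 .sources).

# Print "<file>: <entry>" for every repository in DIR that lacks a scoped key.
list_unscoped_apt_sources() {
    dir="$1"
    for f in "$dir"/*.list; do
        [ -e "$f" ] || continue
        # One-line format: "deb [signed-by=...] URI suite components"
        awk '/^[ \t]*deb(-src)?[ \t]/ && !/signed-by=/ {
                 print FILENAME ": " $0 }' "$f"
    done
    for f in "$dir"/*.sources; do
        [ -e "$f" ] || continue
        # deb822 format: blank-line separated stanzas, each needs Signed-By:
        awk 'BEGIN { RS = "" }
             /Types:/ && tolower($0) !~ /signed-by:/ {
                 split($0, line, "\n"); print FILENAME ": " line[1] }' "$f"
    done
}

# Exit status 0 when every repository in DIR is scoped, 1 otherwise.
audit_apt_sources() {
    found=$(list_unscoped_apt_sources "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample data in a temporary directory (hypothetical hosts/paths).
make_sample_sources_dir() {
    d=$(mktemp -d)
    printf '%s\n' '# legacy entry, no signed-by: trusted via the global keyring' \
        'deb http://example.invalid/legacy bionic main' > "$d/legacy.list"
    printf '%s\n' 'deb [signed-by=/usr/share/keyrings/example-keyring.gpg] http://example.invalid/scoped bionic main' \
        > "$d/scoped.list"
    printf '%s\n' 'Types: deb' 'URIs: http://example.invalid/scoped' 'Suites: buster' \
        'Components: main' 'Signed-By: /usr/share/keyrings/example-keyring.gpg' '' \
        'Types: deb' 'URIs: http://example.invalid/unscoped' 'Suites: buster' \
        'Components: main' > "$d/mixed.sources"
    printf '%s\n' "$d"
}

sample=$(make_sample_sources_dir)
audit_apt_sources "$sample" || echo "unscoped repositories found in $sample"
```

Run it against /etc/apt/sources.list.d to see which entries would still be trusted through the global keyring; a real audit should also confirm each Signed-By keyring file exists and is the one you installed.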
