AW: Users GnuPG aims for? (Re: Breaking MIME concatenation)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu May 17 16:49:55 CEST 2018


On Thu 2018-05-17 08:45:18 +0000, Fiedler Roman wrote:
> As gnupg starts getting more and more problematic regarding some
> functions (see the discussions on command line/unattended use), Ubuntu
> Bionic AND Debian Buster dropped it from their debootstrap

I don't know about Ubuntu Bionic, but for Debian Buster this is simply
false.

Buster relies on gpgv (which is part of the GnuPG suite) for validating
archive signatures.

> and replaced the apt-key management parts with own solutions.

apt-key has been deprecated for a while now.  I don't think I've seen a
secure use of apt-key that I can really encourage anywhere.

If you want to do sane cryptographic controls on repositories, you
should (a) place the key for a given repo somewhere sensible in the
filesystem (e.g. /usr/share/keyrings/REPONAME-keyring.gpg), and (b) add
a Signed-By: line to your .sources file (or a signed-by option to the
line in your .list file).

See sources.list(5) and
https://wiki.debian.org/DebianRepository/UseThirdParty for more details.

See also https://bugs.debian.org/877012 for suggestions about
improvements to scoped cryptographic authorities for the default
installation of debian repositories.

> Hence "apt-key import" will not work any more on debootstrap templates
> (thus in containerized environments) because gnupg is in process of
> removal from essential system parts.

Again, this is simply not true.  E-mail itself (let alone encrypted
mail) is not an essential system part, but cryptographic software update
verification *is* an essential system part, and Debian continues to
depend on gpgv for that purpose.

        --dkg
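The per-repository keyring plus Signed-By setup that the reply above recommends, as an added worked example (this is not code from the mail, from Debian, or from apt; the repository name, URL, suite and the temporary directory it writes to are hypothetical placeholders). It writes the deb822 .sources stanza and the equivalent one-line .list form, and includes a small audit function that flags entries with no Signed-By/signed-by, i.e. entries that would still rely on the global trusted keyring that apt-key populates:

```sh
#!/bin/sh
# Added example: scoping a third-party apt repository to its own keyring.
# Not from the mail or from Debian's tooling; names and paths are placeholders.
set -eu

# Write a deb822 .sources stanza whose Signed-By pins this repository to
# one keyring file under /usr/share/keyrings (the location the mail suggests).
# $1 = repo name, $2 = URL, $3 = suite, $4 = components, $5 = output directory
write_sources() {
  name=$1; url=$2; suite=$3; comps=$4; outdir=$5
  cat > "$outdir/$name.sources" <<EOF
Types: deb
URIs: $url
Suites: $suite
Components: $comps
Signed-By: /usr/share/keyrings/$name-keyring.gpg
EOF
  echo "$outdir/$name.sources"
}

# Same policy in the classic one-line .list form, using the signed-by option.
write_list() {
  name=$1; url=$2; suite=$3; comps=$4; outdir=$5
  printf 'deb [signed-by=/usr/share/keyrings/%s-keyring.gpg] %s %s %s\n' \
    "$name" "$url" "$suite" "$comps" > "$outdir/$name.list"
  echo "$outdir/$name.list"
}

# Audit one sources file. Returns 0 when every entry names a keyring via
# Signed-By (deb822) or [signed-by=...] (.list); 1 when some entry does not
# and would therefore be checked against the global trusted keyring; 2 for
# an unrecognised file name.
check_signed_by() {
  file=$1
  case "$file" in
    *.sources)
      # paragraph mode: each blank-line separated stanza is one record
      awk 'BEGIN { RS=""; bad=0 }
           /Types:/ && !/Signed-By:/ { bad=1 }
           END { exit bad }' "$file"
      ;;
    *.list)
      # every active deb/deb-src line must carry a signed-by option
      ! grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$file" \
        | grep -qvE '\[[^]]*signed-by='
      ;;
    *)
      return 2
      ;;
  esac
}

# Demo run against a throwaway directory (placeholder repository values).
demo_dir=$(mktemp -d)
demo_file=$(write_sources example https://deb.example.org/debian stable main "$demo_dir")
if check_signed_by "$demo_file"; then
  echo "ok: $demo_file is scoped to its own keyring"
fi
rm -rf "$demo_dir"
```

The keyring itself is installed separately (for an ASCII-armoured key, `gpg --dearmor` into /usr/share/keyrings/REPONAME-keyring.gpg, world-readable); the audit function only checks that the sources entry points at such a file, not that the file exists or that the key inside it is the one you expect.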