AW: AW: Users GnuPG aims for? (Re: Breaking MIME concatenation)

Fiedler Roman Roman.Fiedler at
Thu May 17 17:37:55 CEST 2018

> Von: Daniel Kahn Gillmor [mailto:dkg at]
> On Thu 2018-05-17 08:45:18 +0000, Fiedler Roman wrote:
> > As gnupg starts getting more and more problematic regarding some
> > functions (see the discussions on command line/unattended use), Ubuntu
> > Bionic AND Debian Buster dropped it from their debootstrap
> I don't know about Ubuntu Bionic, but for Debian Buster this is simply
> false.
> Buster relies on gpgv (which is part of the GnuPG suite) for validating
> archive signatures.

That seems to be just a misunderstanding, as my initial message mentioning the changes was imprecise from my side; the follow-up should have made it clear that we are both talking about the same thing.

"""Yes, but all those features do not apply to apt-key or are of little relevance. Hence gpg seems to have been included just for minimal use (just adding/removing keys, everything is trusted as performed by root user anyway). I do not know the reasons behind them dropping gpg, but I guess the just needed a failesafe, minimalistic tool for that purpose and now they dropped gpg and run only with gpgv to my knowledge."""

> > and replaced the apt-key management parts with own solutions.
> apt-key has been deprecated for a while now.  I don't think i've seen a
> secure use of apt-key that i can really encourage anywhere.
> If you want to do sane cryptographic controls on repositories, you
> should (a) place the key for a given repo somewhere sensible in the
> filesystem (e.g. /usr/share/keyrings/REPONAME-keyring.gpg), and (b) add
> a Signed-By: line to your .sources file (or a signed-by option to the
> line in your .list file).
> See sources.list(5) and
> for more details.
> See also for suggestions about
> improvements to scoped cryptographic authorities for the default
> installation of debian repositories.

Thanks for the information. I thought that the new model would be using "/etc/apt/trusted.gpg.d", as recommended by an online version of "apt-key".

But of course the per-repository pinning of keys could make key management easier, as there is an n:1 link between repositories and keys, thus it is easier to avoid stale keys in the common key storage file.

> ...
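The per-repository key pinning discussed in this thread, as an added example that is not part of the mailing-list post: a small POSIX shell script that writes a deb822 `.sources` stanza carrying a `Signed-By:` line (and the equivalent one-line `.list` entry with `signed-by=`), then checks that every keyring a `.sources` file refers to actually exists, so a stale or mistyped keyring path is caught before apt silently refuses the repository. The repository name, URI and suite are placeholders; the keyring path follows the `/usr/share/keyrings/REPONAME-keyring.gpg` convention from the quoted reply.

```shell
#!/bin/sh
# Added example, not code from the thread. Repository URI, suite and name
# are placeholders; the keyring path convention is the one recommended in
# the quoted reply (/usr/share/keyrings/REPONAME-keyring.gpg).

# Print a deb822 stanza for one repository pinned to exactly one keyring.
# $1 = repo name, $2 = URI, $3 = suite, $4 = components, $5 = keyring path
sources_stanza() {
  cat <<EOF
# Repository: $1
Types: deb
URIs: $2
Suites: $3
Components: $4
Signed-By: $5
EOF
}

# Same repository as a one-line sources.list entry using the signed-by option.
list_line() {
  printf 'deb [signed-by=%s] %s %s %s\n' "$5" "$2" "$3" "$4"
}

# Check that every Signed-By keyring referenced in a .sources file exists.
# Returns 0 when all keyrings are present, 1 when at least one is missing.
check_signed_by() {
  rc=0
  while IFS= read -r line; do
    case "$line" in
      Signed-By:*)
        keyring=$(printf '%s' "$line" | sed 's/^Signed-By:[[:space:]]*//')
        if [ ! -f "$keyring" ]; then
          echo "missing keyring: $keyring" >&2
          rc=1
        fi
        ;;
    esac
  done < "$1"
  return $rc
}

# Demonstration on a constructed temporary tree (no real system files touched).
demo_dir=$(mktemp -d)
: > "$demo_dir/example-keyring.gpg"          # stand-in for the real keyring
sources_stanza example https://deb.example.org/debian stable main \
  "$demo_dir/example-keyring.gpg" > "$demo_dir/example.sources"
cat "$demo_dir/example.sources"
list_line example https://deb.example.org/debian stable main \
  /usr/share/keyrings/example-keyring.gpg
if check_signed_by "$demo_dir/example.sources"; then
  echo "all Signed-By keyrings present"
fi
rm -rf "$demo_dir"
```

In practice the stanza goes to `/etc/apt/sources.list.d/REPONAME.sources` and the keyring to `/usr/share/keyrings/`; the checker can be run from a configuration-management or CI step so that a keyring removed or renamed later is noticed rather than leaving the repository unverifiable.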
