summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJulian Andres Klode <jak@debian.org>2024-12-07 16:09:10 +0000
committerJulian Andres Klode <jak@debian.org>2024-12-07 16:09:10 +0000
commit4063d96cdd9df79e1ca25410be30571d57296779 (patch)
tree1c5de4c1e0104d3539092c4ea3fdf33d8297e64b
parent9dbb3a242f4f7a53c3678fd4f37e03ccc8479113 (diff)
parent2bb8a2c71c12063e52220c3a3839e063f11a319d (diff)
Merge branch 'bye-apt-key' into 'main'
Stop using apt-key for verification and move apt-key to test/ See merge request apt-team/apt!406
-rw-r--r--apt-pkg/contrib/gpgv.cc8
-rw-r--r--cmdline/CMakeLists.txt11
-rw-r--r--debian/apt.install1
-rw-r--r--debian/apt.manpages2
-rw-r--r--doc/CMakeLists.txt1
-rw-r--r--doc/apt-key.8.xml246
-rw-r--r--doc/apt-secure.8.xml56
-rw-r--r--doc/po4a.conf1
-rw-r--r--doc/sources.list.5.xml4
-rw-r--r--methods/gpgv.cc6
-rw-r--r--test/integration/framework2
-rwxr-xr-xtest/integration/test-apt-key-used-in-maintainerscript43
-rwxr-xr-xtest/integration/test-method-gpgv-legacy-keyring4
-rw-r--r--test/interactive-helper/CMakeLists.txt8
-rw-r--r--test/interactive-helper/apt-key.in (renamed from cmdline/apt-key.in)0
15 files changed, 55 insertions, 338 deletions
diff --git a/apt-pkg/contrib/gpgv.cc b/apt-pkg/contrib/gpgv.cc
index 879e7635a..ce0bba0d1 100644
--- a/apt-pkg/contrib/gpgv.cc
+++ b/apt-pkg/contrib/gpgv.cc
@@ -232,7 +232,7 @@ void ExecGPGV(std::string const &File, std::string const &FileGPG,
FileFd keyFd(k, FileFd::ReadOnly);
if (not keyFd.IsOpen())
{
- apt_warning(std::cerr, statusfd, fd, "The key(s) in the keyring %s are ignored as the file is not readable by user executing apt-key.\n", k.c_str());
+ apt_warning(std::cerr, statusfd, fd, "The key(s) in the keyring %s are ignored as the file is not readable by user executing gpgv.\n", k.c_str());
}
else if (APT::String::Endswith(k, ".asc"))
{
@@ -512,14 +512,14 @@ void ExecGPGV(std::string const &File, std::string const &FileGPG,
{
if (errno == EINTR)
continue;
- apt_error(std::cerr, statusfd, fd, _("Waited for %s but it wasn't there"), "apt-key");
+ apt_error(std::cerr, statusfd, fd, _("Waited for %s but it wasn't there"), gpgv.c_str());
local_exit(EINTERNAL);
}
// check if it exit'ed normally …
if (not WIFEXITED(Status))
{
- apt_error(std::cerr, statusfd, fd, _("Sub-process %s exited unexpectedly"), "apt-key");
+ apt_error(std::cerr, statusfd, fd, _("Sub-process %s exited unexpectedly"), gpgv.c_str());
local_exit(EINTERNAL);
}
@@ -527,7 +527,7 @@ void ExecGPGV(std::string const &File, std::string const &FileGPG,
if (WEXITSTATUS(Status) != 0)
{
// we forward the statuscode, so don't generate a message on the fd in this case
- apt_error(std::cerr, -1, fd, _("Sub-process %s returned an error code (%u)"), "apt-key", WEXITSTATUS(Status));
+ apt_error(std::cerr, -1, fd, _("Sub-process %s returned an error code (%u)"), gpgv.c_str(), WEXITSTATUS(Status));
local_exit(WEXITSTATUS(Status));
}
diff --git a/cmdline/CMakeLists.txt b/cmdline/CMakeLists.txt
index ef6f8b35b..4c5e85af7 100644
--- a/cmdline/CMakeLists.txt
+++ b/cmdline/CMakeLists.txt
@@ -11,14 +11,6 @@ add_executable(apt-extracttemplates apt-extracttemplates.cc)
add_executable(apt-internal-solver apt-internal-solver.cc)
add_executable(apt-dump-solver apt-dump-solver.cc)
add_executable(apt-internal-planner apt-internal-planner.cc)
-add_vendor_file(OUTPUT apt-key
- INPUT apt-key.in
- MODE 755
- VARIABLES keyring-filename
- keyring-removed-filename
- keyring-master-filename
- keyring-uri keyring-package)
-
# Link the executables against the libraries
target_link_libraries(apt apt-pkg apt-private)
@@ -54,6 +46,3 @@ install(TARGETS apt-internal-planner RUNTIME DESTINATION ${CMAKE_INSTALL_LIBEXEC
add_links(${CMAKE_INSTALL_LIBEXECDIR}/apt/planners ../solvers/dump planners/dump)
add_links(${CMAKE_INSTALL_LIBEXECDIR}/apt/solvers apt solver3)
-
-# Install the not-to-be-compiled programs
-INSTALL(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/apt-key DESTINATION ${CMAKE_INSTALL_BINDIR})
diff --git a/debian/apt.install b/debian/apt.install
index 07bc737fd..eb465d498 100644
--- a/debian/apt.install
+++ b/debian/apt.install
@@ -7,7 +7,6 @@ usr/bin/apt-cache
usr/bin/apt-cdrom
usr/bin/apt-config
usr/bin/apt-get
-usr/bin/apt-key
usr/bin/apt-mark
usr/lib/*/libapt-private.so*
usr/lib/apt/apt-helper
diff --git a/debian/apt.manpages b/debian/apt.manpages
index 80dbabd44..582c145ba 100644
--- a/debian/apt.manpages
+++ b/debian/apt.manpages
@@ -2,7 +2,6 @@ usr/share/man/*/*/apt-cache.*
usr/share/man/*/*/apt-cdrom.*
usr/share/man/*/*/apt-config.*
usr/share/man/*/*/apt-get.*
-usr/share/man/*/*/apt-key.*
usr/share/man/*/*/apt-mark.*
usr/share/man/*/*/apt-secure.*
usr/share/man/*/*/apt-patterns.*
@@ -15,7 +14,6 @@ usr/share/man/*/apt-cache.*
usr/share/man/*/apt-cdrom.*
usr/share/man/*/apt-config.*
usr/share/man/*/apt-get.*
-usr/share/man/*/apt-key.*
usr/share/man/*/apt-mark.*
usr/share/man/*/apt-secure.*
usr/share/man/*/apt-patterns.*
diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
index 493c36c08..2df0ce721 100644
--- a/doc/CMakeLists.txt
+++ b/doc/CMakeLists.txt
@@ -84,7 +84,6 @@ add_docbook(apt-man MANPAGE ALL
apt-extracttemplates.1.xml
apt-ftparchive.1.xml
apt-get.8.xml
- apt-key.8.xml
apt-mark.8.xml
apt_preferences.5.xml
apt-patterns.7.xml
diff --git a/doc/apt-key.8.xml b/doc/apt-key.8.xml
deleted file mode 100644
index c6c2d192e..000000000
--- a/doc/apt-key.8.xml
+++ /dev/null
@@ -1,246 +0,0 @@
-<?xml version="1.0" encoding="utf-8" standalone="no"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
- "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-<!ENTITY % aptent SYSTEM "apt.ent"> %aptent;
-<!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent"> %aptverbatiment;
-<!ENTITY % aptvendor SYSTEM "apt-vendor.ent"> %aptvendor;
-]>
-
-<refentry>
- <refentryinfo>
- &apt-author.jgunthorpe;
- &apt-author.team;
- &apt-email;
- &apt-product;
- <!-- The last update date -->
- <date>2024-02-20T00:00:00Z</date>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle>apt-key</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="manual">APT</refmiscinfo>
- </refmeta>
-
- <!-- Man page title -->
- <refnamediv>
- <refname>apt-key</refname>
- <refpurpose>Deprecated APT key management utility</refpurpose>
- </refnamediv>
-
- &synopsis-command-apt-key;
-
- <refsect1><title>Description</title>
- <para>
- <command>apt-key</command> is used to manage the list of keys used
- by apt to authenticate packages. Packages which have been
- authenticated using these keys will be considered trusted.
- </para>
- <para>
- Use of <command>apt-key</command> is deprecated, except for the use of
- <command>apt-key del</command> in maintainer scripts to remove existing
- keys from the main keyring.
- If such usage of <command>apt-key</command> is desired the additional
- installation of the GNU Privacy Guard suite (packaged in
- <package>gnupg</package>) is required.
- </para>
- <para>
- apt-key(8) will last be available in Debian 12 and Ubuntu 24.04.
- </para>
-</refsect1>
-
-<refsect1><title>Supported keyring files</title>
-<para>apt-key supports only the binary OpenPGP format (also known as "GPG key
- public ring") in files with the "<literal>gpg</literal>" extension, not
- the keybox database format introduced in newer &gpg; versions as default
- for keyring files. Binary keyring files intended to be used with any apt
- version should therefore always be created with <command>gpg --export</command>.
-</para>
-<para>Alternatively, if all systems which should be using the created keyring
- have at least apt version >= 1.4 installed, you can use the ASCII armored
- format with the "<literal>asc</literal>" extension instead which can be
- created with <command>gpg --armor --export</command>.
-</para>
-</refsect1>
-
-<refsect1><title>Commands</title>
- <variablelist>
- <varlistentry><term><option>add</option> <option>&synopsis-param-filename;</option> (deprecated)</term>
- <listitem>
- <para>
- Add a new key to the list of trusted keys.
- The key is read from the filename given with the parameter
- &synopsis-param-filename; or if the filename is <literal>-</literal>
- from standard input.
- </para>
- <para>
- It is critical that keys added manually via <command>apt-key</command> are
- verified to belong to the owner of the repositories they claim to be for
- otherwise the &apt-secure; infrastructure is completely undermined.
- </para>
- <para>
- <emphasis>Note</emphasis>: Instead of using this command a keyring
- should be placed directly in the <filename>/etc/apt/trusted.gpg.d/</filename>
- directory with a descriptive name and either "<literal>gpg</literal>" or
- "<literal>asc</literal>" as file extension.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry><term><option>del</option> <option>&synopsis-param-keyid;</option> (mostly deprecated)</term>
- <listitem>
- <para>
-
- Remove a key from the list of trusted keys.
-
- </para>
-
- </listitem>
- </varlistentry>
-
- <varlistentry><term><option>export</option> <option>&synopsis-param-keyid;</option> (deprecated)</term>
- <listitem>
- <para>
-
- Output the key &synopsis-param-keyid; to standard output.
-
- </para>
-
- </listitem>
- </varlistentry>
-
- <varlistentry><term><option>exportall</option> (deprecated)</term>
- <listitem>
- <para>
-
- Output all trusted keys to standard output.
-
- </para>
-
- </listitem>
- </varlistentry>
-
- <varlistentry><term><option>list</option>, <option>finger</option> (deprecated)</term>
- <listitem>
- <para>
-
- List trusted keys with fingerprints.
-
- </para>
-
- </listitem>
- </varlistentry>
-
- <varlistentry><term><option>adv</option> (deprecated)</term>
- <listitem>
- <para>
- Pass advanced options to gpg. With <command>adv --recv-key</command> you
- can e.g. download key from keyservers directly into the trusted set of
- keys. Note that there are <emphasis>no</emphasis> checks performed, so it is
- easy to completely undermine the &apt-secure; infrastructure if used without
- care.
- </para>
-
- </listitem>
- </varlistentry>
-
- <varlistentry><term><option>update</option> (deprecated)</term>
- <listitem>
- <para>
- Update the local keyring with the archive keyring and remove from
- the local keyring the archive keys which are no longer valid.
- The archive keyring is shipped in the <literal>archive-keyring</literal> package of your
- distribution, e.g. the &keyring-package; package in &keyring-distro;.
- </para>
- <para>
- Note that a distribution does not need to and in fact should not use
- this command any longer and instead ship keyring files in the
- <filename>/etc/apt/trusted.gpg.d/</filename> directory directly as this
- avoids a dependency on <package>gnupg</package> and it is easier to manage
- keys by simply adding and removing files for maintainers and users alike.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry><term><option>net-update</option> (deprecated)</term>
- <listitem>
- <para>
-
- Perform an update working similarly to the <command>update</command> command above,
- but get the archive keyring from a URI instead and validate it against a master key.
-
- This requires an installed &wget; and an APT build configured to have
- a server to fetch from and a master keyring to validate.
-
- APT in Debian does not support this command, relying on
- <command>update</command> instead, but Ubuntu's APT does.
-
- </para>
-
- </listitem>
- </varlistentry>
- </variablelist>
-</refsect1>
-
- <refsect1><title>Options</title>
-<para>Note that options need to be defined before the commands described in the previous section.</para>
- <variablelist>
- <varlistentry><term><option>--keyring</option> <option>&synopsis-param-filename;</option> (deprecated)</term>
- <listitem><para>With this option it is possible to specify a particular keyring
- file the command should operate on. The default is that a command is executed
- on the <filename>trusted.gpg</filename> file as well as on all parts in the
- <filename>trusted.gpg.d</filename> directory, though <filename>trusted.gpg</filename>
- is the primary keyring which means that e.g. new keys are added to this one.
- </para></listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1><title>Deprecation</title>
-
- <para>Except for using <command>apt-key del</command> in maintainer scripts, the use of <command>apt-key</command> is deprecated. This section shows how to replace existing use of <command>apt-key</command>.</para>
-
-<para>If your existing use of <command>apt-key add</command> looks like this:</para>
-<para><literal>wget -qO- https://myrepo.example/myrepo.asc | sudo apt-key add -</literal></para>
-<para>Then you can directly replace this with (though note the recommendation below):</para>
-<para><literal>wget -qO- https://myrepo.example/myrepo.asc | sudo tee /etc/apt/trusted.gpg.d/myrepo.asc</literal></para>
-<para>Make sure to use the "<literal>asc</literal>" extension for ASCII armored
-keys and the "<literal>gpg</literal>" extension for the binary OpenPGP
-format (also known as "GPG key public ring"). The binary OpenPGP format works
-for all apt versions, while the ASCII armored format works for apt version >=
-1.4.</para>
-<para><emphasis>Recommended:</emphasis> Instead of placing keys into the <filename>/etc/apt/trusted.gpg.d</filename>
-directory, you can place them anywhere on your filesystem by using the
-<literal>Signed-By</literal> option in your <literal>sources.list</literal> and
-pointing to the filename of the key. See &sources-list; for details.
-Since APT 2.4, <filename>/etc/apt/keyrings</filename> is provided as the recommended
-location for keys not managed by packages.
-When using a deb822-style sources.list, and with apt version >= 2.4, the
-<literal>Signed-By</literal> option can also be used to include the full ASCII
-armored keyring directly in the <literal>sources.list</literal> without an
-additional file.
-</para>
-
- </refsect1>
-
-
- <refsect1><title>Files</title>
- <variablelist>
-
- &file-trustedgpg;
-
- </variablelist>
-
-</refsect1>
-
-<refsect1><title>See Also</title>
-<para>
-&apt-get;, &apt-secure;
-</para>
-</refsect1>
-
- &manbugs;
- &manauthor;
-
-</refentry>
-
diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml
index 7e40a2b1c..0549011e4 100644
--- a/doc/apt-secure.8.xml
+++ b/doc/apt-secure.8.xml
@@ -60,6 +60,40 @@
and &synaptic; support this authentication feature, so this manpage uses
<literal>APT</literal> to refer to them all for simplicity only.
</para>
+ </refsect1>
+
+<refsect1><title>User Configuration</title>
+ <para>
+ Keys should usually be included inside their corresponding <literal>.sources</literal>
+ by embedding the ASCII-armored key in the <literal>Signed-By</literal> option.
+ To do so, replace the empty line with a dot, and then indent all lines by two spaces.
+ See &sources-list; for more information.
+ </para>
+
+ <para>
+ Alternatively, keys may be placed in <filename>/etc/apt/keyrings</filename> for local keys,
+ or <filename>/usr/share/keyrings</filename> for keys managed by packages, and then referenced
+ by <literal>Signed-By: /etc/apt/keyrings/example-archive-keyring.asc</literal> option in a <literal>.sources</literal>
+ file or using <literal>deb [signed-by=/etc/apt/keyrings/example-archive-keyring.asc] ...</literal> in the legacy
+ <literal>.list</literal> format. This may be useful for APT versions prior to 2.4, which do not
+ support embedded keys. ASCII-armored keys must use an extension of <literal>.asc</literal>, and
+ unarmored keys an extension of <literal>.gpg</literal>.
+ </para>
+
+ <para>
+ To generate keys suitable for use in APT using GnuPG, you will need to use the
+ <command>gpg --export-options export-minimal [--armor] --export</command> command.
+ Earlier solutions involving <command>--keyring file --import</command> no longer work
+ with recent GnuPG versions as they use a new internal format ("GPG keybox database").
+ </para>
+
+ <para>
+ Note that a default installation already contains all keys to securely
+ acquire packages from the default repositories, so managing keys
+ is only needed if third-party repositories are added.
+ The <command>extrepo</command> package can be used to manage several
+ external repositories with ease.
+ </para>
</refsect1>
<refsect1><title>Unsigned Repositories</title>
@@ -180,26 +214,6 @@
</para>
</refsect1>
-<refsect1><title>User Configuration</title>
- <para>
- <command>apt-key</command> is the program that manages the list of keys used
- by APT to trust repositories. It can be used to add or remove keys as well
- as list the trusted keys. Limiting which key(s) are able to sign which archive
- is possible via the <option>Signed-By</option> in &sources-list;.
- </para><para>
- Note that a default installation already contains all keys to securely
- acquire packages from the default repositories, so fiddling with
- <command>apt-key</command> is only needed if third-party repositories are
- added.
- </para><para>
- In order to add a new key you need to first download it
- (you should make sure you are using a trusted communication channel
- when retrieving it), add it with <command>apt-key</command> and
- then run <command>apt-get update</command> so that apt can download
- and verify the <filename>InRelease</filename> or <filename>Release.gpg</filename>
- files from the archives you have configured.
- </para>
-</refsect1>
<refsect1><title>Repository Configuration</title>
<para>
@@ -243,7 +257,7 @@
<refsect1><title>See Also</title>
<para>
-&apt-conf;, &apt-get;, &sources-list;, &apt-key;, &apt-ftparchive;,
+&apt-conf;, &apt-get;, &sources-list;, &apt-ftparchive;,
&debsign;, &debsig-verify;, &gpg;
</para>
diff --git a/doc/po4a.conf b/doc/po4a.conf
index 0798eac68..3cf4d5ea8 100644
--- a/doc/po4a.conf
+++ b/doc/po4a.conf
@@ -15,7 +15,6 @@
[type: manpage] apt.8.xml $lang:$lang/apt.$lang.8.xml add_$lang:xml.add
[type: manpage] apt-get.8.xml $lang:$lang/apt-get.$lang.8.xml add_$lang:xml.add
[type: manpage] apt-cache.8.xml $lang:$lang/apt-cache.$lang.8.xml add_$lang:xml.add
-[type: manpage] apt-key.8.xml $lang:$lang/apt-key.$lang.8.xml add_$lang:xml.add
[type: manpage] apt-mark.8.xml $lang:$lang/apt-mark.$lang.8.xml add_$lang:xml.add
[type: manpage] apt-secure.8.xml $lang:$lang/apt-secure.$lang.8.xml add_$lang:xml.add
[type: manpage] apt-cdrom.8.xml $lang:$lang/apt-cdrom.$lang.8.xml add_$lang:xml.add
diff --git a/doc/sources.list.5.xml b/doc/sources.list.5.xml
index 4fa7a245b..a463d4333 100644
--- a/doc/sources.list.5.xml
+++ b/doc/sources.list.5.xml
@@ -304,8 +304,8 @@ deb-src [ option1=value1 option2=value2 ] uri suite [component1] [component2] [.
and <filename>/etc/apt/keyrings</filename> for keyrings managed by the system operator.
If no keyring files are specified
the default is the <filename>trusted.gpg</filename> keyring and
- all keyrings in the <filename>trusted.gpg.d/</filename> directory
- (see <command>apt-key fingerprint</command>). If no fingerprint is
+ all keyrings in the <filename>trusted.gpg.d/</filename> directory.
+ If no fingerprint is
specified all keys in the keyrings are selected. A fingerprint will
accept also all signatures by a subkey of this key, if this isn't
desired an exclamation mark (<literal>!</literal>) can be appended to
diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index 947b585da..e5554b1e2 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -481,9 +481,9 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
else if (WEXITSTATUS(status) == 1)
return _("At least one invalid signature was encountered.");
else if (WEXITSTATUS(status) == 111)
- return _("Could not execute 'apt-key' to verify signature (is gnupg installed?)");
+ return _("Could not execute 'gpgv' to verify signature (is gnupg installed?)");
else
- return _("Unknown error executing apt-key");
+ return _("Unknown error executing gpgv");
}
string GPGVMethod::VerifyGetSignersWithLegacy(const char *file, const char *outfile,
vector<string> const &keyFpts,
@@ -518,7 +518,7 @@ string GPGVMethod::VerifyGetSignersWithLegacy(const char *file, const char *outf
{
std::string warning;
strprintf(warning,
- _("Key is stored in legacy trusted.gpg keyring (%s), see the DEPRECATION section in apt-key(8) for details."),
+ _("Key is stored in legacy trusted.gpg keyring (%s). Use Signed-By instead. See the USER CONFIGURATION section in apt-secure(8) for details."),
legacyKeyFiles[0].c_str());
Warning(std::move(warning));
Signers = std::move(legacySigners);
diff --git a/test/integration/framework b/test/integration/framework
index a64488f0e..6d4d0b07f 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -192,7 +192,7 @@ aptcache() { runapt apt-cache "$@"; }
aptcdrom() { runapt apt-cdrom "$@"; }
aptget() { runapt apt-get "$@"; }
aptftparchive() { runapt "${APTFTPARCHIVEBINDIR}/apt-ftparchive" "$@"; }
-aptkey() { runapt apt-key "$@"; }
+aptkey() { runapt "${APTTESTHELPERSBINDIR}/apt-key" "$@"; }
aptmark() { runapt apt-mark "$@"; }
aptsortpkgs() { runapt apt-sortpkgs "$@"; }
apt() { runapt apt "$@"; }
diff --git a/test/integration/test-apt-key-used-in-maintainerscript b/test/integration/test-apt-key-used-in-maintainerscript
deleted file mode 100755
index b5ed3279f..000000000
--- a/test/integration/test-apt-key-used-in-maintainerscript
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/bin/sh
-set -e
-
-TESTDIR="$(readlink -f "$(dirname "$0")")"
-. "$TESTDIR/framework"
-
-setupenvironment
-unset APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE
-configarchitecture 'native'
-configdpkgnoopchroot
-
-buildingpkg() {
- local PKG="$1"
- shift
- setupsimplenativepackage "$PKG" 'native' '1' 'unstable' "$@"
- BUILDDIR="incoming/${PKG}-1"
- echo '#!/bin/sh
-apt-key list >/dev/null' > "${BUILDDIR}/debian/postinst"
- buildpackage "$BUILDDIR" 'unstable' 'main' 'native'
- rm -rf "$BUILDDIR"
-}
-buildingpkg 'aptkeyuser-nodepends' 'Depends: unrelated'
-buildingpkg 'aptkeyuser-depends' 'Depends: gnupg'
-
-insertinstalledpackage 'unrelated' 'native' '1'
-insertinstalledpackage 'gnupg' 'native' '1'
-testdpkgnotinstalled 'aptkeyuser-depends' 'aptkeyuser-nodepends'
-
-testsuccess apt install ./incoming/aptkeyuser-depends_*.changes -y
-cp rootdir/tmp/testsuccess.output apt.output
-testdpkginstalled 'aptkeyuser-depends'
-testfailure grep '^Warning: This will BREAK' apt.output
-testsuccess grep '^Warning: apt-key' apt.output
-
-testsuccess apt install --with-source ./incoming/aptkeyuser-nodepends_*.changes aptkeyuser-nodepends -y
-cp rootdir/tmp/testsuccess.output apt.output
-testdpkginstalled 'aptkeyuser-nodepends'
-testsuccess grep '^Warning: This will BREAK' apt.output
-testsuccess grep '^Warning: apt-key' apt.output
-
-testsuccess aptkey list
-cp rootdir/tmp/testsuccess.output aptkey.list
-testsuccess grep '^Warning: apt-key' aptkey.list
diff --git a/test/integration/test-method-gpgv-legacy-keyring b/test/integration/test-method-gpgv-legacy-keyring
index 3c3e4536c..8afa5671b 100755
--- a/test/integration/test-method-gpgv-legacy-keyring
+++ b/test/integration/test-method-gpgv-legacy-keyring
@@ -24,7 +24,7 @@ rm rootdir/etc/apt/trusted.gpg.d/*.gpg
testwarningequal "Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1420 B]
Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1420 B]
Reading package lists...
-W: file:${TMPWORKINGDIRECTORY}/aptarchive/dists/unstable/InRelease: Key is stored in legacy trusted.gpg keyring (${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details." aptget update -q
+W: file:${TMPWORKINGDIRECTORY}/aptarchive/dists/unstable/InRelease: Key is stored in legacy trusted.gpg keyring (${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg). Use Signed-By instead. See the USER CONFIGURATION section in apt-secure(8) for details." aptget update -q
# 2.4.0 regression: If the InRelease file was signed with two keys, fallback to trusted.gpg did not
# work: It ran the fallback, but then ignored the result, as keys were still missing.
@@ -32,4 +32,4 @@ signreleasefiles 'Joe Sixpack,Marvin Paranoid'
testwarningequal "Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1867 B]
Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1867 B]
Reading package lists...
-W: file:${TMPWORKINGDIRECTORY}/aptarchive/dists/unstable/InRelease: Key is stored in legacy trusted.gpg keyring (${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details." aptget update -q -omsg=with-two-signatures
+W: file:${TMPWORKINGDIRECTORY}/aptarchive/dists/unstable/InRelease: Key is stored in legacy trusted.gpg keyring (${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg). Use Signed-By instead. See the USER CONFIGURATION section in apt-secure(8) for details." aptget update -q -omsg=with-two-signatures
diff --git a/test/interactive-helper/CMakeLists.txt b/test/interactive-helper/CMakeLists.txt
index bfca6c8f6..0e0b57bcd 100644
--- a/test/interactive-helper/CMakeLists.txt
+++ b/test/interactive-helper/CMakeLists.txt
@@ -31,3 +31,11 @@ target_include_directories(longest-dependency-chain PRIVATE ${APTPRIVATE_INCLUDE
add_library(noprofile SHARED libnoprofile.c)
target_link_libraries(noprofile ${CMAKE_DL_LIBS})
+
+add_vendor_file(OUTPUT apt-key
+ INPUT apt-key.in
+ MODE 755
+ VARIABLES keyring-filename
+ keyring-removed-filename
+ keyring-master-filename
+ keyring-uri keyring-package)
diff --git a/cmdline/apt-key.in b/test/interactive-helper/apt-key.in
index dd1c52ab0..dd1c52ab0 100644
--- a/cmdline/apt-key.in
+++ b/test/interactive-helper/apt-key.in