summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--apt-pkg/contrib/gpgv.cc3
-rw-r--r--cmdline/apt-key.in20
-rw-r--r--doc/apt-key.8.xml32
3 files changed, 36 insertions, 19 deletions
diff --git a/apt-pkg/contrib/gpgv.cc b/apt-pkg/contrib/gpgv.cc
index d956eaf00..28f3150c3 100644
--- a/apt-pkg/contrib/gpgv.cc
+++ b/apt-pkg/contrib/gpgv.cc
@@ -251,6 +251,9 @@ void ExecGPGV(std::string const &File, std::string const &FileGPG,
setenv("APT_CONFIG", conf.get(), 1);
}
+ // Tell apt-key not to emit warnings
+ setenv("APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE", "1", 1);
+
if (releaseSignature == DETACHED)
{
auto detached = make_unique_FILE(FileGPG, "r");
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index e9187b423..baf3df5c3 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -671,10 +671,10 @@ prepare_gpg_home() {
# well as the script hopefully uses apt-key optionally then like e.g.
# debian-archive-keyring for (upgrade) cleanup did
if [ -n "$DPKG_MAINTSCRIPT_PACKAGE" ] && [ -z "$APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE" ]; then
- if ! dpkg-query --show --showformat '${Pre-Depends}${Depends}${Recommends}\n' "$DPKG_MAINTSCRIPT_PACKAGE" 2>/dev/null | grep -q gnupg; then
+ if ! dpkg-query --show --showformat '${Pre-Depends}${Depends}${Recommends}\n' "$DPKG_MAINTSCRIPT_PACKAGE" 2>/dev/null | grep -E -q 'gpg|gnupg'; then
cat >&2 <<EOF
Warning: The $DPKG_MAINTSCRIPT_NAME maintainerscript of the package $DPKG_MAINTSCRIPT_PACKAGE
-Warning: seems to use apt-key (provided by apt) without depending on gnupg or gnupg2.
+Warning: seems to use apt-key (provided by apt) without depending on gpg, gnupg, or gnupg2.
Warning: This will BREAK in the future and should be fixed by the package maintainer(s).
Note: Check first if apt-key functionality is needed at all - it probably isn't!
EOF
@@ -740,8 +740,18 @@ warn_on_script_usage() {
# (Maintainer) scripts should not be using apt-key
if [ -n "$DPKG_MAINTSCRIPT_PACKAGE" ]; then
echo >&2 "Warning: apt-key should not be used in scripts (called from $DPKG_MAINTSCRIPT_NAME maintainerscript of the package ${DPKG_MAINTSCRIPT_PACKAGE})"
- elif [ ! -t 1 ]; then
- echo >&2 "Warning: apt-key output should not be parsed (stdout is not a terminal)"
+ fi
+
+ echo >&2 "Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8))."
+}
+
+warn_outside_maintscript() {
+ # In del, we want to warn in interactive use, but not inside maintainer
+ # scripts, so as to give people a chance to migrate keyrings.
+ #
+ # FIXME: We should always warn starting in 2022.
+ if [ -z "$DPKG_MAINTSCRIPT_PACKAGE" ]; then
+ echo >&2 "Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8))."
fi
}
@@ -760,6 +770,7 @@ case "$command" in
;;
del|rm|remove)
# no script warning here as removing 'add' usage needs 'del' for cleanup
+ warn_outside_maintscript
requires_root
foreach_keyring_do 'remove_key_from_keyring' "$@"
aptkey_echo "OK"
@@ -772,6 +783,7 @@ case "$command" in
merge_back_changes
;;
net-update)
+ warn_on_script_usage
requires_root
setup_merged_keyring
net_update
diff --git a/doc/apt-key.8.xml b/doc/apt-key.8.xml
index 1ab4d784e..2c8c3f655 100644
--- a/doc/apt-key.8.xml
+++ b/doc/apt-key.8.xml
@@ -25,7 +25,7 @@
<!-- Man page title -->
<refnamediv>
<refname>apt-key</refname>
- <refpurpose>APT key management utility</refpurpose>
+ <refpurpose>Deprecated APT key management utility</refpurpose>
</refnamediv>
&synopsis-command-apt-key;
@@ -37,13 +37,15 @@
authenticated using these keys will be considered trusted.
</para>
<para>
- Note that if usage of <command>apt-key</command> is desired the additional
+ Use of <command>apt-key</command> is deprecated, except for the use of
+ <command>apt-key del</command> in maintainer scripts to remove existing
+ keys from the main keyring.
+ If such usage of <command>apt-key</command> is desired the additional
installation of the GNU Privacy Guard suite (packaged in
- <package>gnupg</package>) is required. For this reason alone the programmatic
- usage (especially in package maintainer scripts!) is strongly discouraged.
- Further more the output format of all commands is undefined and can and does
- change whenever the underlying commands change. <command>apt-key</command> will
- try to detect such usage and generates warnings on stderr in these cases.
+ <package>gnupg</package>) is required.
+ </para>
+ <para>
+ apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
</para>
</refsect1>
@@ -63,7 +65,7 @@
<refsect1><title>Commands</title>
<variablelist>
- <varlistentry><term><option>add</option> <option>&synopsis-param-filename;</option></term>
+ <varlistentry><term><option>add</option> <option>&synopsis-param-filename;</option> (deprecated)</term>
<listitem>
<para>
Add a new key to the list of trusted keys.
@@ -85,7 +87,7 @@
</listitem>
</varlistentry>
- <varlistentry><term><option>del</option> <option>&synopsis-param-keyid;</option></term>
+ <varlistentry><term><option>del</option> <option>&synopsis-param-keyid;</option> (mostly deprecated)</term>
<listitem>
<para>
@@ -96,7 +98,7 @@
</listitem>
</varlistentry>
- <varlistentry><term><option>export</option> <option>&synopsis-param-keyid;</option></term>
+ <varlistentry><term><option>export</option> <option>&synopsis-param-keyid;</option> (deprecated)</term>
<listitem>
<para>
@@ -107,7 +109,7 @@
</listitem>
</varlistentry>
- <varlistentry><term><option>exportall</option></term>
+ <varlistentry><term><option>exportall</option> (deprecated)</term>
<listitem>
<para>
@@ -118,7 +120,7 @@
</listitem>
</varlistentry>
- <varlistentry><term><option>list</option>, <option>finger</option></term>
+ <varlistentry><term><option>list</option>, <option>finger</option> (deprecated)</term>
<listitem>
<para>
@@ -129,7 +131,7 @@
</listitem>
</varlistentry>
- <varlistentry><term><option>adv</option></term>
+ <varlistentry><term><option>adv</option> (deprecated)</term>
<listitem>
<para>
Pass advanced options to gpg. With <command>adv --recv-key</command> you
@@ -160,7 +162,7 @@
</listitem>
</varlistentry>
- <varlistentry><term><option>net-update</option></term>
+ <varlistentry><term><option>net-update</option> (deprecated)</term>
<listitem>
<para>
@@ -183,7 +185,7 @@
<refsect1><title>Options</title>
<para>Note that options need to be defined before the commands described in the previous section.</para>
<variablelist>
- <varlistentry><term><option>--keyring</option> <option>&synopsis-param-filename;</option></term>
+ <varlistentry><term><option>--keyring</option> <option>&synopsis-param-filename;</option> (deprecated)</term>
<listitem><para>With this option it is possible to specify a particular keyring
file the command should operate on. The default is that a command is executed
on the <filename>trusted.gpg</filename> file as well as on all parts in the