From f7f4a4cb5c99f2bfe7a2398c406048c92c9c93b2 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Sat, 23 Nov 2024 21:02:41 +0100 Subject: Remove the apt-key manual page and add documentation to apt-secure We move the user configuration section to the top of the manual page as that is going to be what most are interested in and rewrite it to cover all the modern ways to configure keys in a succinct way. --- doc/apt-secure.8.xml | 56 ++++++++++++++++++++++++++++++++-------------------- 1 file changed, 35 insertions(+), 21 deletions(-) (limited to 'doc/apt-secure.8.xml') diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml index 7e40a2b1c..0549011e4 100644 --- a/doc/apt-secure.8.xml +++ b/doc/apt-secure.8.xml @@ -60,6 +60,40 @@ and &synaptic; support this authentication feature, so this manpage uses APT to refer to them all for simplicity only. + + +User Configuration + + Keys should usually be included inside their corresponding .sources + by embedding the ASCII-armored key in the Signed-By option. + To do so, replace the empty line with a dot, and then indent all lines by two spaces. + See &sources-list; for more information. + + + + Alternatively, keys may be placed in /etc/apt/keyrings for local keys, + or /usr/share/keyrings for keys managed by packages, and then referenced + by Signed-By: /etc/apt/keyrings/example-archive-keyring.asc option in a .sources + file or using deb [signed-by=/etc/apt/keyrings/example-archive-keyring.asc] ... in the legacy + .list format. This may be useful for APT versions prior to 2.4, which do not + support embedded keys. ASCII-armored keys must use an extension of .asc, and + unarmored keys an extension of .gpg. + + + + To generate keys suitable for use in APT using GnuPG, you will need to use the + gpg --export-options export-minimal [--armor] --export command. + Earlier solutions involving --keyring file --import no longer work + with recent GnuPG versions as they use a new internal format ("GPG keybox database"). + + + + Note that a default installation already contains all keys to securely + acquire packages from the default repositories, so managing keys + is only needed if third-party repositories are added. + The extrepo package can be used to manage several + external repositories with ease. + Unsigned Repositories @@ -180,26 +214,6 @@ -User Configuration - - apt-key is the program that manages the list of keys used - by APT to trust repositories. It can be used to add or remove keys as well - as list the trusted keys. Limiting which key(s) are able to sign which archive - is possible via the in &sources-list;. - - Note that a default installation already contains all keys to securely - acquire packages from the default repositories, so fiddling with - apt-key is only needed if third-party repositories are - added. - - In order to add a new key you need to first download it - (you should make sure you are using a trusted communication channel - when retrieving it), add it with apt-key and - then run apt-get update so that apt can download - and verify the InRelease or Release.gpg - files from the archives you have configured. - - Repository Configuration @@ -243,7 +257,7 @@ See Also -&apt-conf;, &apt-get;, &sources-list;, &apt-key;, &apt-ftparchive;, +&apt-conf;, &apt-get;, &sources-list;, &apt-ftparchive;, &debsign;, &debsig-verify;, &gpg; -- cgit v1.2.3-70-g09d2