
pdns should be listed in extrepo (was: apt-key is deprecated, repo.powerdns.com directions need update)

Open nivex opened this issue 3 years ago • 14 comments

  • Program: N/A (repo.powerdns.com)
  • Issue type: Bug report

Short description

From the apt-key man page in Debian 11.

Use of apt-key is deprecated... apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.

Environment

  • Operating system: Debian 10, 11
  • Software version: N/A
  • Software source: repo.powerdns.com

Other information

The preferred method of managing keys is now to place them directly in /etc/apt/trusted.gpg.d.

Alternatively, if all systems which should be using the created keyring have at least apt version >= 1.4 installed, you can use the ASCII armored format with the "asc" extension instead...

Ergo, the existing directions for Debian/Ubuntu that read:

curl https://repo.powerdns.com/FD380FBB-pub.asc | sudo apt-key add -

can be simplified to

sudo curl -o /etc/apt/trusted.gpg.d/pdns.asc https://repo.powerdns.com/FD380FBB-pub.asc

or

curl https://repo.powerdns.com/FD380FBB-pub.asc | sudo tee /etc/apt/trusted.gpg.d/pdns.asc

for the more security minded (though this also dumps the key to the screen).

I have tested this works as expected on Debian 10.

nivex Jul 17 '21 19:07

Also consider adding the PowerDNS repo to extrepo

wb9688 Jul 17 '21 19:07

https://blog.jak-linux.org/2021/06/20/migrating-away-apt-key/ (via sarnold)

Habbie May 03 '22 18:05

Picking this up... the 'best practice' has now changed, as even dropping keys into /etc/apt/trusted.gpg.d doesn't solve all of the problems that were identified. I'll add something to this issue to describe how the text should appear now, and also verify if it's supported in Debian 10 as well as 11.

kpfleming May 03 '22 18:05

Of possible interest: https://salsa.debian.org/apt-team/apt/-/merge_requests/176

Habbie Jul 04 '22 14:07

Hello, I have been using the following if it's of any help, and it works well with Ubuntu 22.04. It essentially drops the key into an "apt-get-non-automatically-trusted" location, /usr/share/keyrings/, and then points to the key for PowerDNS repo signing (via the signed-by directive in the sources.list file).

# Download gpg key
curl -s https://repo.powerdns.com/CBC8B383-pub.asc | sudo tee /usr/share/keyrings/pdns-CBC8B383.asc > /dev/null

# Create apt source.list file
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/pdns-CBC8B383.asc] http://repo.powerdns.com/ubuntu jammy-dnsdist-master main' | sudo tee /etc/apt/sources.list.d/dnsdist.list > /dev/null
sudo apt-get update
sudo apt-get install dnsdist

git-noise Jul 06 '22 15:07

Yep, that's the preferred configuration now.

kpfleming Jul 06 '22 16:07

Except that /usr/share/keyrings is only good if the file comes with a package...

zeha Jul 07 '22 23:07

@zeha good catch, indeed as per https://wiki.debian.org/DebianRepository/UseThirdParty, I quote:

If future updates to the key will be managed by an apt/dpkg package as recommended below, then it SHOULD be downloaded into /usr/share/keyrings using the same filename that will be provided by the package. If it will be managed locally, it SHOULD be downloaded into /etc/apt/keyrings instead.

I also see that my Ubuntu 22.04 does have that folder /etc/apt/keyrings/ created now.

git-noise Jul 11 '22 15:07

Ahh, interesting. I'll need to update my local systems to follow that practice.

kpfleming Jul 11 '22 15:07

Debian Bullseye systems do not have /etc/apt/keyrings, but Bookworm systems do. It's easy to create of course, but creation of the directory will need to be part of the directions.

kpfleming Jul 11 '22 18:07

Debian Bullseye systems do not have /etc/apt/keyrings, but Bookworm systems do. It's easy to create of course, but creation of the directory will need to be part of the directions.

Yes, indeed. It is a pity this wasn't all prepared a long time ago. Anyway, /etc/apt/keyrings works and is future-proof (until this stuff changes again...).

zeha Jul 28 '22 11:07
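The thread's conclusion (key under /etc/apt/keyrings, created when missing, and a sources entry pinned to it with signed-by) as one added shell example. This is not PowerDNS's code nor any commenter's snippet; the function names `install_pinned_repo`, `sources_without_signed_by` and `demo`, the `root` parameter that lets everything run against a scratch directory, the `example.invalid` host and the placeholder key text are all assumptions made for the example. The second function is a small audit that lists sources still relying on globally trusted keys, which is what a key in /etc/apt/trusted.gpg.d amounts to.

```shell
# Added example, not the project's or any commenter's code.
# Installs a repository key under /etc/apt/keyrings and writes a sources.list.d
# entry scoped to that key via signed-by. "root" is an assumed parameter so the
# functions can be exercised against a scratch directory instead of a live
# system ("" on a real host).

install_pinned_repo() {
    root="$1"        # filesystem root: "" for a live system, or a scratch dir
    keyfile="$2"     # ASCII-armored public key already downloaded (e.g. with curl -o)
    name="$3"        # short repository name, used for the file names
    debline="$4"     # "http://host/dist suite component", without the [options]
    arch="${5:-amd64}"

    keydir="$root/etc/apt/keyrings"
    srcdir="$root/etc/apt/sources.list.d"

    # Refuse anything that is not ASCII-armored: apt >= 1.4 accepts .asc files
    # here, but an HTML error page saved by curl would silently break the repo.
    if ! head -n 1 "$keyfile" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$'; then
        echo "$keyfile is not an ASCII-armored OpenPGP public key" >&2
        return 1
    fi

    # /etc/apt/keyrings is absent on Debian Bullseye (present on Bookworm and
    # Ubuntu 22.04), so create it; apt wants it and the key world-readable.
    mkdir -p "$keydir" "$srcdir"
    chmod 0755 "$keydir"
    cp "$keyfile" "$keydir/$name.asc"
    chmod 0644 "$keydir/$name.asc"

    # signed-by limits trust in this key to this one source, unlike a key in
    # /etc/apt/trusted.gpg.d, which apt accepts for every configured repository.
    # The path is always the live one, even when writing into a scratch root.
    printf 'deb [arch=%s signed-by=%s] %s\n' \
        "$arch" "/etc/apt/keyrings/$name.asc" "$debline" \
        > "$srcdir/$name.list"
}

# Lists "deb" lines that carry no signed-by option, i.e. sources that still
# depend on globally trusted keys (apt-key / trusted.gpg.d) and are candidates
# for migration.
sources_without_signed_by() {
    root="$1"
    for f in "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        grep -n '^deb' "$f" | grep -v 'signed-by=' | sed "s|^|$f:|"
    done
}

# Constructed placeholder, not the real PowerDNS key: only the armor header
# matters for the check above.
SAMPLE_KEY='-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFplaceholderKeyMaterialNotARealKey
-----END PGP PUBLIC KEY BLOCK-----'

demo() {
    root=$(mktemp -d)
    printf '%s\n' "$SAMPLE_KEY" > "$root/pdns-key.asc"
    # A legacy-style entry without signed-by, so the audit has something to report.
    mkdir -p "$root/etc/apt/sources.list.d"
    echo 'deb http://example.invalid/ubuntu jammy main' \
        > "$root/etc/apt/sources.list.d/legacy.list"
    install_pinned_repo "$root" "$root/pdns-key.asc" pdns \
        'http://repo.powerdns.com/ubuntu jammy-dnsdist-master main'
    echo "--- pinned source written:"
    cat "$root/etc/apt/sources.list.d/pdns.list"
    echo "--- sources still without signed-by:"
    sources_without_signed_by "$root"
    rm -rf "$root"
}

demo
```

On a real host you would call `install_pinned_repo "" ./CBC8B383-pub.asc pdns 'http://repo.powerdns.com/ubuntu jammy-dnsdist-master main'` as root, then `apt-get update`; the audit function run with `""` as root shows which other sources still rely on globally trusted keys.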

I'd love a diff against https://gist.github.com/Habbie/e2e6b993aa611a0881784add3fe2977b if anybody feels so inclined :)

Habbie Dec 20 '22 09:12

Here's my attempt: https://gist.github.com/jsoref/0fdc318f584bbdf8db1dcf2e9fb1ea42/revisions

Please check the output a bit before deploying as I haven't tried to feed the j2 data to it.

jsoref Dec 20 '22 20:12

Please check the output a bit before deploying as I haven't tried to feed the j2 data to it.

Deployed, thanks!

Habbie Jun 22 '23 14:06