Debian installation instructions still use `/etc/apt/trusted.gpg.d` for storing the key
This violates https://wiki.debian.org/DebianRepository/UseThirdParty, which states:
... The certificate MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add.
If future updates to the certificate will be managed by an apt/dpkg package as recommended below, then it SHOULD be downloaded into /usr/share/keyrings using the same filename that will be provided by the package. If it will be managed locally, it SHOULD be downloaded into /etc/apt/keyrings instead.
Please update the instructions accordingly.
Maybe also take into account that Debian 13 and Ubuntu 24.04 will default to the s.c. "deb822" style *.sources files in favor of the old *.list files in /etc/apt/sources.list.d. See man 5 sources.list for the details.
I believe these are the instructions the issue author is referring to:
https://github.com/adoptium/adoptium.net/blob/675e64ef0eb2b814899789301fb59635a39c195b/content/asciidoc-pages/installation/linux/index.adoc#L46
```
wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor | tee /etc/apt/trusted.gpg.d/adoptium.gpg > /dev/null
```
From a quick glance at the third-party repository link, we want mkdir -p /etc/apt/keyrings and to place the certificate there?
From a quick glance at the third-party repository link, we want mkdir -p /etc/apt/keyrings and to place the certificate there?
Yes, except I'd make that [[ -d /etc/apt/keyrings ]] || mkdir -p /etc/apt/keyrings, since recent Debian/Ubuntu versions should already have it.
Oh, and btw., ...| tee somefile > /dev/null can be replaced with ... >somefile.
Or, even better: Also provide a package for managing the keyring file going forward, in which case the instructions for the user would change to [[ -d /usr/share/keyrings ]] || mkdir -p /usr/share/keyrings (and place the bootstrap keyring file there).
Why has it taken so long to implement a simple change to your online documentation for installing your product? This issue has been open for a year....
In addition to what was already mentioned above, you need to include sudo unless you expect the user to run the command to download and install the key as root (which is a bad idea for obvious reasons).
Use the following instead:
```
wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor | sudo tee /etc/apt/keyrings/adoptium.gpg > /dev/null
```
Note: the example includes installing the key under /etc/apt/keyrings, the new preferred location.
The apt repository file should reference the GPG key as well:
```
deb [signed-by=/etc/apt/keyrings/adoptium.gpg] https://packages.adoptium.net/artifactory/deb noble main
```
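A defensive check for the key layout discussed in this thread, as an added example that is not part of the original issue or the Adoptium project's code: it lists keys that are globally trusted through `/etc/apt/trusted.gpg.d` and repository entries, in both one-line `.list` and deb822 `.sources` form, that carry no `signed-by` / `Signed-By` pin. The function names, the `GLOBAL_KEY` / `NO_SIGNED_BY` labels and the sample tree are assumptions made for the example.

```sh
# Added example: report APT trust settings that bypass per-repository key pinning.
# Pass a root directory to audit a constructed tree; no argument audits the live system.
audit_apt_trust() (
    cd "${1:-/}" || exit 1
    # Keys here are accepted for every repository; distro archive keys may also live here.
    for f in etc/apt/trusted.gpg.d/*; do
        [ -f "$f" ] || continue
        echo "GLOBAL_KEY /$f"
    done
    # One-line style (*.list): each active deb/deb-src line needs [signed-by=...].
    for f in etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        awk -v name="/$f" '
            /^[ \t]*deb(-src)?[ \t]/ && !/signed-by=/ { print "NO_SIGNED_BY " name ":" NR }
        ' "$f"
    done
    # deb822 style (*.sources): each stanza needs its own Signed-By field.
    for f in etc/apt/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        awk -v name="/$f" '
            function report() {
                if (in_stanza && !signed) print "NO_SIGNED_BY " name ":" start
                in_stanza = 0; signed = 0
            }
            /^[ \t]*$/ { report(); next }
            /^#/ { next }
            !in_stanza { in_stanza = 1; start = NR }
            tolower($0) ~ /^signed-by:/ { signed = 1 }
            END { report() }
        ' "$f"
    done
)

# Constructed sample tree: one globally trusted key, one unpinned .list entry,
# one pinned entry, and a .sources file whose second stanza lacks Signed-By.
make_sample_tree() {
    d="$1/etc/apt"
    mkdir -p "$d/trusted.gpg.d" "$d/keyrings" "$d/sources.list.d"
    : > "$d/trusted.gpg.d/adoptium.gpg"
    : > "$d/keyrings/adoptium.gpg"
    repo="https://packages.adoptium.net/artifactory/deb"
    printf '%s\n' "# old style" "deb $repo noble main" > "$d/sources.list.d/old.list"
    printf '%s\n' "deb [signed-by=/etc/apt/keyrings/adoptium.gpg] $repo noble main" \
        > "$d/sources.list.d/pinned.list"
    printf '%s\n' "Types: deb" "URIs: $repo" "Suites: noble" "Components: main" \
        "Signed-By: /etc/apt/keyrings/adoptium.gpg" "" \
        "Types: deb" "URIs: https://example.invalid/deb" "Suites: noble" "Components: main" \
        > "$d/sources.list.d/mixed.sources"
}
```

Each `NO_SIGNED_BY` finding gives the file and the line where the unpinned entry or stanza starts; such an entry is verified against the global trust store rather than a single named keyring.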
@w4jew-aprsfoundation - this project accepts fixes and improvements from new contributors and especially appreciates PRs to documentation. Please feel free to create a PR to fix the file that was mentioned in https://github.com/adoptium/installer/issues/834#issuecomment-2003937296