
Don't recommend curl -sS | apt-key add -

Open tripleee opened this issue 6 years ago • 7 comments

The current guidance from Debian is to add the key directly to your /etc/apt/trusted.gpg.d/ directory.

I managed to do this (obviously, in a context where I have the privileges to write to this system location):

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor > /etc/apt/trusted.gpg.d/yarn.gpg

It would be nice if the key could be made available in binary format so you don't have to have gpg installed. In fact, the reason the apt-key method is being deprecated is apparently because it depends on gpg and they want to avoid that dependency.

The concrete reason I wanted to change this (even though it works for the time being) is that I get an ugly warning when I run apt-key add - in a Dockerfile:

apt-key output should not be parsed (stdout is not a terminal) 

There seems to be a fair number of places where this should be changed. I was planning to submit a simple PR for https://yarnpkg.com/en/docs/install but quick search in your GitHub repo finds many places where apt-key add - is currently used, some of which I would definitely not want to touch before I understand the surrounding code.

tripleee, Mar 16 '18 13:03

Sorry I missed this... Would you like to submit a pull request to adjust the documentation? I think that'd be fine to change.

The current guidance from Debian

Where is this guidance located?

In fact, the reason the apt-key method is being deprecated is apparently because it depends on gpg and they want to avoid that dependency.

How do you check GPG signatures without having GPG installed though?

Daniel15, Jan 20 '19 06:01

It's long enough since I submitted this that I'd have to dig up some background to answer your questions. I'm game for creating a PR but I'm afraid I have to caution you about holding your breath...

tripleee, Jan 22 '19 14:01

Here's one piece of the puzzle: https://stackoverflow.com/questions/48162574/how-to-circumvent-apt-key-output-should-not-be-parsed

tripleee, Jan 29 '19 14:01

Here's one random bug report with a clear message, though hardly an authoritative source.

apt-key add is a legacy interface that should not be used. It's also not guaranteed to work on a system, since it requires gpg.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887706

tripleee, Jan 29 '19 14:01

https://bugs.debian.org/851774 seems to be the master bug for the apt-key deprecation, though it doesn't discuss how you are supposed to do validation of keys now. My uninformed guess is that they want gpg validation to be optional so that you can validate keys if you want to, but this is no longer a requirement for setting up a minimal Debian system.

tripleee, Jan 30 '19 06:01

Thanks @tripleee, I've used the following in my Dockerfile:

RUN apt-get -qq update && \
    apt-get install -y --no-install-recommends gnupg apt-transport-https ca-certificates && \
    curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor > /etc/apt/trusted.gpg.d/yarn.gpg && \
    echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && \
    apt-get -qq update && apt-get install -y --no-install-recommends yarn

And yarn installed OK with a Dockerfile based on "node:11-stretch".

sergey-shambir, Apr 04 '19 04:04
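Both the `gpg --dearmor > /etc/apt/trusted.gpg.d/yarn.gpg` step in the opening post and the Dockerfile above share one property worth knowing about: a key placed in /etc/apt/trusted.gpg.d/ is trusted for every repository configured on the system, not just the one it was downloaded for. Debian's third-party repository guidance is to put the keyring somewhere apt does not load globally (such as /usr/share/keyrings/) and bind it to the one repository with a `[signed-by=...]` option in the sources entry, and to compare the downloaded key's fingerprint against the one the project publishes before installing it. The script below is an added example written for this thread; it is not code from the issue, from Debian, or from the Yarn project. It assumes the keyring path /usr/share/keyrings/yarn-archive-keyring.gpg, the list file /etc/apt/sources.list.d/yarn.list, that curl and gpg are present at install time (apt itself verifies Release files with gpgv and does not need the full gnupg afterwards), and that the caller supplies the expected fingerprint obtained out of band; the fingerprint used in the comments is a placeholder, not Yarn's real one.

```shell
#!/bin/sh
# Added example (not from the issue or the Yarn project): install a third-party
# APT signing key scoped to a single repository via [signed-by=...], instead of
# `apt-key add -` or writing into /etc/apt/trusted.gpg.d/ (which would trust the
# key for every configured repository).
#
# Assumptions, not from the page: keyring directory /usr/share/keyrings, the
# file names used in the usage comment, curl and gpg available at install time,
# and an expected fingerprint the caller obtained out of band from the project.
set -eu

# Read `gpg --show-keys --with-colons` output on stdin and print the primary key
# fingerprint(s). In colon format field 1 is the record type and field 10 of an
# "fpr" record is the fingerprint; the "fpr" record directly after "pub" belongs
# to the primary key, the one after "sub" to a subkey (which we skip).
extract_primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "fpr" && want { print $10; want = 0; next }
        { want = 0 }
    '
}

# Compare an observed fingerprint with the expected one, ignoring spaces and
# case (published fingerprints are usually shown in groups of four).
# An empty observed fingerprint never matches.
fingerprint_matches() {
    got=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    want=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Build the sources.list line that binds the repository to exactly one keyring.
# $1 keyring path, $2 repository URL, $3 suite, $4 component
apt_source_line() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Full procedure: download, dearmor to a temp file, check the fingerprint,
# then install the keyring and the scoped sources entry. Runs as root.
# $1 key URL, $2 keyring path, $3 expected fingerprint, $4 list file path,
# $5 repository URL, $6 suite, $7 component
install_scoped_apt_key() {
    tmp=$(mktemp)
    # If curl fails the temp file is empty, gpg reports no key, the fingerprint
    # comes back empty and fingerprint_matches rejects it (no pipefail needed).
    curl -fsSL "$1" | gpg --dearmor > "$tmp"
    fpr=$(gpg --show-keys --with-colons "$tmp" | extract_primary_fingerprints | head -n 1)
    if ! fingerprint_matches "$fpr" "$3"; then
        echo "refusing to install key: fingerprint '$fpr' != expected '$3'" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0644 "$tmp" "$2"
    rm -f "$tmp"
    apt_source_line "$2" "$5" "$6" "$7" > "$4"
}

# Usage (as root on Debian/Ubuntu; the fingerprint below is a placeholder and
# must be replaced with the one the project publishes):
#   install_scoped_apt_key https://dl.yarnpkg.com/debian/pubkey.gpg \
#       /usr/share/keyrings/yarn-archive-keyring.gpg \
#       '0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567' \
#       /etc/apt/sources.list.d/yarn.list https://dl.yarnpkg.com/debian/ stable main
#   apt-get update && apt-get install -y --no-install-recommends yarn
```

In a Dockerfile the same functions can be sourced from a copied script inside the `RUN` step; the only change from the Dockerfile above is that the key lands in /usr/share/keyrings/ and the `deb` line carries `[signed-by=...]`, so a compromise of that one repository's key cannot be used to sign packages for the distribution's own sources.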