[Bug 1933537] Re: add-apt-repository should store PGP keys in /usr/share/keyrings because /etc/apt/trusted.gpg.d is deprecated for third party repos

Julian Alarcon 1933537 at bugs.launchpad.net
Wed Apr 13 15:15:34 UTC 2022


*** This bug is a duplicate of bug 1862764 ***
    https://bugs.launchpad.net/bugs/1862764

** This bug has been marked a duplicate of bug 1862764
   add-apt-repository should use signed-by

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to software-properties in Ubuntu.
https://bugs.launchpad.net/bugs/1933537

Title:
  add-apt-repository should store PGP keys in /usr/share/keyrings
  because /etc/apt/trusted.gpg.d is deprecated for third party repos

Status in software-properties package in Ubuntu:
  New

Bug description:
  PPAs are third-party repositories. For security reasons, PGP keys for
  these must not be placed in /etc/apt/trusted.gpg.d, according to this
  document:

    https://wiki.debian.org/DebianRepository/UseThirdParty

  They should instead be saved to /usr/share/keyrings, and the generated
  .list file for the repo added should refer to its particular key by
  using a [signed-by=/usr/share/keyrings/...] argument. This ensures
  that the downloaded PGP key will only be used to verify a particular
  repository and is not globally available to verify package lists of
  all configured repositories (as are all keys found in
  /etc/apt/trusted.gpg.d).

  Please fix add-apt-repository accordingly.

  Ubuntu 20.04.2 LTS
  software-properties-common 0.98.9.5

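Added example (not part of the bug report or of software-properties): a small audit of one-line-style .list entries that reports whether each repository's key is scoped with signed-by, as the bug description asks. The function names, verdict labels and the ppa.example.invalid entries are assumptions made for illustration; deb822 .sources files are not handled.

```python
import re

# One-line-style entry: type, optional [options], URI, suite, components.
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")
GLOBAL_DIR = "/etc/apt/trusted.gpg.d/"  # keys here are trusted for every repo


def parse_options(raw):
    """Turn 'arch=amd64 signed-by=/path' into a dict of option -> value."""
    opts = {}
    for token in (raw or "").split():
        key, sep, value = token.partition("=")
        if sep:
            opts[key.lower()] = value
    return opts


def audit_sources(text):
    """Return (line_number, uri, verdict) for every active entry (hypothetical helper)."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.split("#", 1)[0].strip()  # drop comments and disabled entries
        match = ENTRY.match(line)
        if not match:
            continue
        keyring = parse_options(match.group(2)).get("signed-by")
        if keyring is None:
            verdict = "unscoped"  # any globally trusted key can verify this repo
        elif any(p.startswith(GLOBAL_DIR) for p in keyring.split(",")):
            verdict = "globally-trusted-key"  # pinned, but key still trusted for all repos
        else:
            verdict = "scoped"  # key is used for this repository only
        findings.append((number, match.group(3), verdict))
    return findings


# Constructed sample input, not taken from a real system.
SAMPLE = """\
# constructed sample
deb http://ppa.example.invalid/team/app/ubuntu focal main
deb [signed-by=/etc/apt/trusted.gpg.d/team-app.gpg] http://ppa.example.invalid/team/app2/ubuntu focal main
deb [arch=amd64 signed-by=/usr/share/keyrings/team-app.gpg] http://ppa.example.invalid/team/app3/ubuntu focal main
"""

if __name__ == "__main__":
    for number, uri, verdict in audit_sources(SAMPLE):
        print(f"line {number}: {verdict:22} {uri}")
```
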