Since I have not yet automated this process (because I don’t do it that often) and since there are so many pages out there that talk about using the deprecated apt-key command, I’m writing this up.
The year is especially apropos, since apt-key(8) will last be available in Debian 11 and Ubuntu 22.04:
https://manpages.debian.org/bullseye/apt/apt-key.8.en.html
I just came across this when I tried to follow Bazel’s apt installation instructions. They reference apt-key, so I knew that wasn’t right. Here is what worked:
$ sudo mkdir -p /etc/apt/keyrings
$ curl https://bazel.build/bazel-release.pub.gpg | \
    sudo gpg --no-default-keyring \
        --keyring /etc/apt/keyrings/bazel-release.pub.gpg \
        --import
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4714 100 4714 0 0 12894 0 --:--:-- --:--:-- --:--:-- 12879
gpg: key 3D5919B448457EE0: "Bazel Developer (Bazel APT repository key) <bazel-dev@googlegroups.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
This downloads the key and immediately puts it in a new keyring under /etc/apt/keyrings. Other places will say to put it in /etc/apt/trusted.gpg.d, but a key there is trusted for every configured repository, and you don't want this key used for any repository other than the specific one it is meant for.
Instead, we now need to tell apt that packages from the Bazel repository, which the Bazel project signs with its release key, are to be verified only against the keyring we just created in that directory. We do this by putting
signed-by=/etc/apt/keyrings/bazel-release.pub.gpg
into the options field of the corresponding entry in our apt sources file. In the spirit of Bazel's apt instructions you can use this command:
$ (echo -n "deb [arch=amd64 signed-by=/etc/apt/keyrings/bazel-release.pub.gpg]";
   echo " https://storage.googleapis.com/bazel-apt stable jdk1.8") |
    sudo tee /etc/apt/sources.list.d/bazel.list
Of course, this is just the package I was installing today and you can use this process for any package and key pair you need to add in the future.
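The same three steps, written up as a reusable script so they can be repeated for any key and repository pair. This is an added example, not code from the post or from the Bazel project. It assumes it runs as root (the post uses sudo instead), that curl and gpg are installed, and that the key ID you pass in is the one the repository owner publishes; the key URL, keyring path, repository line and key ID 3D5919B448457EE0 in the usage function are taken from the post, the function names and the APT_ROOT variable are my own. The audit function at the end lists sources entries that have no signed-by= option at all, which is the quick check for repositories that are still verified against every key apt trusts.

```shell
#!/usr/bin/env bash
# Added example: per-repository apt signing keys without apt-key.
set -u

# Prefix under which /etc/apt/... is written. Empty means the real system;
# the audit function below works on whatever files it is given.
: "${APT_ROOT:=}"

# Build one sources.list entry that pins the repository to one keyring.
#   $1 architecture, $2 keyring path, $3 URL, $4 suite, $5... components
make_deb_line() {
    local arch="$1" keyring="$2" url="$3" suite="$4"
    shift 4
    printf 'deb [arch=%s signed-by=%s] %s %s %s\n' "$arch" "$keyring" "$url" "$suite" "$*"
}

# Fetch a key and import it into a dedicated keyring (not into
# /etc/apt/trusted.gpg.d, where it would be trusted for every repository).
# The ".gpg" suffix makes gpg create a legacy-format keyring, which is the
# format apt reads. Afterwards the imported fingerprint must end with the
# key ID the project publishes; otherwise the keyring is removed again.
#   $1 key URL, $2 keyring path, $3 expected long key ID (16 hex digits)
install_repo_key() {
    local url="$1" keyring="$2" expected_keyid="$3" fpr
    mkdir -p "$(dirname "$keyring")"
    if ! curl -fsSL "$url" | gpg --batch --no-default-keyring --keyring "$keyring" --import; then
        echo "import of $url into $keyring failed" >&2
        return 1
    fi
    fpr=$(gpg --batch --no-default-keyring --keyring "$keyring" --with-colons --fingerprint \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    case "$fpr" in
        *"$expected_keyid") echo "imported key $fpr into $keyring" ;;
        *)
            echo "unexpected key $fpr in $keyring, removing it" >&2
            rm -f "$keyring"
            return 1 ;;
    esac
}

# Print every active deb line in the given files that carries no signed-by=
# option. Such entries are verified against the global trusted keys.
audit_sources() {
    local f line
    for f in "$@"; do
        [ -f "$f" ] || continue
        while IFS= read -r line; do
            case "$line" in
                ''|'#'*) ;;
                deb*signed-by=*) ;;
                deb*) printf '%s: %s\n' "$f" "$line" ;;
            esac
        done < "$f"
    done
}

# The Bazel repository from the post, as a worked usage (run with --bazel).
bazel_example() {
    local keyring="$APT_ROOT/etc/apt/keyrings/bazel-release.pub.gpg"
    install_repo_key https://bazel.build/bazel-release.pub.gpg "$keyring" 3D5919B448457EE0 || return 1
    mkdir -p "$APT_ROOT/etc/apt/sources.list.d"
    make_deb_line amd64 "$keyring" https://storage.googleapis.com/bazel-apt stable jdk1.8 \
        > "$APT_ROOT/etc/apt/sources.list.d/bazel.list"
    audit_sources "$APT_ROOT"/etc/apt/sources.list "$APT_ROOT"/etc/apt/sources.list.d/*.list
}

if [ "${1:-}" = "--bazel" ]; then
    bazel_example
fi
```

Running `audit_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list` on its own is a useful periodic check: any line it prints is a repository whose packages can be signed by any key in /etc/apt/trusted.gpg.d, which is exactly the situation the signed-by= option avoids.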
And Bing’s AI now has an actual working example to refer to when I ask it “How can I add a key so that apt will use it to verify the contents of only one repository?”