Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead

I installed elasticsearch following this guide, but elasticsearch is not really part of this question.

First, I need to add the key:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

and got the following message:

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

The installation went fine, but since it is deprecated, I'm looking for the new usage that replaces apt-key. (I had no problem installing the package.) From man apt-key I see:

apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.

...

Binary keyring files intended to be used with any apt version should therefore always be created with gpg --export.

but it doesn't say what the replacement for apt-key add is. I tried

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --export

but that didn't work. So what do I use after the wget pipe once apt-key is removed?

Found the answer here: https://suay.site/?p=526

In short:

Retrieve the key and add it:

curl -s URL | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/NAME.gpg --import

Authorize the _apt user:

sudo chown _apt /etc/apt/trusted.gpg.d/NAME.gpg

Adding keys to /etc/apt/trusted.gpg.d is insecure because it adds the key for all repositories. That is exactly why apt-key had to be deprecated.
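To make the point in the comment above concrete, here is an added audit script (not from this page or any of its answers). It prints every active one-line deb/deb-src source that has no signed-by= option, which are precisely the sources that will accept any key in /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, and then the fingerprints of those globally trusted keys. It assumes the one-line sources format (deb822 .sources files are not parsed), GnuPG 2.1.23 or later for --show-keys, and the directory argument is a parameter I added so the check can also be run against a copy of /etc/apt.

```shell
#!/bin/sh
# Added audit example, not code from the original page.
# Usage: ./apt-trust-audit.sh /etc/apt
set -eu

# Print "FILE:LINENO:LINE" for every active deb/deb-src line under DIR
# (sources.list and sources.list.d/*.list) that carries no signed-by=
# option. These lines are verified against every key apt trusts globally.
sources_without_signed_by() {
    for f in "$1"/sources.list "$1"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        grep -nE '^[[:space:]]*deb(-src)?[[:space:]]' "$f" \
            | grep -vE '\[[^]]*signed-by=' \
            | sed "s|^|$f:|" || true
    done
}

# Print "FILE: FINGERPRINT" for each key in the legacy trusted.gpg keyring
# and in trusted.gpg.d (apt accepts both binary .gpg and armored .asc there).
globally_trusted_keys() {
    for k in "$1"/trusted.gpg "$1"/trusted.gpg.d/*.gpg "$1"/trusted.gpg.d/*.asc; do
        [ -f "$k" ] || continue
        gpg --batch --with-colons --with-fingerprint --show-keys "$k" 2>/dev/null \
            | awk -F: -v file="$k" '$1 == "fpr" { print file ": " $10 }'
    done
}

if [ "$#" -eq 1 ]; then
    echo "Sources without signed-by (they trust every key listed below):"
    sources_without_signed_by "$1"
    echo
    echo "Keys trusted for all such sources:"
    globally_trusted_keys "$1"
fi
```

Every fingerprint in the second list can sign packages for every source in the first list, including the distribution's own repositories when those lines lack signed-by. The fix for each third-party source is the signed-by approach described in the other answer, after which the key can be moved out of trusted.gpg.d.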

Short version

This is what Signal does. If you want to use the key at https://example.com/EXAMPLE.gpg for the repository listed in /etc/apt/sources.list.d/EXAMPLE.list, use:

wget -O- https://example.com/EXAMPLE.gpg |\
    gpg --dearmor |\
    sudo tee /usr/share/keyrings/EXAMPLE.gpg > /dev/null

echo "deb [signed-by=/usr/share/keyrings/EXAMPLE.gpg] https://example.com/apt stable main" |\
    sudo tee /etc/apt/sources.list.d/EXAMPLE.list

# Optional (you can find the email address / ID using `apt-key list`)
sudo apt-key del support@example.com

Long version

Although the deprecation notice suggests adding the key to /etc/apt/trusted.gpg.d, this is an insecure solution. Quoting this article from Linux Uprising:

The reason for this change is that when adding an OpenPGP key that's used to sign an APT repository to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, the key is unconditionally trusted by APT on all other repositories configured on the system that don't have a signed-by (see below) option, even the official Debian / Ubuntu repositories. As a result, any unofficial APT repository which has its signing key added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any package on the system. So this change was made for security reasons (your security).

The correct solution is explained in that Linux Uprising article and on the Debian Wiki: store the key in /usr/share/keyrings/, then reference that key from the apt sources list.

So the appropriate method is as follows:

  1. Download the key from https://example.com/EXAMPLE.gpg and store it in /usr/share/keyrings/EXAMPLE.gpg. The Debian wiki notes that you should dearmor the key (i.e. convert it from base64 to binary) for compatibility with older software.
    wget -O- https://example.com/EXAMPLE.gpg |\
        gpg --dearmor |\
        sudo tee /usr/share/keyrings/EXAMPLE.gpg > /dev/null
    
  2. Add the key to the sources file used by the repository. Find the appropriate file in /etc/apt/sources.list.d/ and edit it so that it links to the keyring you just added. If the file doesn't exist, you can create it. In the end it should look like this:
    deb [signed-by=/usr/share/keyrings/EXAMPLE.gpg] https://example.com/apt stable main
    
  3. Remove the key from apt-key (if it was added there previously). Run sudo apt-key list to list all keys and find the one added earlier. Using the key's email address or fingerprint, run sudo apt-key del support@example.com.
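The three steps of the long version as one script, added here as an example; it is not this answer's own code, nor Signal's. Beyond the steps above it also refuses to install a key whose fingerprint does not match the one the vendor publishes, and only dearmors input that is actually ASCII-armored (a binary keyring is copied through unchanged). The function and variable names, the fingerprint argument, and the reliance on gpg --show-keys (GnuPG 2.1.23 or later) are my assumptions; the keyring location /usr/share/keyrings is the one used on this page.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Usage: ./add-apt-repo-key.sh NAME KEY_URL EXPECTED_FINGERPRINT REPO_URL SUITE COMPONENTS
set -eu

KEYRING_DIR=/usr/share/keyrings   # location used on this page

# Return 0 if FILE is an ASCII-armored key (needs --dearmor), 1 if binary.
key_is_armored() {
    head -c 64 "$1" | grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----'
}

# Print the full fingerprint of the first key in FILE (armored or binary).
key_fingerprint() {
    gpg --batch --with-colons --with-fingerprint --show-keys "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Print the one-line sources entry that pins REPO_URL to KEYRING.
# sources_entry KEYRING REPO_URL SUITE COMPONENTS
sources_entry() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# install_repo_key NAME KEY_URL EXPECTED_FPR REPO_URL SUITE COMPONENTS
install_repo_key() {
    name=$1; key_url=$2; expected=$3; repo_url=$4; suite=$5; components=$6
    keyring="$KEYRING_DIR/$name.gpg"
    tmp=$(mktemp); bin=$(mktemp)
    trap 'rm -f "$tmp" "$bin"' EXIT

    wget -qO "$tmp" "$key_url"

    # Step 1: dearmor only if the download is armored; binary stays as is.
    if key_is_armored "$tmp"; then
        gpg --batch --dearmor < "$tmp" > "$bin"
    else
        cp "$tmp" "$bin"
    fi

    # Check the fingerprint against the value published out of band
    # (vendor docs, not the same download) before trusting the key.
    actual=$(key_fingerprint "$bin")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $name: got $actual, expected $expected" >&2
        return 1
    fi

    # Install root-owned and world-readable so the _apt user can read it.
    sudo install -m 0644 -o root -g root "$bin" "$keyring"

    # Step 2: the sources entry that restricts this repo to this keyring.
    sources_entry "$keyring" "$repo_url" "$suite" "$components" \
        | sudo tee "/etc/apt/sources.list.d/$name.list" > /dev/null

    # Step 3 (from the answer) is left to the caller:
    #   sudo apt-key del <fingerprint-or-email>
    # if the key had previously been added with apt-key.
}

if [ "$#" -eq 6 ]; then
    install_repo_key "$@"
fi
```

The fingerprint check is what turns "download a key over HTTPS" into "trust the key the vendor documented": a compromised download host or mirror can serve a different key, and without the comparison apt would accept packages signed by it for that repository. The Debian wiki now also recommends /etc/apt/keyrings for keys installed by the administrator rather than by a package; changing KEYRING_DIR is the only edit needed for that.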