Use modern APT keyrings on Debian family #43

Merged on Feb 13, 2024 (1 commit)

@smortex smortex commented Jan 8, 2024

This makes use of puppetlabs/puppetlabs-apt#1128 to store the public key in `/etc/apt/keyrings` and add a `signed-by` option to the `sources.list.d` entry.

smortex commented Jan 8, 2024

This prevents this deprecation warning on Debian 12 (for which AIO packages are still not available so not part of the CI test matrix for now, but this is another problem):

W: https://ose-repo.syslog-ng.com/apt/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
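
A host-side check for the state this change moves away from, as an added example (not part of the PR or of the module): it classifies each one-line `sources.list.d` entry by whether it carries a `signed-by` option and where that keyring lives. The function name, the `repo.example` URL and the `example.asc` keyring are assumptions; deb822 `.sources` files are not parsed.

```shell
#!/bin/sh
# audit_apt_sources [DIR]: classify one-line entries in DIR/*.list
# (default /etc/apt/sources.list.d) by how their signing key is trusted.
# Prints "<status> <file>:<line> <keyring|->" per entry:
#   pinned   - signed-by names a keyring outside the global trust store
#   global   - signed-by points into trusted.gpg or trusted.gpg.d
#   unpinned - no signed-by: any globally trusted key can vouch for the repo
# Returns 1 if any entry is not pinned.
audit_apt_sources() {
    dir=${1:-/etc/apt/sources.list.d}
    rc=0
    for f in "$dir"/*.list; do
        [ -f "$f" ] || continue
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            case $line in
                deb\ *|deb-src\ *) ;;
                *) continue ;;                  # comments, blank lines
            esac
            opts=                               # text inside the [...] group
            case $line in
                *\ \[*\]*) opts=${line#*\[}; opts=${opts%%\]*} ;;
            esac
            keyring=-
            for o in $opts; do
                case $o in signed-by=*) keyring=${o#signed-by=} ;; esac
            done
            case $keyring in
                -) status=unpinned ;;
                /etc/apt/trusted.gpg|/etc/apt/trusted.gpg.d/*) status=global ;;
                *) status=pinned ;;
            esac
            [ "$status" = pinned ] || rc=1
            printf '%s %s:%s %s\n' "$status" "${f##*/}" "$n" "$keyring"
        done < "$f"
    done
    return "$rc"
}

# Constructed sample entries (placeholder repo and key names, not from the PR).
demo=$(mktemp -d)
echo 'deb [signed-by=/etc/apt/keyrings/example.asc] https://repo.example/apt stable main' > "$demo/new.list"
echo 'deb https://repo.example/apt stable main' > "$demo/old.list"
audit_apt_sources "$demo" || echo "some entries still rely on the global trust store"
rm -rf "$demo"
```
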

@smortex smortex force-pushed the modern-apt-keyring branch 3 times, most recently from 7b96981 to 8efdaaa Compare January 11, 2024 20:23

@faxm0dem faxm0dem left a comment

LGTM !

smortex commented Jan 20, 2024

Relevant discussion:
puppetlabs/puppetlabs-postgresql#1563 (review)

Embedding the key in the module is a bit "meh", but in case of compromise of the repo, fetching a rogue key and installing rogue packages is not as straightforward…

@smortex smortex force-pushed the modern-apt-keyring branch 2 times, most recently from 8917cce to 44ca7ac Compare February 13, 2024 00:49

smortex commented Feb 13, 2024

I reworked the PR to include a copy of the key in the module. Feels better IMHO.

@faxm0dem faxm0dem left a comment

👍

@smortex smortex merged commit 0a95456 into master Feb 13, 2024
20 checks passed
@smortex smortex deleted the modern-apt-keyring branch February 13, 2024 17:21
@smortex smortex added the bug label Feb 13, 2024