From 1323d48e442a93c81616ec0dd2268427043191be Mon Sep 17 00:00:00 2001 From: =?utf8?q?Antoine=20Beaupr=C3=A9?= Date: Thu, 15 Feb 2018 10:49:18 -0500 Subject: [PATCH] move archive keyring out of global trust path The [repository instructions][1] have been changed to avoid writing third-party keyring files to the global trust anchors (in `/etc/apt/trusted-gpg.d`) and instead write those to a more neutral location (`/usr/share/keyrings`, alongside other keyring files). [1]: https://wiki.debian.org/RepositoryInstructions The downside of this change is that the key fingerprint isn't validated directly through this process. But considering that validation of the key is anchored through HTTPS validation in the first place, we do not *really* lose anything by moving that to the `.gpg` file transfer: that file's integrity is still checked through HTTPS. Furthermore, not storing the explicit fingerprint here will make future key rotations easier as they will not require documentation updates. Note that this change will also require a change in the `grml-debian-keyring` package to install the keyring file in the new location. If that package does not install a `.sources` or `.list` file, that move will also break existing configurations, so a NEWS entry might be in order as well. This is related to the [proposed website documentation change][2] [2]: https://github.com/grml/grml.org/pull/21 --- debian/install | 2 +- keyrings/{grml-archive.gpg => grml-archive-keyring.gpg} | Bin 2 files changed, 1 insertion(+), 1 deletion(-) rename keyrings/{grml-archive.gpg => grml-archive-keyring.gpg} (100%) diff --git a/debian/install b/debian/install index cd8ff4d..f803d04 100644 --- a/debian/install +++ b/debian/install @@ -1,2 +1,2 @@ -keyrings/grml-archive.gpg etc/apt/trusted.gpg.d +keyrings/grml-archive-keyring.gpg usr/share/keyrings origins etc/dpkg 
diff --git a/keyrings/grml-archive.gpg b/keyrings/grml-archive-keyring.gpg similarity index 100% rename from keyrings/grml-archive.gpg rename to keyrings/grml-archive-keyring.gpg -- 2.1.4
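Review bot: In the debian/install hunk, dropping the line `keyrings/grml-archive.gpg etc/apt/trusted.gpg.d` does not take the key out of the global trust path on systems that upgrade. Files shipped under /etc are dpkg conffiles, and a conffile the package stops shipping is left on disk as obsolete, so the old grml-archive.gpg would remain in /etc/apt/trusted.gpg.d and apt would keep trusting it for every repository. Consider adding an `rm_conffile /etc/apt/trusted.gpg.d/grml-archive.gpg` entry to the package's debian maintscript file, with the version in which this change lands. The diffstat also shows only debian/install and the rename, so nothing in this patch points apt at `/usr/share/keyrings/grml-archive-keyring.gpg`. Once the old file is gone, the grml archive only verifies if a sources entry carries a matching `signed-by=` option, and the NEWS entry the commit message suggests is not included here. It would be safer to ship that entry and the NEWS text in the same upload.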