0

My company has a debian repository which has new gpg keys. We want to generate new package versions which add these keys to /etc/apt/trusted.gpg.d. The caveat is that we only want to add those in that specific version, meaning that we won't add the keys in subsequent versions. This causes the issue of not being able to just put it in that folder in the debian package, since the keyring will be deleted in the next version.

Our approach is to have that file in a random folder, which we then copy to the correct folder ( /etc/apt/trusted.gpg.d ) in the postinst script. My question is, what random folder should that be? Is it correct to place the keys in the /tmp folder?

I noticed the spotify-client package does a similar thing, it has the keys in /usr/share/spotify/apt-keys and then copies it to /etc/apt/trusted.gpg.d. I'm not sure if this is the correct folder to place it though

Improve this question
1
  • From the point of view of an end user, having global keys imposed by a package is a security problem. But as it's within a company, the "user" would be the company, so that's not a problem. I'm talking about this: wiki.debian.org/DebianRepository/… (see the comment "The reason we point to a file instead of a fingerprint is that the latter forces the user to add the key to the global SecureApt trust anchor in /etc/apt/trusted.gpg.d, which would cause the system to accept signatures [...]") Commented Dec 16, 2020 at 15:42

1 Answer 1

Reset to default
2

Your scenario seems a bit strange to me — you’ll end up with files which aren’t owned by any package, and things will fail if people skip the specific version of the package which ships the keys.

However, I assume you have your reasons for this; to answer your more general question about where to ship a file in a Debian package, you should ship non-architecture-specific files in /usr/share/<yourpackage>, as done in the Spotify package.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.