Hello Probzx,
So we have apt which works fine with gpg keys (as we tested), but does not work with asc keys. Transiently using gpg keys in /etc/apt/trusted.gpg.d/ and then switching back to asc keys did not resolve the issue.
The asc keys should work, but don't, for no apparent reason. I don't know a way to reproduce the problem, which would be required to open a bug.
I suggest that you keep /etc/apt/trusted.gpg linked to /usr/share/keyrings/debian-archive-keyring.gpg. So if for some reason /usr/share/keyrings/debian-archive-keyring.gpg is updated, /etc/apt/trusted.gpg will be kept up to date.
/usr/share/keyrings/debian-archive-keyring.gpg contains all the asc keys:
Code:
$> gpg --show-keys /usr/share/keyrings/debian-archive-keyring.gpg
pub rsa4096 2019-02-05 [SC] [expire : 2027-02-03]
6D33866EDD8FFA41C0143AEDDCC9EFBF77E11517
uid Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>
pub rsa4096 2019-04-14 [SC] [expire : 2027-04-12]
80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE
uid Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub rsa4096 2019-04-14 [S] [expire : 2027-04-12]
pub rsa4096 2019-04-14 [SC] [expire : 2027-04-12]
5E61B217265DA9807A23C5FF4DFAB270CAA96DFA
uid Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub rsa4096 2019-04-14 [S] [expire : 2027-04-12]
pub rsa4096 2021-01-17 [SC] [expire : 2029-01-15]
1F89983E0081FDE018F3CC9673A4F27B8DD47936
uid Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
sub rsa4096 2021-01-17 [S] [expire : 2029-01-15]
pub rsa4096 2021-01-17 [SC] [expire : 2029-01-15]
AC530D520F2F3269F5E98313A48449044AAD5C5D
uid Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
sub rsa4096 2021-01-17 [S] [expire : 2029-01-15]
pub rsa4096 2021-02-13 [SC] [expire : 2029-02-11]
A4285295FC7B1A81600062A9605C66F00D6C9793
uid Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>
pub ed25519 2023-01-23 [SC] [expire : 2031-01-21]
4D64FEC119C2029067D6E791F8D2585B8783D481
uid Debian Stable Release Key (12/bookworm) <debian-release@lists.debian.org>
pub rsa4096 2023-01-21 [SC] [expire : 2031-01-19]
B8B80B5B623EAB6AD8775C45B7C5D7D6350947F8
uid Debian Archive Automatic Signing Key (12/bookworm) <ftpmaster@debian.org>
sub rsa4096 2023-01-21 [S] [expire : 2031-01-19]
pub rsa4096 2023-01-21 [SC] [expire : 2031-01-19]
05AB90340C0C5E797F44A8C8254CF3B5AEC0A8F0
uid Debian Security Archive Automatic Signing Key (12/bookworm) <ftpmaster@debian.org>
sub rsa4096 2023-01-21 [S] [expire : 2031-01-19]
Code:
$> for KEY in /etc/apt/trusted.gpg.d/*; do echo "$KEY"; gpg --show-keys "$KEY"; done
/etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.asc
pub rsa4096 2023-01-21 [SC] [expire : 2031-01-19]
B8B80B5B623EAB6AD8775C45B7C5D7D6350947F8
uid Debian Archive Automatic Signing Key (12/bookworm) <ftpmaster@debian.org>
sub rsa4096 2023-01-21 [S] [expire : 2031-01-19]
/etc/apt/trusted.gpg.d/debian-archive-bookworm-security-automatic.asc
pub rsa4096 2023-01-21 [SC] [expire : 2031-01-19]
05AB90340C0C5E797F44A8C8254CF3B5AEC0A8F0
uid Debian Security Archive Automatic Signing Key (12/bookworm) <ftpmaster@debian.org>
sub rsa4096 2023-01-21 [S] [expire : 2031-01-19]
/etc/apt/trusted.gpg.d/debian-archive-bookworm-stable.asc
pub ed25519 2023-01-23 [SC] [expire : 2031-01-21]
4D64FEC119C2029067D6E791F8D2585B8783D481
uid Debian Stable Release Key (12/bookworm) <debian-release@lists.debian.org>
/etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.asc
pub rsa4096 2021-01-17 [SC] [expire : 2029-01-15]
1F89983E0081FDE018F3CC9673A4F27B8DD47936
uid Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
sub rsa4096 2021-01-17 [S] [expire : 2029-01-15]
/etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.asc
pub rsa4096 2021-01-17 [SC] [expire : 2029-01-15]
AC530D520F2F3269F5E98313A48449044AAD5C5D
uid Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
sub rsa4096 2021-01-17 [S] [expire : 2029-01-15]
/etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.asc
pub rsa4096 2021-02-13 [SC] [expire : 2029-02-11]
A4285295FC7B1A81600062A9605C66F00D6C9793
uid Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>
/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.asc
pub rsa4096 2019-04-14 [SC] [expire : 2027-04-12]
80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE
uid Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub rsa4096 2019-04-14 [S] [expire : 2027-04-12]
/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.asc
pub rsa4096 2019-04-14 [SC] [expire : 2027-04-12]
5E61B217265DA9807A23C5FF4DFAB270CAA96DFA
uid Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub rsa4096 2019-04-14 [S] [expire : 2027-04-12]
/etc/apt/trusted.gpg.d/debian-archive-buster-stable.asc
pub rsa4096 2019-02-05 [SC] [expire : 2027-02-03]
6D33866EDD8FFA41C0143AEDDCC9EFBF77E11517
uid Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>
So this is a safe way.
Note that /etc/apt/trusted.gpg is deprecated, which means it may no longer work in the future. I tested in unstable and it still works though.
I simulated a problem with the asc keys:
Code:
#> chmod 700 /etc/apt/trusted.gpg.d/
#> ls -l /etc/apt/trusted.gpg
lrwxrwxrwx 1 root root 46 Feb 28 13:25 /etc/apt/trusted.gpg -> /usr/share/keyrings/debian-archive-keyring.gpg
#> apt update
Get:1 https://deb.debian.org/debian bookworm InRelease [151 kB]
Hit:2 https://deb.debian.org/debian-security bookworm-security InRelease
Hit:3 https://deb.debian.org/debian bookworm-updates InRelease
Fetched 151 kB in 1s (221 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: https://deb.debian.org/debian/dists/bookworm/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://deb.debian.org/debian-security/dists/bookworm-security/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://deb.debian.org/debian/dists/bookworm-updates/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
and then without problem:
Code:
#> chmod 755 /etc/apt/trusted.gpg.d/
#> ls -l /etc/apt/trusted.gpg
lrwxrwxrwx 1 root root 46 Feb 28 13:25 /etc/apt/trusted.gpg -> /usr/share/keyrings/debian-archive-keyring.gpg
#> apt update
Get:1 https://deb.debian.org/debian bookworm InRelease [151 kB]
Hit:2 https://deb.debian.org/debian-security bookworm-security InRelease
Hit:3 https://deb.debian.org/debian bookworm-updates InRelease
Fetched 151 kB in 1s (246 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
When keys in /etc/apt/trusted.gpg.d/ are used, there is no longer a warning message. So if you notice that the messages have disappeared, you can test removing the /etc/apt/trusted.gpg symlink and it should work normally. If this happens, please post any events that might explain the change, such as which packages were updated just before or what configuration change was applied. Thanks.
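The two comparisons made by eye in the post above (the combined keyring holds every key shipped as an .asc file, and the directory mode that the chmod 700 test changed) can be scripted. This is an added example, not part of the original post; the function names and the `--audit` argument are hypothetical, and the paths are the ones quoted in the post.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the --audit
# argument are hypothetical; the paths are the ones used in the post.
KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg
KEYDIR=/etc/apt/trusted.gpg.d

# Read `gpg --with-colons` output on stdin and print primary-key fingerprints.
# An "fpr" record belongs to the closest preceding "pub" or "sub" record.
primary_fprs() {
    awk -F: '$1 == "pub" || $1 == "sub" { kind = $1 }
             $1 == "fpr" && kind == "pub" { print $10; kind = "" }' | sort -u
}

# Print lines present in sorted file $1 but absent from sorted file $2.
only_in() { comm -23 "$1" "$2"; }

# Succeed if "others" may read $1 (and search it, when it is a directory).
# Uses GNU stat, as shipped on Debian.
others_can_read() {
    case "$(stat -L -c %A "$1" 2>/dev/null)" in
        d??????r?[xt]*|-??????r*) return 0 ;;
        *) return 1 ;;
    esac
}

audit() {
    rc=0; ring=$(mktemp); dir=$(mktemp)
    gpg --show-keys --with-colons "$KEYRING" | primary_fprs > "$ring"
    for f in "$KEYDIR"/*.asc; do
        gpg --show-keys --with-colons "$f"
    done | primary_fprs > "$dir"
    for fpr in $(only_in "$dir" "$ring"); do
        echo "in $KEYDIR but not in keyring: $fpr"; rc=1
    done
    for f in "$KEYDIR" "$KEYDIR"/*; do
        others_can_read "$f" || { echo "not readable by others: $f"; rc=1; }
    done
    rm -f "$ring" "$dir"
    return "$rc"
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run it as `sh script.sh --audit`; no output and exit status 0 mean the keyring covers every .asc key and the permission bits are intact.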