Use `signed-by=` in `sources.list` files

[DemiMarie]

How to file a helpful issue

The problem you're addressing (if any)

The Qubes OS keys currently need to be included in the APT keyring via /etc/apt/trusted.d. That keyring applies to all packages, though, not just Qubes packages. Debian’s wiki recommends using signed-by= instead.

The solution you'd like

Use signed-by= with a dedicated keyring.

The value to a user, and who that user might be

Qubes OS will be compliant with Debian recommendations.

[adrelanos]

This is what Whonix uses:

deb [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bullseye main contrib non-free

See files names:

ls -la /usr/share/keyrings/

[adrelanos]

Quote @marmarek QubesOS/qubes-core-agent-linux#371 (comment)

Generally I like this change, but I worry about upgrade: if user modified the sources.list file (for example to enable testing updates), the new version will be saved in .dpkg-new, right? In that case, old file will be used, but the key in the old location will be gone. This will break installing any further updates.

Any ideas? Keep old keyring location (too) for the time being?

[adrelanos]

This issue might happen. It's conceivable.

Generally I like this change, but I worry about upgrade: if user modified the sources.list file (for example to enable testing updates), the new version will be saved in .dpkg-new, right?

Yes.

[marmarek]

Upgrade tool (#7832) will handle that.

[unman]

There's confusion here, i think. If users have set keys with apt-key they wont magically disappear. Those old defs will still work, warnings and all. There was talk of apt-key ending with bullseye, but it's still in bookworm packages, (and sid). When that mechanism is dropped then Debian will likely provide a transitional tool. Unless I'm missing something.