From 373e78895ec013364e0cb45fa25fe61ac6711eab Mon Sep 17 00:00:00 2001 From: Giteabot Date: Fri, 29 Dec 2023 13:44:47 +0800 Subject: [PATCH] switch destination directory for apt signing keys (#28639) (#28642) Backport #28639 by @denyskon According to [Debian docs](https://wiki.debian.org/DebianRepository/UseThirdParty): > The certificate MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add. > ... > If future updates to the certificate will be managed by an apt/dpkg package as recommended below, then it SHOULD be downloaded into /usr/share/keyrings using the same filename that will be provided by the package. If it will be managed locally , it SHOULD be downloaded into /etc/apt/keyrings instead. > ... > A sources.list entry SHOULD have the signed-by option set. Co-authored-by: Denys Konovalov --- docs/content/usage/packages/debian.en-us.md | 6 +++--- docs/content/usage/packages/debian.zh-cn.md | 6 +++--- templates/package/content/debian.tmpl | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/content/usage/packages/debian.en-us.md b/docs/content/usage/packages/debian.en-us.md index 6bd7475dd64..127dcb27f8f 100644 --- a/docs/content/usage/packages/debian.en-us.md +++ b/docs/content/usage/packages/debian.en-us.md @@ -27,7 +27,7 @@ The following examples use `apt`. To register the Debian registry add the url to the list of known apt sources: ```shell -echo "deb https://gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list +echo "deb [signed-by=/etc/apt/keyrings/gitea-{owner}.asc] https://gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list ``` | Placeholder | Description | @@ -39,13 +39,13 @@ echo "deb https://gitea.example.com/api/packages/{owner}/debian {distribution} { If the registry is private, provide credentials in the url. You can use a password or a [personal access token](development/api-usage.md#authentication): ```shell -echo "deb https://{username}:{your_password_or_token}@gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list +echo "deb [signed-by=/etc/apt/keyrings/gitea-{owner}.asc] https://{username}:{your_password_or_token}@gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list ``` The Debian registry files are signed with a PGP key which must be known to apt: ```shell -sudo curl https://gitea.example.com/api/packages/{owner}/debian/repository.key -o /etc/apt/trusted.gpg.d/gitea-{owner}.asc +sudo curl https://gitea.example.com/api/packages/{owner}/debian/repository.key -o /etc/apt/keyrings/gitea-{owner}.asc ``` Afterwards update the local package index: diff --git a/docs/content/usage/packages/debian.zh-cn.md b/docs/content/usage/packages/debian.zh-cn.md index 417b79f703d..181130c5023 100644 --- a/docs/content/usage/packages/debian.zh-cn.md +++ b/docs/content/usage/packages/debian.zh-cn.md @@ -27,7 +27,7 @@ menu: 要注册 Debian 注册表,请将 URL 添加到已知 `apt` 源列表中: ```shell -echo "deb https://gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list +echo "deb [signed-by=/etc/apt/keyrings/gitea-{owner}.asc] https://gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list ``` | 占位符 | 描述 | @@ -39,13 +39,13 @@ echo "deb https://gitea.example.com/api/packages/{owner}/debian {distribution} { 如果注册表是私有的,请在 URL 中提供凭据。您可以使用密码或[个人访问令牌](development/api-usage.md#通过-api-认证): ```shell -echo "deb https://{username}:{your_password_or_token}@gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list +echo "deb [signed-by=/etc/apt/keyrings/gitea-{owner}.asc] https://{username}:{your_password_or_token}@gitea.example.com/api/packages/{owner}/debian {distribution} {component}" | sudo tee -a /etc/apt/sources.list.d/gitea.list ``` Debian 注册表文件使用 PGP 密钥进行签名,`apt` 必须知道该密钥: ```shell -sudo curl https://gitea.example.com/api/packages/{owner}/debian/repository.key -o /etc/apt/trusted.gpg.d/gitea-{owner}.asc +sudo curl https://gitea.example.com/api/packages/{owner}/debian/repository.key -o /etc/apt/keyrings/gitea-{owner}.asc ``` 然后更新本地软件包索引: diff --git a/templates/package/content/debian.tmpl b/templates/package/content/debian.tmpl index 242ee1fba41..1fde87f329e 100644 --- a/templates/package/content/debian.tmpl +++ b/templates/package/content/debian.tmpl @@ -4,8 +4,8 @@
-
sudo curl  -o /etc/apt/trusted.gpg.d/gitea-{{$.PackageDescriptor.Owner.Name}}.asc
-echo "deb  $distribution $component" | sudo tee -a /etc/apt/sources.list.d/gitea.list
+				
sudo curl  -o /etc/apt/keyrings/gitea-{{$.PackageDescriptor.Owner.Name}}.asc
+echo "deb [signed-by=/etc/apt/keyrings/gitea-{{$.PackageDescriptor.Owner.Name}}.asc]  $distribution $component" | sudo tee -a /etc/apt/sources.list.d/gitea.list
 sudo apt update

{{ctx.Locale.Tr "packages.debian.registry.info" | Safe}}