[Bug 52439] New: apt-key is deprecated (bookworm/Debian)
https://bugs.winehq.org/show_bug.cgi?id=52439

Bug ID: 52439
Summary: apt-key is deprecated (bookworm/Debian)
Product: WineHQ.org
Version: unspecified
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: www-unknown
Assignee: wine-bugs(a)winehq.org
Reporter: osamu(a)debian.org
Distribution: ---

apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.

For Debian/bookworm (12) (and probably for Ubuntu 22.10), apt-key usage as described.

This affects the following pages:
* https://wiki.winehq.org/Debian
* https://wiki.winehq.org/Ubuntu

Specifically:
```
wget -nc https://dl.winehq.org/wine-builds/winehq.key
sudo apt-key add winehq.key
```
The above should be changed to:

* For Debian up to Buster(11):
```
wget -nc https://dl.winehq.org/wine-builds/winehq.key
sudo apt-key add winehq.key
```
* For Debian from Bookworm (12):
```
wget -nc https://dl.winehq.org/wine-builds/winehq.key
sudo cp winehq.key /etc/apt/trusted.gpg.d/winehq.gpg
```

I only tested this for Debian ....

Osamu

--
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

https://bugs.winehq.org/show_bug.cgi?id=52439

--- Comment #1 from OsamuAoki <osamu(a)debian.org> ---
I submitted with a couple of typos...

Important correction is:

* For Debian up to Buster(11):

This should have been

* For Debian up to Bullseye(11):

https://bugs.winehq.org/show_bug.cgi?id=52439

Osamu Aoki <osamu.aoki(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |osamu.aoki(a)gmail.com

--- Comment #2 from Osamu Aoki <osamu.aoki(a)gmail.com> ---
Here is the issue of my previous suggestion and updated fix method.

What I suggested caused the following
```
...
Reading package lists... Done
W: http://cdn-fastly.deb.debian.org/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/winehq.gpg are ignored as the file has an unsupported filetype.
W: https://dl.winehq.org/wine-builds/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/winehq.gpg are ignored as the file has an unsupported filetype.
W: https://dl.google.com/linux/chrome/deb/dists/stable/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/winehq.gpg are ignored as the file has an unsupported filetype.
```
As I see, winehq key is ascii armored while others are not.

OK, so here are the correct updated steps for Debian Bookworm/12 (and possibly future Ubuntu)
```
$ wget -nc https://dl.winehq.org/wine-builds/winehq.key
$ gpg --dearmor winehq.key
$ sudo mv winehq.key.gpg /etc/apt/trusted.gpg.d/winehq.key.gpg
```
Cheers!
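
Added example (not part of the bug thread or of apt): a shell check for the mismatch behind the warning in comment #2, where ASCII-armored key data was stored under a `.gpg` name in `/etc/apt/trusted.gpg.d/`. It assumes the rule that this directory takes binary keyrings as `.gpg` and, from apt 1.4, armored ones as `.asc`; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. The content checks are heuristics of this sketch, not apt code.

# key_encoding FILE -> armored | binary | unknown
key_encoding() {
    # A binary OpenPGP public-key packet starts with 0x98/0x99/0x9a
    # (old packet format, tag 6) or 0xc6 (new packet format, tag 6).
    case "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" in
        98|99|9a|c6) echo binary; return ;;
    esac
    case "$(head -n 1 "$1" | tr -d '\r')" in
        '-----BEGIN PGP PUBLIC KEY BLOCK-----') echo armored ;;
        *) echo unknown ;;
    esac
}

# trusted_d_check FILE -> OK | MISMATCH ... | UNSUPPORTED-EXTENSION
# Compares what the file name promises with what the file contains.
trusted_d_check() {
    enc=$(key_encoding "$1")
    case "$1" in
        *.gpg) want=binary ;;
        *.asc) want=armored ;;
        *) echo "UNSUPPORTED-EXTENSION"; return ;;
    esac
    if [ "$enc" = "$want" ]; then echo OK
    else echo "MISMATCH: extension expects $want, content is $enc"; fi
}

# Constructed sample files (no real key material).
demo=$(mktemp -d)
# Armored data under a .gpg name: the first suggestion in this bug.
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' 'CONSTRUCTED' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$demo/winehq.gpg"
# Binary data under a .gpg name: what `gpg --dearmor` produces.
printf '\231\001\015\004' > "$demo/winehq.key.gpg"
for f in "$demo"/*; do
    printf '%s: %s\n' "${f##*/}" "$(trusted_d_check "$f")"
done
rm -rf "$demo"
```
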

https://bugs.winehq.org/show_bug.cgi?id=52439

jkfloris(a)dds.nl changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jkfloris(a)dds.nl

--- Comment #3 from jkfloris(a)dds.nl ---
According to the Debian Wiki [1] the key should be placed in /usr/share/keyrings/ with the name winehq-archive-keyring.gpg

This also requires the sources.list(.d/winehq.list) file to be changed to:
deb [signed-by=/usr/share/keyrings/winehq-archive-keyring.gpg] ...

Or create a DEB822 format winehq.sources file in /etc/apt/sources.list.d/
'''
Types: deb
URIs: https://dl.winehq.org/wine-builds/debian/
Suites: bookworm
Components: main
Signed-By: /usr/share/keyrings/winehq-archive-keyring.gpg
'''

The question is how these steps can be done in a simple, fail-safe, easy and foolproof way.

[1] https://wiki.debian.org/DebianRepository/UseThirdParty

https://bugs.winehq.org/show_bug.cgi?id=52439

Sveinar Søpler <cybermax(a)dexter.no> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |cybermax(a)dexter.no

--- Comment #4 from Sveinar Søpler <cybermax(a)dexter.no> ---
(In reply to jkfloris from comment #3)
> According to the Debian Wiki [1] the key should be placed in /usr/share/keyrings/ with the name winehq-archive-keyring.gpg
>
> This also requires the sources.list(.d/winehq.list) file to be changed to:
> deb [signed-by=/usr/share/keyrings/winehq-archive-keyring.gpg] ...
>
> Or create a DEB822 format winehq.sources file in /etc/apt/sources.list.d/
> '''
> Types: deb
> URIs: https://dl.winehq.org/wine-builds/debian/
> Suites: bookworm
> Components: main
> Signed-By: /usr/share/keyrings/winehq-archive-keyring.gpg
> '''
>
> The question is how these steps can be done in a simple, fail-safe, easy and foolproof way.

I think it would be well worth looking into providing a DEB822 format file for each distro that can be downloaded and put into /etc/apt/sources.list.d/ instead of adding it to the system sources.list file.

I think it is possible to actually add the PGP key to the .sources file when using DEB822 format like this:

Types: deb
URIs: https://dl.winehq.org/wine-builds/debian/
Suites: bookworm
Components: main
Signed-By:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 XXXXX
 -----END PGP PUBLIC KEY BLOCK-----

So it will possibly only be:

wget -nc https://dl.winehq.org/wine-builds/winehq-bookworm.sources
sudo mv winehq-bookworm.sources /etc/apt/sources.list.d/

Needs some testing tho..

https://bugs.winehq.org/show_bug.cgi?id=52439

--- Comment #5 from jkfloris(a)dds.nl ---
Created attachment 72132
  --> https://bugs.winehq.org/attachment.cgi?id=72132
deb822 sources file

You are right, the attached .sources file works.

https://bugs.winehq.org/show_bug.cgi?id=52439

--- Comment #6 from Osamu Aoki <osamu.aoki(a)gmail.com> ---
Hi,

I didn't realize this DEB822. Thanks. I need to update debian-reference package/web pages.

> apt (2.3.10) unstable; urgency=medium
>
>   [ Julian Andres Klode ]
>   * basehttp: Turn HaveContent into a TriState
>   * Set haveContent to FALSE on `Content-Length: 0` (Closes: #990281)
>   * Add support for embedding PGP keys into Signed-By in deb822 sources
> ...
>  -- Julian Andres Klode <jak(a)debian.org>  Mon, 18 Oct 2021 16:35:21 +0200

Use of deb822 s may be a very good approach only after Debian/12 Bookworm release expected in late-2023 for the user of Debian stable platform. Considering Debian supports stable, oldstable, ... , we may need to wait at least late-2025 to move to use this deb822 for all use cases.

As updated by a Debian developer on 2021-11-18:
https://wiki.debian.org/DebianRepository/UseThirdParty?action=diff&rev2=46&r...
we should avoid ASCII-armored files at this moment for some Debian platforms.

So updated suggestion should be:

For users of Debian 12/Bookworm testing distribution, deb822 approach works but not for users of Debian 11/Bullseye stable distribution.

What I suggested which uses non-ASCII-armored file is more robust fall back method but not as secure.

...
> Or create a DEB822 format winehq.sources file in /etc/apt/sources.list.d/
> '''
> Types: deb
> URIs: https://dl.winehq.org/wine-builds/debian/
> Suites: bookworm
> Components: main
> Signed-By: /usr/share/keyrings/winehq-archive-keyring.gpg
> '''
>
> The question is how these steps can be done in a simple, fail-safe, easy and foolproof way.

This is a wiki page both you and I can update. At least, it is not written by apt upstream as a restrictive rule. So treat this as a nice reference but don't consider it as a Debian policy.

> I think it would be well worth looking into providing a DEB822 format file for each distro that can be downloaded and put into /etc/apt/sources.list.d/ instead of adding it to the system sources.list file.
> ...

Looks like it works. So please update document page by clearly specifying target audience by being specific distribution.

Osamu

https://bugs.winehq.org/show_bug.cgi?id=52439

--- Comment #7 from Sveinar Søpler <cybermax(a)dexter.no> ---
(In reply to Osamu Aoki from comment #6)
> Use of deb822 s may be a very good approach only after Debian/12 Bookworm release expected in late-2023 for the user of Debian stable platform. Considering Debian supports stable, oldstable, ... , we may need to wait at least late-2025 to move to use this deb822 for all use cases.

Since WineHQ already provides packages for Debian Bookworm, why does it have to be a "let's wait until everyone is using XX distro some time next century"?

Can't it be a slight difference on the WineHQ wiki page on how you add WineHQ package repo for Bookworm vs. others (Should be doable to use this for Ubuntu 22.04 releasing this month too, as I think this would work with apt>=2.4).

https://bugs.winehq.org/show_bug.cgi?id=52439

--- Comment #8 from Osamu Aoki <osamu.aoki(a)gmail.com> ---
Hi,

Sveinar, We are talking about cryptographic key mechanism which is used by the software package management tool APT during the normal package update. Without having public key installed in advance, the package installation of packages from wine-hq signed repo will be rejected by APT.

For Distribution itself, installer can by-pass this restriction for the public key file package during the initial installation.

Distribution's key file package can be updated as long as it is signed by an installed key. So something similar can be used to update the key file if wine-hq changes its public and secret key pair.

Cheers,

Osamu

https://bugs.winehq.org/show_bug.cgi?id=52439

--- Comment #9 from jkfloris(a)dds.nl ---
I think it is most convenient for the end user to have one manual that works everywhere. The following approach works on Debian Buster, Bullseye and Bookworm and I expect that it should not cause any problems on Ubuntu either.

Download and install the key:

wget -nc https://dl.winehq.org/wine-builds/winehq.key
sudo mv winehq.key /usr/share/keyrings/winehq-archive.key

Download and install the sources file for your distro, for example bookworm

wget -nc https://dl.winehq.org/wine-builds/winehq-bookworm.sources
sudo mv winehq-bookworm.sources /etc/apt/sources.list.d/

Where winehq-bookworm.sources contains the following:
---
Types: deb
URIs: https://dl.winehq.org/wine-builds/debian
Suites: bookworm
Components: main
Architectures: amd64 i386
Signed-By: /usr/share/keyrings/winehq-archive.key
---

Unfortunately, as far as I know, no variables can be used in a sources file, otherwise one file for all Debian/ Ubuntu versions would have been possible.

https://bugs.winehq.org/show_bug.cgi?id=52439

--- Comment #10 from Sveinar Søpler <cybermax(a)dexter.no> ---
(In reply to Osamu Aoki from comment #8)
> Hi,
>
> Sveinar, We are talking about cryptographic key mechanism which is used by the software package management tool APT during the normal package update. Without having public key installed in advance, the package installation of packages from wine-hq signed repo will be rejected by APT.
>
> For Distribution itself, installer can by-pass this restriction for the public key file package during the initial installation.
>
> Distribution's key file package can be updated as long as it is signed by an installed key. So something similar can be used to update the key file if wine-hq changes its public and secret key pair.
>
> Cheers,
>
> Osamu

Not really sure why you felt this was relevant?

(In reply to jkfloris from comment #9)
> I think it is most convenient for the end user to have one manual that works everywhere. The following approach works on Debian Buster, Bullseye and Bookworm and I expect that it should not cause any problems on Ubuntu either.

Yeah, worked fine for Ubuntu 20.04 too. Don't have 18.04 installed atm, so can't tell if it would work there. 18.04 uses apt_1.6 vs. Buster uses 1.8. (It should work from apt>=1.1 onwards I think, but maybe needs testing?)

---
Types: deb
URIs: https://dl.winehq.org/wine-builds/ubuntu
Suites: focal
Components: main
Architectures: amd64 i386
Signed-By: /usr/share/keyrings/winehq-archive.key
---

So, only thing needed really is to provide .sources file for the various distros and a minor update to the install wikis.

https://bugs.winehq.org/show_bug.cgi?id=52439

--- Comment #11 from Osamu Aoki <osamu.aoki(a)gmail.com> ---
Hi,

Yes. As long as we avoid to use new embedding PGP keys (supported after 2021/Oct.), deb822 format has been supported for all relevant platforms.

So updated method proposed by jkfloris(a)dds.nl is the way to go.

Osamu
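
Added example (not from the thread or the WineHQ wiki): an audit of deb822 `.sources` stanzas for the Signed-By forms discussed in comments #3 to #11, namely a keyring path scoped to one repository, an embedded key (apt 2.3.10 and later per the changelog quoted in comment #6), or no Signed-By at all. The function name `audit_sources`, the verdict labels and the `repo.example.invalid` stanza are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how each deb822 stanza pins its signing key.
#   KEYRING-FILE <path>  key scoped to this repository via Signed-By
#   EMBEDDED-KEY         armored key inside the stanza (needs apt >= 2.3.10)
#   FINGERPRINT <fpr>    pinned by fingerprint, key kept in the global keyring
#   UNSCOPED             no Signed-By: any globally trusted key is accepted
audit_sources() {
    awk '
    function flush(   v) {
        if (uris != "") {
            if (!has_sb)                                v = "UNSCOPED"
            else if (sb ~ /BEGIN PGP PUBLIC KEY BLOCK/) v = "EMBEDDED-KEY"
            else if (sb ~ /^\//)                        v = "KEYRING-FILE " sb
            else                                        v = "FINGERPRINT " sb
            print uris, suites, v
        }
        uris = suites = sb = field = ""; has_sb = 0
    }
    /^#/       { next }                       # comment line
    /^[ \t]*$/ { flush(); next }              # blank line ends a stanza
    /^[ \t]/   { if (field == "signed-by") sb = sb $0; next }  # continuation
    {
        i = index($0, ":"); if (i == 0) next
        field = tolower(substr($0, 1, i - 1)) # field names are case-insensitive
        val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (field == "uris")           uris = val
        else if (field == "suites")    suites = val
        else if (field == "signed-by") { sb = val; has_sb = 1 }
    }
    END { flush() }
    ' "$@"
}

# Constructed input: the stanza from comment #9 plus one hypothetical
# repository that has no Signed-By field.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Types: deb
URIs: https://dl.winehq.org/wine-builds/debian
Suites: bookworm
Components: main
Architectures: amd64 i386
Signed-By: /usr/share/keyrings/winehq-archive.key

Types: deb
URIs: https://repo.example.invalid/apt
Suites: stable
Components: main
EOF
audit_sources "$sample"
rm -f "$sample"
```

Run it as `audit_sources /etc/apt/sources.list.d/*.sources`; one-line `.list` entries are not parsed by this sketch.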

https://bugs.winehq.org/show_bug.cgi?id=52439

--- Comment #12 from jkfloris(a)dds.nl ---
Maybe a stupid question, but I have created the sources files for Ubuntu (Bionic, Focal, Impish and Jammy) and Debian (Buster, Bullseye and Bookworm) but how do I get them on dl.winehq.org?

When the files are uploaded, I would like to edit the WineHQ wiki pages.

https://bugs.winehq.org/show_bug.cgi?id=52439

Rosanne DiMesio <dimesio(a)earthlink.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |shtetldik(a)gmail.com

--- Comment #13 from Rosanne DiMesio <dimesio(a)earthlink.net> ---
*** Bug 52598 has been marked as a duplicate of this bug. ***

https://bugs.winehq.org/show_bug.cgi?id=52439

--- Comment #14 from Rosanne DiMesio <dimesio(a)earthlink.net> ---
(In reply to jkfloris from comment #12)
> When the files are uploaded, I would like to edit the WineHQ wiki pages.

The files are now there, so you can go ahead and edit the wiki.

https://bugs.winehq.org/show_bug.cgi?id=52439

--- Comment #15 from jkfloris(a)dds.nl ---
The WineHQ wiki has been updated. Feel free to better phrase the removal of the old key and the repository.

Could someone ping 'Jactry' to update the Chinese translations as well?

https://bugs.winehq.org/show_bug.cgi?id=52439

--- Comment #16 from Jactry Zeng <jactry92(a)gmail.com> ---
(In reply to jkfloris from comment #15)
> The WineHQ wiki has been updated. Feel free to better phrase the removal of the old key and the repository.
>
> Could someone ping 'Jactry' to update the Chinese translations as well?

Sure, I will take care of the Simplified Chinese translation. Thanks for the heads up!

https://bugs.winehq.org/show_bug.cgi?id=52439

--- Comment #17 from Jactry Zeng <jactry92(a)gmail.com> ---
Hi,

(In reply to Jactry Zeng from comment #16)
> (In reply to jkfloris from comment #15)
> > The WineHQ wiki has been updated. Feel free to better phrase the removal of the old key and the repository.
> >
> > Could someone ping 'Jactry' to update the Chinese translations as well?
>
> Sure, I will take care of the Simplified Chinese translation. Thanks for the heads up!

Sorry, I forgot to update here after I updated the Simplified Chinese translations. Should we close this bug now?

https://bugs.winehq.org/show_bug.cgi?id=52439

Rosanne DiMesio <dimesio(a)earthlink.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #18 from Rosanne DiMesio <dimesio(a)earthlink.net> ---
Closing fixed.

https://bugs.winehq.org/show_bug.cgi?id=52439

Ken Sharp <imwellcushtymelike(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #19 from Ken Sharp <imwellcushtymelike(a)gmail.com> ---
Closing