https://bugs.winehq.org/show_bug.cgi?id=52439
Bug ID: 52439
Summary: apt-key is deprecated (bookworm/Debian)
Product: WineHQ.org
Version: unspecified
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: www-unknown
Assignee: wine-bugs@winehq.org
Reporter: osamu@debian.org
Distribution: ---
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
For Debian/bookworm (12) (and probably for Ubuntu 22.10), apt-key usage as described.
This affects the following pages:

* https://wiki.winehq.org/Debian
* https://wiki.winehq.org/Ubuntu

Specifically:
```
wget -nc https://dl.winehq.org/wine-builds/winehq.key
sudo apt-key add winehq.key
```
The above should be changed to:

* For Debian up to Buster(11):
```
wget -nc https://dl.winehq.org/wine-builds/winehq.key
sudo apt-key add winehq.key
```
* For Debian from Bookworm (12):
```
wget -nc https://dl.winehq.org/wine-builds/winehq.key
sudo cp winehq.key /etc/apt/trusted.gpg.d/winehq.gpg
```
I only tested this for Debian ....
Osamu
--- Comment #1 from OsamuAoki osamu@debian.org ---
I submitted with a couple of typos...
Important correction is:
* For Debian up to Buster(11):
This should have been
* For Debian up to Bullseye(11):
Osamu Aoki osamu.aoki@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |osamu.aoki@gmail.com

--- Comment #2 from Osamu Aoki osamu.aoki@gmail.com ---
Here is the issue of my previous suggestion and updated fix method.

What I suggested caused following
```
...
Reading package lists... Done
W: http://cdn-fastly.deb.debian.org/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/winehq.gpg are ignored as the file has an unsupported filetype.
W: https://dl.winehq.org/wine-builds/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/winehq.gpg are ignored as the file has an unsupported filetype.
W: https://dl.google.com/linux/chrome/deb/dists/stable/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/winehq.gpg are ignored as the file has an unsupported filetype.
```
As I see, winehq key is ascii armored while others are not.
OK, so here is the correct updated steps for Debian Bookworm/12 (and possibly future Ubuntu)
```
$ wget -nc https://dl.winehq.org/wine-builds/winehq.key
$ gpg --dearmor winehq.key
$ sudo mv winehq.key.gpg /etc/apt/trusted.gpg.d/winehq.key.gpg
```
Cheers!
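The failure described in comment #2, as an added example that is not part of the bug thread: a shell check that compares each keyring file's extension with its content, so an ASCII-armored key saved as `.gpg` is caught before apt warns about it. The function names and sample files are constructed for illustration; the check assumes the convention that `.gpg` files hold binary OpenPGP keys and `.asc` files hold armored ones, and it is not apt's own code.

```sh
#!/bin/sh
# Added example: function names and sample files are constructed for illustration.

# Print how a key file is encoded: armored, binary, empty or unknown.
key_format() {
    [ -s "$1" ] || { echo empty; return 0; }
    if head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo armored; return 0
    fi
    # A binary public-key packet starts with 0x98, 0x99 (old format) or 0xc6 (new).
    case $(od -An -tx1 -N1 "$1" | tr -d ' \n') in
        98|99|c6) echo binary ;;
        *)        echo unknown ;;
    esac
}

# Print one verdict per *.gpg / *.asc file in a directory; return 1 on any mismatch.
audit_keyrings() {
    dir=${1:-/etc/apt/trusted.gpg.d}
    bad=0
    for f in "$dir"/*.gpg "$dir"/*.asc; do
        [ -e "$f" ] || continue
        fmt=$(key_format "$f")
        case "${f##*.}:$fmt" in
            gpg:binary|asc:armored|*:empty) echo "ok       $f ($fmt)" ;;
            gpg:armored) echo "mismatch $f (armored; convert with gpg --dearmor)"; bad=1 ;;
            *)           echo "mismatch $f ($fmt)"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed demo: the same armored header saved under two names, plus a
# three-byte stand-in for a dearmored key (only the first byte is inspected).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$demo_dir/winehq.gpg"
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$demo_dir/winehq.asc"
printf '\231\001\015' > "$demo_dir/winehq.key.gpg"
audit_keyrings "$demo_dir" || echo "at least one keyring needs attention"
```

Run without an argument, `audit_keyrings` inspects `/etc/apt/trusted.gpg.d`; pass another directory such as `/usr/share/keyrings` to check it instead.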
jkfloris@dds.nl changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jkfloris@dds.nl

--- Comment #3 from jkfloris@dds.nl ---
According to the Debian Wiki [1] the key should be placed in /usr/share/keyrings/ with the name winehq-archive-keyring.gpg

This also requires the sources.list(.d/winehq.list) file to be changed to:
deb [signed-by=/usr/share/keyrings/winehq-archive-keyring.gpg] ...

Or create a DEB822 format winehq.sources file in /etc/apt/sources.list.d/
'''
Types: deb
URIs: https://dl.winehq.org/wine-builds/debian/
Suites: bookworm
Components: main
Signed-By: /usr/share/keyrings/winehq-archive-keyring.gpg
'''
The question is how these steps can be done in a simple, fail-safe, easy and foolproof way.
[1] https://wiki.debian.org/DebianRepository/UseThirdParty
Sveinar Søpler cybermax@dexter.no changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |cybermax@dexter.no

--- Comment #4 from Sveinar Søpler cybermax@dexter.no ---
(In reply to jkfloris from comment #3)
> According to the Debian Wiki [1] the key should be placed in /usr/share/keyrings/ with the name winehq-archive-keyring.gpg
>
> This also requires the sources.list(.d/winehq.list) file to be changed to:
> deb [signed-by=/usr/share/keyrings/winehq-archive-keyring.gpg] ...
>
> Or create a DEB822 format winehq.sources file in /etc/apt/sources.list.d/
> '''
> Types: deb
> URIs: https://dl.winehq.org/wine-builds/debian/
> Suites: bookworm
> Components: main
> Signed-By: /usr/share/keyrings/winehq-archive-keyring.gpg
> '''
>
> The question is how these steps can be done in a simple, fail-safe, easy and foolproof way.
I think it would be well worth looking into providing a DEB822 format file for each distro that can be downloaded and put into /etc/apt/sources.list.d/ instead of adding it to the system sources.list file.
I think it is possible to actually add the PGP key to the .sources file when using DEB822 format like this:
Types: deb
URIs: https://dl.winehq.org/wine-builds/debian/
Suites: bookworm
Components: main
Signed-By: -----BEGIN PGP PUBLIC KEY BLOCK-----

XXXXX
-----END PGP PUBLIC KEY BLOCK-----

So it will possibly only be:
wget -nc https://dl.winehq.org/wine-builds/winehq-bookworm.sources
sudo mv winehq-bookworm.sources /etc/apt/sources.list.d/
Needs some testing tho..
--- Comment #5 from jkfloris@dds.nl ---
Created attachment 72132
  --> https://bugs.winehq.org/attachment.cgi?id=72132
deb822 sources file
You are right, the attached .sources file works.
--- Comment #6 from Osamu Aoki osamu.aoki@gmail.com ---
Hi,
I didn't realize this DEB822. Thanks. I need to update debian-reference package/web pages.
apt (2.3.10) unstable; urgency=medium
[ Julian Andres Klode ]
- basehttp: Turn HaveContent into a TriState
- Set haveContent to FALSE on `Content-Length: 0` (Closes: #990281)
- Add support for embedding PGP keys into Signed-By in deb822 sources
...
-- Julian Andres Klode jak@debian.org Mon, 18 Oct 2021 16:35:21 +0200
Use of deb822 s may be a very good approach only after Debian/12 Bookworm release expected in late-2023 for the user of Debian stable platform. Considering Debian supports stable, oldstable, ... , we may need to wait at least late-2025 to move to use this deb822 for all use cases.
As updated by a Debian developer on 2021-11-18 :
https://wiki.debian.org/DebianRepository/UseThirdParty?action=diff&rev2=...
we should avoid ASCII-armored files at this moment for some Debian platforms.
So updated suggestion should be:
For users of Debian 12/Bookworm testing distribution, deb822 approach works but not for users of Debian 11/Bullseye stable distribution..
What I suggested which uses non-ASCII-armored file is more robust fall back method but not as secure.
...
> Or create a DEB822 format winehq.sources file in /etc/apt/sources.list.d/
> '''
> Types: deb
> URIs: https://dl.winehq.org/wine-builds/debian/
> Suites: bookworm
> Components: main
> Signed-By: /usr/share/keyrings/winehq-archive-keyring.gpg
> '''
>
> The question is how these steps can be done in a simple, fail-safe, easy and foolproof way.
This is a wiki page both you and I can update. At least, it is not written by apt upstream as a restrictive rule. So treat this as a nice reference but don't consider it as a Debian policy.
> I think it would be well worth looking into providing a DEB822 format file for each distro that can be downloaded and put into /etc/apt/sources.list.d/ instead of adding it to the system sources.list file.
> ...
Looks like it works. So please update document page by clearly specifying target audience by being specific distribution.
Osamu
--- Comment #7 from Sveinar Søpler cybermax@dexter.no ---
(In reply to Osamu Aoki from comment #6)
> Use of deb822 s may be a very good approach only after Debian/12 Bookworm release expected in late-2023 for the user of Debian stable platform. Considering Debian supports stable, oldstable, ... , we may need to wait at least late-2025 to move to use this deb822 for all use cases.

Since WineHQ already provides packages for Debian Bookworm, why does it have to be a "let's wait until everyone is using XX distro some time next century"?

Can't it be a slight difference on the WineHQ wiki page on how you add WineHQ package repo for Bookworm vs. others? (Should be doable to use this for Ubuntu 22.04 releasing this month too, as I think this would work with apt>=2.4.)
--- Comment #8 from Osamu Aoki osamu.aoki@gmail.com ---
Hi,
Sveinar, We are talking about cryptographic key mechanism which is used by the software package management tool APT during the normal package update. Without having public key installed in advance, the package installation of packages from wine-hq signed repo will be rejected by APT.
For Distribution itself, installer can by-pass this restriction for the public key file package during the initial installation.
Distribution's key file package can be updated as long as it is signed by an installed key. So something similar can be used to update the key file if wine-hq changes its public and secret key pair.
Cheers,
Osamu
--- Comment #9 from jkfloris@dds.nl ---
I think it is most convenient for the end user to have one manual that works everywhere. The following approach works on Debian Buster, Bullseye and Bookworm and I expect that it should not cause any problems on Ubuntu either.

Download and install the key:
wget -nc https://dl.winehq.org/wine-builds/winehq.key
sudo mv winehq.key /usr/share/keyrings/winehq-archive.key

Download and install the sources file for your distro, for example bookworm
wget -nc https://dl.winehq.org/wine-builds/winehq-bookworm.sources
sudo mv winehq-bookworm.sources /etc/apt/sources.list.d/

Where winehq-bookworm.sources contains the following:
---
Types: deb
URIs: https://dl.winehq.org/wine-builds/debian
Suites: bookworm
Components: main
Architectures: amd64 i386
Signed-By: /usr/share/keyrings/winehq-archive.key
---
Unfortunately, as far as I know, no variables can be used in a sources file, otherwise one file for all Debian/Ubuntu versions would have been possible.
--- Comment #10 from Sveinar Søpler cybermax@dexter.no ---
(In reply to Osamu Aoki from comment #8)
> Hi,
>
> Sveinar, We are talking about cryptographic key mechanism which is used by the software package management tool APT during the normal package update. Without having public key installed in advance, the package installation of packages from wine-hq signed repo will be rejected by APT.
>
> For Distribution itself, installer can by-pass this restriction for the public key file package during the initial installation.
>
> Distribution's key file package can be updated as long as it is signed by an installed key. So something similar can be used to update the key file if wine-hq changes its public and secret key pair.
>
> Cheers,
>
> Osamu
Not really sure why you felt this was relevant?
(In reply to jkfloris from comment #9)
> I think it is most convenient for the end user to have one manual that works everywhere. The following approach works on Debian Buster, Bullseye and Bookworm and I expect that it should not cause any problems on Ubuntu either.
Yeah, worked fine for Ubuntu 20.04 too. Don't have 18.04 installed atm, so can't tell if it would work there. 18.04 uses apt_1.6 vs. Buster uses 1.8. (It should work from apt>=1.1 onwards I think, but maybe needs testing?)

---
Types: deb
URIs: https://dl.winehq.org/wine-builds/ubuntu
Suites: focal
Components: main
Architectures: amd64 i386
Signed-By: /usr/share/keyrings/winehq-archive.key
---

So, only thing needed really is to provide .sources file for the various distros and a minor update to the install wikis.
--- Comment #11 from Osamu Aoki osamu.aoki@gmail.com ---
Hi,
Yes. As long as we avoid to use new embedding PGP keys (supported after 2021/Oct.), deb822 format has been supported for all relevant platforms.
So updated method proposed by jkfloris@dds.nl is the way to go.
Osamu
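The distinction drawn in comments #6 and #11, as an added example that is not part of the thread: a shell function that reads a deb822 `.sources` file and reports, per stanza, whether `Signed-By` names a keyring path or embeds the key, since only the embedded form depends on the apt change quoted in comment #6. The function names and the sample file (including its `XXXXX` key body) are constructed for illustration; the embedded block is indented as deb822 continuation lines.

```sh
#!/bin/sh
# Added example: function names and the sample file are constructed for illustration.

# Print "<suites> <kind> [<path>]" for every stanza of a deb822 .sources file,
# where kind is path, embedded or none.
signed_by_report() {
    awk '
    function emit() {
        if (seen) printf "%s %s%s\n", suite, kind, (path == "" ? "" : " " path)
        seen = 0; suite = "-"; kind = "none"; path = ""; in_sb = 0
    }
    BEGIN { emit() }
    /^[ \t]*$/ { emit(); next }            # a blank line ends the stanza
    /^#/       { next }                    # comment line
    /^[ \t]/   {                           # continuation of the previous field
        if (in_sb && /BEGIN PGP PUBLIC KEY BLOCK/) kind = "embedded"
        next
    }
    {
        seen = 1; in_sb = 0
        name = tolower($0); sub(/:.*/, "", name)
        value = $0; sub(/^[^:]*:[ \t]*/, "", value)
        if (name == "suites") suite = value
        if (name == "signed-by") {
            in_sb = 1
            if (value ~ /BEGIN PGP PUBLIC KEY BLOCK/) kind = "embedded"
            else if (value != "") { kind = "path"; path = value }
        }
    }
    END { emit() }
    ' "$1"
}

# Succeed when any stanza embeds its key, i.e. needs the apt release that
# added that feature (2.3.10 according to the changelog quoted in comment #6).
needs_embedded_key_support() {
    signed_by_report "$1" | grep -q ' embedded$'
}

# Constructed sample: one stanza with a keyring path, one with an embedded key.
sample=$(mktemp)
printf '%s\n' 'Types: deb' 'URIs: https://dl.winehq.org/wine-builds/debian' \
    'Suites: bookworm' 'Signed-By: /usr/share/keyrings/winehq-archive.key' '' \
    'Types: deb' 'URIs: https://dl.winehq.org/wine-builds/debian' \
    'Suites: bullseye' 'Signed-By:' ' -----BEGIN PGP PUBLIC KEY BLOCK-----' \
    ' .' ' XXXXX' ' -----END PGP PUBLIC KEY BLOCK-----' > "$sample"
signed_by_report "$sample"
needs_embedded_key_support "$sample" && echo "embedded key found"
```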
--- Comment #12 from jkfloris@dds.nl ---
Maybe a stupid question, but I have created the sources files for Ubuntu (Bionic, Focal, Impish and Jammy) and Debian (Buster, Bullseye and Bookworm) but how do I get them on dl.winehq.org?
When the files are uploaded, I would like to edit the WineHQ wiki pages.
Rosanne DiMesio dimesio@earthlink.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |shtetldik@gmail.com

--- Comment #13 from Rosanne DiMesio dimesio@earthlink.net ---
*** Bug 52598 has been marked as a duplicate of this bug. ***
--- Comment #14 from Rosanne DiMesio dimesio@earthlink.net ---
(In reply to jkfloris from comment #12)
> When the files are uploaded, I would like to edit the WineHQ wiki pages.
The files are now there, so you can go ahead and edit the wiki.
--- Comment #15 from jkfloris@dds.nl ---
The WineHQ wiki has been updated. Feel free to better phrase the removal of the old key and the repository.
Could someone ping 'Jactry' to update the Chinese translations as well?
--- Comment #16 from Jactry Zeng jactry92@gmail.com ---
(In reply to jkfloris from comment #15)
> The WineHQ wiki has been updated. Feel free to better phrase the removal of the old key and the repository.
>
> Could someone ping 'Jactry' to update the Chinese translations as well?
Sure, I will take care of the Simplified Chinese translation. Thanks for the heads up!
--- Comment #17 from Jactry Zeng jactry92@gmail.com ---
Hi,

(In reply to Jactry Zeng from comment #16)
> (In reply to jkfloris from comment #15)
> > The WineHQ wiki has been updated. Feel free to better phrase the removal of the old key and the repository.
> >
> > Could someone ping 'Jactry' to update the Chinese translations as well?
>
> Sure, I will take care of the Simplified Chinese translation. Thanks for the heads up!

Sorry, I forgot to update here after I updated the Simplified Chinese translations.
Should we close this bug now?
Rosanne DiMesio dimesio@earthlink.net changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|UNCONFIRMED |RESOLVED

--- Comment #18 from Rosanne DiMesio dimesio@earthlink.net ---
Closing fixed.
Ken Sharp imwellcushtymelike@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED

--- Comment #19 from Ken Sharp imwellcushtymelike@gmail.com ---
Closing