Support for storing apt keys in separate files

[dhs-rec]

Use Case

The apt-key command has been deprecated in Debian testing aka bookworm in favor of storing key files directly into either /etc/apt/trusted.gpg.d/ or /etc/apt/keyrings/ and (in case of the latter) refer to them directly in individual sources.list entries (like [ signed-by=/path/to/file.gpg ].

This also already works in Debian stable aka bullseye (and maybe oldstable/buster) and corresponding Ubuntu versions. So it would be nice to have this in place already before bookworm is released, esp. so as apt-get update will emit warnings for all keys still stored in the /etc/apt/trusted.gpg file.

Describe the Solution You Would Like

apt::key should have options to store keys downloaded as .gpg or .asc files in one of the directories above.

Describe Alternatives You've Considered

Only alternative I see currently is to use a file resource instead of apt::key.

Additional Context

https://manpages.debian.org/testing/apt/apt-key.8.en.html

[kenyon]

This is https://tickets.puppetlabs.com/browse/MODULES-9695.

[github-actions]

Hello! 👋

This issue has been open for a while and has had no recent activity. We've labelled it with attention-needed so that we can get a clear view of which issues need our attention.

If you are waiting on a response from us we will try and address your comments on a future Community Day.

Alternatively, if it is no longer relevant to you please close the issue with a comment.

[dhs-rec]

Yeah, the bot is right: Ubuntu 22.04 has already transitioned to the new style, so this should really get some attention.

A bit more information can be found here: https://wiki.debian.org/DebianRepository/UseThirdParty

[jamesps-ebi]

It looks like this module already supports the [ signed-by=/path/to/file.gpg ] option for apt::source resources. So that aspect is already taken care of.

I guess it's just a case of placing keys under /etc/apt/trusted.gpg.d or /usr/share/keyrings by default.
Since the apt-key is deprecated in all current Debian/Ubuntu distributions, the ability to pull keys from a keyserver should probably be removed completely, which would make this a breaking change for existing deployments.

It might be possible to remove the existing apt_key provider in favour of a simple file resource to create the keyfiles on the managed node.

[dhs-rec]

I guess it's just a case of placing keys under /etc/apt/trusted.gpg.d or /usr/share/keyrings by default.

/etc/apt/keyrings or /usr/share/keyrings, depending on whether the keyring in question is managed by a package later on (see link above).

[heini]

BTW: https://discourse.ubuntu.com/t/spec-apt-deb822-sources-by-default/29333

Supporting deb822 format (like apt::deb822) would make the whole thing quite easy. Could be done with a template and two file resources (one for the repository definition file, one for the key).

See sources.list(5) for the details.

[jamesps-ebi]

BTW: https://discourse.ubuntu.com/t/spec-apt-deb822-sources-by-default/29333

Tested on my Ubuntu 22.04.1 LTS box. Looks like this format is already supported and works in combination with the old format, but is not currently the default for Ubuntu.
As far as I can tell, it is also supported in the latest stable release of Debian (bullseye), but again is not the default.

Until both distros switch to deb822 format, there may be some compatibility issues with other programs that interact with apt sources. But it does look like efforts are being to make this format default in the next stable release of both Debian and Ubuntu.

Some more supporting docs for anyone interested in implementing this:

• Overview - https://repolib.readthedocs.io/en/latest/deb822-format.html
• Supplying GPG key within the .sources file - https://groups.google.com/g/linux.debian.devel/c/nWySGILAbe0

[dhs-rec]

It is supported in Debian (and thus Ubuntu) since Stretch. From sources.list (5):

This is a new format supported by apt itself since version 1.1.

[LirionOSS]

#1034 (comment)

[...] Since the apt-key is deprecated in all current Debian/Ubuntu distributions, the ability to pull keys from a keyserver should probably be removed completely, which would make this a breaking change for existing deployments.

It might be possible to remove the existing apt_key provider in favour of a simple file resource to create the keyfiles on the managed node.

Yes, a hard switch from one release to the other may break things. One could opt for continuing to support apt-key while bringing in the new way of providing a file as suggested. Meaning: defining something like "provider" defaulting to "file" and optionally answering to "aptkey". That is, if we continue to use something like apt::key. If you do separate key distribution by files, you can already do this and just ignore apt::key (e.g. apt::source's apt update will ofc work fine if the key file has been placed prior to its execution).

And as to the "deb [ signed-by=/some/file ]" inside sources.list: I'd consider this optional, since in reality it also is: there are default locations for the keys. If keys are placed there, they are being used. apt::key (or whatever) should take this into account, too.