Knighthana
文章96
标签139
分类7

文章归档

(KM)向trusted.gpg.d中加入密钥是不安全的

(KM)向trusted.gpg.d中加入密钥是不安全的

向/etc/apt/trusted.gpg.d中加入密钥是不安全的

Adding a key to /etc/apt/trusted.gpg.d is insecure

Adding a key to /etc/apt/trusted.gpg.d is insecure because it adds the key for all repositories. This is exactly why apt-key had to be deprecated.

The proper solution is explained in that Linux Uprising article and on the Debian Wiki: Store the key in /etc/apt/keyrings/ (or /usr/share/keyrings/ if you're the package maintainer), and then reference the key in the apt source list.

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead


上次因为安装slack的deb包,而在apt时报过类似错误,当时也没怎么当回事(我觉得主要是被apt之前的依赖爆炸搞出心理阴影了)

这两天准备安装docker,官方的教程里面提到要添加一个docker组织的gpg-key,需要在/etc/apt/新建一个keyrings/目录,查看了/etc/apt/目录,看到其中包含trusted.gpg.d/这个目录,从字面意思理解,这是“信任的gpg-key文件目录”,疑惑为什么docker的教程要求另建一个keyrings目录,于是查找了一下trusted.gpg.d到底是做什么用的,然后看到了上面来自stackoverflow的回答

看来随便往trsuted.gpg.d里面放东西是有安全风险的,还是按照标准来比较好

2023/04/11