What are GPG-Keys for with Repositories? - TUXEDO Computers


In general, both internal distribution repositories and third-party repositories are protected with a GPG key. As long as these keys do not fall into the wrong hands, third parties cannot tamper with these repositories.

If an attacker were to compromise the server hosting the repository and modify its content without possessing the key, this would be noticed, because the attacker could not sign the changes with the original key.

Previous method apt-key obsolete (Example)

Debian and, consequently, its derivatives such as Ubuntu and TUXEDO OS have long used a tool called apt-key to store these keys in the file system. The method has been declared insecure in Debian for about 10 years and will be phased out with Debian 12 in 2023.

Most third-party repository providers still use apt-key in their instructions for adding their repositories, for example the messenger Wire. There you can find the instruction:

wget -q https://wire-app.wire.com/linux/releases.key -O- | sudo apt-key add -

to download and add the key, followed by:

echo "deb [arch=amd64] https://wire-app.wire.com/linux/debian stable main" | sudo tee /etc/apt/sources.list.d/wire-desktop.list

to create the corresponding line in the sources list under /etc/apt/sources.list.d.

For some time now, if you follow these instructions, you get the following warning when you run sudo apt update afterwards:

sudo apt update
...
W: https://wire-app.wire.com/linux/debian/dists/stable/InRelease: key is stored in the deprecated trusted.gpg keyring (/etc/apt/trusted.gpg), see the MISUSE section in apt-key(8) for details.

The messenger Signal has already changed its instructions for adding the repository:

wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg
cat signal-desktop-keyring.gpg | sudo tee -a /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null

These commands download the key and put it in /usr/share/keyrings.

echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt jammy main' | sudo tee -a /etc/apt/sources.list.d/signal-jammy.list

This command adds the correct line to the sources list.

This is the generally recommended procedure, for which there is no graphical implementation or script in Debian yet. In Ubuntu and TUXEDO OS, in addition to the method described here, Ubuntu Software or Plasma Discover can be used to add third-party repositories. We have adapted our instructions for this accordingly.
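
To find entries that still depend on the deprecated global keyring, the following added example (not part of the original TUXEDO, Wire or Signal instructions) scans a directory of .list files and reports every active entry without a signed-by option. The function names audit_sources and make_sample and the sample files are constructed for illustration. It assumes the one-line .list format only, and on a real system the directory would be /etc/apt/sources.list.d.

```shell
#!/bin/sh
# Added example: report active one-line-style APT entries that carry no
# signed-by option. APT checks such entries against every key in the global
# trust store instead of one repository-specific keyring.

# audit_sources DIR: print "FILE:LINE: ENTRY" for each unpinned deb/deb-src
# line in DIR/*.list. Returns 1 if any were found, 0 otherwise.
audit_sources() {
    found=0
    for f in "$1"/*.list; do
        [ -f "$f" ] || continue
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            case $line in
                "deb "*|"deb-src "*) ;;   # active entry
                *) continue ;;            # comment, blank or other line
            esac
            # Options, if any, sit in [...] directly after the type field.
            opts=$(printf '%s\n' "$line" |
                sed -n 's/^[^[:space:]]*[[:space:]]*\[\([^]]*\)\].*/\1/p')
            case " $opts" in
                *" signed-by="*) ;;       # pinned to a keyring
                *) printf '%s:%d: %s\n' "$f" "$n" "$line"; found=1 ;;
            esac
        done < "$f"
    done
    return "$found"
}

# make_sample DIR: constructed input, based on the Wire and Signal entries
# discussed on this page.
make_sample() {
    cat > "$1/wire-desktop.list" <<'EOF'
# constructed sample
deb [arch=amd64] https://wire-app.wire.com/linux/debian stable main
EOF
    cat > "$1/signal-jammy.list" <<'EOF'
deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt jammy main
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_sources "$demo_dir" || echo "entries above rely on the global trust store"
rm -rf "$demo_dir"
```

Only the Wire entry is reported. The Signal entry passes because its signed-by option names a single keyring file.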