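Follow these steps and you can run apt update without warnings or errors related to deprecated key configuration.
This morning, after returning home from a short vacation, I decided to run apt update and apt upgrade from the command line, just to see whether there had been any updates while I was offline. After issuing the update command, something didn't seem quite right; I was seeing messages along the lines of: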
W: https://updates.example.com/desktop/apt/dists/xenial/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
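Granted, it's only a warning, but it still contains that scary word, deprecation, which usually means something is going away soon. So I figured I should take a look. Based on what I found, I think my experience is worth sharing.
It turned out that I had old configurations for some repositories, relics of installation procedures from "the old days", that needed adjusting. Following the hint in the warning message, I ran man apt-key on the command line, which provided several interesting bits of information. Near the beginning of the man page: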
apt-key is used to manage the list of keys used by apt to authenticate packages. Packages which have been authenticated using these keys are considered trusted.
Use of apt-key is deprecated, except for the use of apt-key del in maintainer scripts to remove existing keys from the main keyring. If such usage of apt-key is desired, the additional installation of the GNU Privacy Guard suite (packaged in gnupg) is required.
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
Last available in "Debian 11 and Ubuntu 22.04" is pretty much right now for me. Time to fix this!
Further on in the man page is the DEPRECATION section mentioned in the apt update warning:
DEPRECATION
Except for using apt-key del in maintainer scripts, the use of apt-key is deprecated. This section shows how to replace the existing use of apt-key.
If your existing use of apt-key add looks like this:
wget -qO- https://myrepo.example/myrepo.asc | sudo apt-key add -
Then you can directly replace this with (though note the recommendation below):
wget -qO- https://myrepo.example/myrepo.asc | sudo tee /etc/apt/trusted.gpg.d/myrepo.asc
Make sure to use the "asc" extension for ASCII armored keys and the "gpg" extension for the binary OpenPGP format (also known as "GPG key public ring"). The binary OpenPGP format works for all apt versions, while the ASCII armored format works for apt version >= 1.4.
Recommended: Instead of placing keys into the /etc/apt/trusted.gpg.d directory, you can place them anywhere on your filesystem by using the Signed-By option in your sources.list and pointing to the filename of the key. See sources.list(5) for details. Since APT 2.4, /etc/apt/keyrings is provided as the recommended location for keys not managed by packages. When using a deb822-style sources.list, and with apt version >= 2.4, the Signed-By option can also be used to include the full ASCII armored keyring directly in the sources.list without an additional file.
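If, like me, you have keys from non-repository sources that were added with apt-key, here are the steps for the transition:
- Determine which keys are in the apt-key keyring /etc/apt/trusted.gpg
- Remove them
- Find and install replacement keys in /etc/apt/trusted.gpg.d/ or in /etc/apt/keyrings/
1. Find the old keys
The command apt-key list shows the keys in /etc/apt/trusted.gpg: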
$ sudo apt-key list
[sudo] password:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2017-04-05 [SC]
DBE4 6B52 81D0 C816 F630 E889 D980 A174 57F6 FB86
uid [ unknown] Example <support@example.com>
sub rsa4096 2017-04-05 [E]
pub rsa4096 2016-04-12 [SC]
EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
uid [ unknown] Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub rsa4096 2021-10-26 [S] [expires: 2024-10-25]
[...]
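After that, it also shows the keys held in files in the /etc/apt/trusted.gpg.d folder.
2. Remove the old keys
The groups of four hexadecimal digits, for example DBE4 6B52...FB86, are the identifier needed to delete an unwanted key:
$ sudo apt-key del "DBE4 6B52 81D0 C816 F630 E889 D980 A174 57F6 FB86"
This deletes the Example key. That really is just an example; in reality, you would remove the keys that actually exist. For example, I ran the same command for each of the real keys on my system, including the keys for Google, Signal, and Ascensio. The keys on your system will vary, depending on what you have installed.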
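Steps 1 and 2 can be scripted so that only keys in the legacy keyring are selected and keys already in /etc/apt/trusted.gpg.d are left alone. The following is an added example, not part of the original article; the sample listing is constructed (the third fingerprint and its uid are made up), and the script only prints the removal commands for review.

```shell
#!/bin/sh
# Added example: find the keys that still live in the legacy keyring.

# Constructed sample of `apt-key list` output: two keys in the legacy
# /etc/apt/trusted.gpg (fingerprints as shown in the article's listing) and
# one in trusted.gpg.d (made-up fingerprint) that must be left alone.
sample_listing() {
cat <<'EOF'
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2017-04-05 [SC]
      DBE4 6B52 81D0 C816 F630  E889 D980 A174 57F6 FB86
uid           [ unknown] Example <support@example.com>
sub   rsa4096 2017-04-05 [E]

pub   rsa4096 2016-04-12 [SC]
      EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
uid           [ unknown] Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid           [ unknown] Constructed Archive Key <archive@example.com>
EOF
}

# Read `apt-key list` output on stdin; print the fingerprint (spaces removed)
# of every key listed under /etc/apt/trusted.gpg and nowhere else.
legacy_fingerprints() {
    awk '
        /^\// { legacy = ($0 == "/etc/apt/trusted.gpg"); next }
        legacy {
            fp = $0
            gsub(/[ \t]/, "", fp)
            # A v4 OpenPGP fingerprint is 40 uppercase hex digits.
            if (length(fp) == 40 && fp !~ /[^0-9A-F]/) print fp
        }
    '
}

# Print, for review, one removal command per legacy key (nothing is executed).
removal_commands() {
    legacy_fingerprints | sed 's/^/sudo apt-key del /'
}

sample_listing | removal_commands
```

On a real system, feed it with sudo apt-key list 2>/dev/null | removal_commands and read the output before running any of it.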
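3. Add the keys
Obtaining replacement keys depends on the application. For example, Open Whisper offers its key and an explanation of how to install it, which I decided not to follow because it puts the key in /usr/share/keyrings. Instead, I did this: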
$ wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg
$ sudo mv signal-desktop-keyring.gpg /etc/apt/trusted.gpg.d/
$ sudo chown root:root /etc/apt/trusted.gpg.d/signal-desktop-keyring.gpg
$ sudo chmod ugo+r /etc/apt/trusted.gpg.d/signal-desktop-keyring.gpg
$ sudo chmod go-w /etc/apt/trusted.gpg.d/signal-desktop-keyring.gpg
Ascensio also provides instructions for installing OnlyOffice, including how to handle the GPG key. Again, I modified their instructions to suit my needs:
$ gpg --no-default-keyring --keyring gnupg-ring:~/onlyoffice.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5
$ sudo mv onlyoffice.gpg /etc/apt/trusted.gpg.d/
$ sudo chown root:root /etc/apt/trusted.gpg.d/onlyoffice.gpg
$ sudo chmod ugo+r /etc/apt/trusted.gpg.d/onlyoffice.gpg
$ sudo chmod go-w /etc/apt/trusted.gpg.d/onlyoffice.gpg
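As for the Google key, it is managed (correctly, it seems) through the .deb package, so a simple reinstall with dpkg -i took care of it. In the end, I wound up with this: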
$ ls -l /etc/apt/trusted.gpg.d
total 24
-rw-r--r-- 1 root root 7821 Sep 2 10:55 google-chrome.gpg
-rw-r--r-- 1 root root 2279 Sep 2 08:27 onlyoffice.gpg
-rw-r--r-- 1 root root 2223 Sep 2 08:02 signal-desktop-keyring.gpg
-rw-r--r-- 1 root root 2794 Mar 26 2021 ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 26 2021 ubuntu-keyring-2018-archive.gpg
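The two things step 3 has to get right are the man page's rule that the file extension matches the key format (.asc for ASCII armor, .gpg for binary OpenPGP) and the permissions set with chmod. The following added example, not part of the original article, checks both for a key file; the demo files are constructed placeholders rather than real keys, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a key file before apt is asked to trust it.

# Print "asc" for an ASCII-armored public key, "gpg" for binary OpenPGP data,
# "unknown" for anything else (for instance a GnuPG keybox file).
key_format() {
    if head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo asc
        return
    fi
    first=$(od -An -tu1 -N1 "$1" | tr -d ' \n')
    # Every OpenPGP packet header byte has its top bit set (value >= 128).
    if [ -n "$first" ] && [ "$first" -ge 128 ]; then echo gpg; else echo unknown; fi
}

# Print one verdict for a key file: the extension must match the content
# (the man page's .asc/.gpg rule) and group/other must not have write access.
check_key_file() {
    fmt=$(key_format "$1")
    perms=$(ls -ld "$1" | cut -c6,9)   # group-write and other-write flags
    if [ "$fmt" = unknown ]; then echo unsupported-format
    elif [ "${1##*.}" != "$fmt" ]; then echo extension-mismatch
    elif [ "$perms" != "--" ]; then echo writable-by-others
    else echo ok
    fi
}

# Constructed demo files in a scratch directory (not real keys).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' 'constructed' > "$demo_dir/armored.asc"
printf '\231\001\015constructed' > "$demo_dir/binary.gpg"
cp "$demo_dir/armored.asc" "$demo_dir/wrong-ext.gpg"
cp "$demo_dir/binary.gpg" "$demo_dir/loose.gpg"
chmod 644 "$demo_dir"/*
chmod 664 "$demo_dir/loose.gpg"

for f in "$demo_dir"/*; do
    printf '%s: %s\n' "${f##*/}" "$(check_key_file "$f")"
done
```

The check looks only at the first bytes and the mode bits; it does not verify that the key is the one the vendor published, so the fingerprint still has to be compared against the vendor's documentation.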
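Expired keys
The last problem I ran into came from an outdated QGIS installation. The key had expired, and I had set it up to be managed by apt-key. In the end, I followed their instructions exactly, both installing the new key in /etc/apt/keyrings and setting up the /etc/apt/sources.list.d/qgis.sources installation configuration in the format they suggest.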
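A key placed in /etc/apt/keyrings is only used when a source names it with Signed-By; a source without Signed-By is checked against every key apt trusts globally (/etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d). The following added example, not part of the original article or of the QGIS instructions, lists deb822 stanzas that lack the option; the repository URIs and the keyring file name are constructed.

```shell
#!/bin/sh
# Added example: flag deb822 stanzas that are not pinned to a key file.

# Constructed .sources content: the first stanza is pinned with Signed-By,
# the second is not and so relies on whatever keys apt trusts globally.
sample_sources() {
cat <<'EOF'
Types: deb
URIs: https://updates.example.com/desktop/apt
Suites: xenial
Components: main
Signed-By: /etc/apt/keyrings/example-keyring.gpg

# constructed second repository without a key pin
Types: deb
URIs: https://myrepo.example/apt
Suites: stable
Components: main
EOF
}

# Read deb822 sources on stdin; print the URIs of each stanza lacking Signed-By.
unpinned_uris() {
    awk '
        BEGIN { RS = ""; FS = "\n" }   # one record per blank-line-separated stanza
        {
            uris = ""; pinned = 0
            for (i = 1; i <= NF; i++) {
                name = tolower($i)
                if (name ~ /^uris:/) { uris = $i; sub(/^[^:]*:[ \t]*/, "", uris) }
                if (name ~ /^signed-by:/) pinned = 1
            }
            if (uris != "" && !pinned) print uris
        }
    '
}

sample_sources | unpinned_uris
```

To audit a real system, run cat /etc/apt/sources.list.d/*.sources | unpinned_uris; one-line .list entries use the [signed-by=...] option instead and are not covered by this check.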
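Linux system maintenance
Now you can run apt update without warnings or errors related to deprecated key configuration. We apt users just need to remember to adjust any old installation instructions that depend on apt-key. Instead of using apt-key, you must install a key to /etc/apt/trusted.gpg.d/ or /etc/apt/keyrings/, using gpg as needed.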