-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 diff -Nru ubuntu-keyring-2016.09.01/debian/changelog ubuntu-keyring-2016.09.16/debian/changelog - --- ubuntu-keyring-2016.09.01/debian/changelog 2016-09-01 18:45:52.000000000 +0100 +++ ubuntu-keyring-2016.09.16/debian/changelog 2016-09-16 15:08:31.000000000 +0100 @@ -1,3 +1,14 @@ +ubuntu-keyring (2016.09.16) yakkety; urgency=medium + + * Ship each active key in a separate keyring in /etc/apt/trusted.gpg.d/ + as conffiles for simpler usage of apt-secure(8). + * Remove all active keys from /etc/apt/trusted.gpg as they are shipped + now as fragment files. + * Depend on gpgv and only recommend gnupg. + * Stop calling apt-key update LP: #1619444 + + -- Dimitri John Ledkov Fri, 16 Sep 2016 14:36:10 +0100 + ubuntu-keyring (2016.09.01) yakkety; urgency=medium * Depend on "gnupg | gnupg1". LP: #1615039 diff -Nru ubuntu-keyring-2016.09.01/debian/control ubuntu-keyring-2016.09.16/debian/control - --- ubuntu-keyring-2016.09.01/debian/control 2016-09-01 18:44:00.000000000 +0100 +++ ubuntu-keyring-2016.09.16/debian/control 2016-09-16 14:47:00.000000000 +0100 @@ -3,13 +3,14 @@ Priority: optional Maintainer: Michael Vogt Standards-Version: 3.8.3 +Build-Depends: gnupg Package: ubuntu-keyring Priority: important Architecture: all Multi-Arch: foreign - -Depends: gnupg | gnupg1 - -Recommends: gpgv +Depends: gpgv +Recommends: gnupg | gnupg1 Description: GnuPG keys of the Ubuntu archive The Ubuntu project digitally signs its Release files. This package contains the archive keys used for that. diff -Nru ubuntu-keyring-2016.09.01/debian/postinst ubuntu-keyring-2016.09.16/debian/postinst - --- ubuntu-keyring-2016.09.01/debian/postinst 2010-09-30 14:41:21.000000000 +0100 +++ ubuntu-keyring-2016.09.16/debian/postinst 2016-09-16 14:47:00.000000000 +0100 
@@ -1,36 +1,18 @@ #!/bin/sh - -# the keyring in /var that gets fetched by apt-key net-update - -# if it does not yet exist, copy it to avoid uneeded net copy - -KEYRINGDIR="/var/lib/apt/keyrings" - -KEYRING="${KEYRINGDIR}/ubuntu-archive-keyring.gpg" +set -e - -if ! test -d $KEYRINGDIR; then - - mkdir -m 755 -p $KEYRINGDIR - -fi - - - -if ! test -f $KEYRING; then - - cp /usr/share/keyrings/ubuntu-archive-keyring.gpg $KEYRING - - touch $KEYRING - -fi - - - -# sensible default permissions if there is no keyring yet - -# (gpg will use 0600 otherwise and that will break release-upgrades later) - -ETC_KEYRING="/etc/apt/trusted.gpg" - -if [ ! -f $ETC_KEYRING ]; then - - touch $ETC_KEYRING - - chmod 0644 $ETC_KEYRING - -fi - - - -# during maverick we had keyrings created with mode 0600 - -# but this will break tools like update-managers release-downloader - -# because it uses the trusted.gpg keyring to verify the signature (as user) - -if dpkg --compare-versions "$2" lt-nl "2010.+09.30"; then - - chmod 0644 $ETC_KEYRING - -fi - - - -# make sure apt knows about the new keys - -if [ -x /usr/bin/apt-key ]; then - - /usr/bin/apt-key update +if [ "$1" = 'configure' -a -n "$2" ]; then + # remove keys from the trusted.gpg file as they are now shipped in fragment files in trusted.gpg.d + if dpkg --compare-versions "$2" 'lt' "2016.09.16" && which gpg > /dev/null && which apt-key > /dev/null; then + TRUSTEDFILE='/etc/apt/trusted.gpg' + eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) + eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) + if [ -e "$TRUSTEDFILE" ]; then + for KEY in 40976EAF437D05B5 46181433FBB75451 3B4FE6ACC0B21F32 D94AA3F0EFE21092; do + apt-key --keyring "$TRUSTEDFILE" del $KEY > /dev/null 2>&1 || : + done + fi + fi fi diff -Nru ubuntu-keyring-2016.09.01/debian/rules ubuntu-keyring-2016.09.16/debian/rules - --- ubuntu-keyring-2016.09.01/debian/rules 2010-05-27 17:53:12.000000000 +0100 +++ ubuntu-keyring-2016.09.16/debian/rules 2016-09-16 
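Review bot: The one-shot cleanup guarded by `dpkg --compare-versions "$2" 'lt' "2016.09.16" && which gpg > /dev/null && which apt-key > /dev/null` is skipped without any message when gpg is missing, which this same upload makes possible by moving gnupg to Recommends. Every `apt-key ... del` failure is also discarded by `> /dev/null 2>&1 || :`. Because the branch is gated on the previously installed version, it will not run again on a later upgrade, so the old copies stay in trusted.gpg and would remain trusted even if a fragment in trusted.gpg.d is withdrawn later. I would test for the tools separately from the version check and report the skip on stderr, for example `echo "ubuntu-keyring: gpg or apt-key not found; archive keys left in $TRUSTEDFILE" >&2`, and keep stderr from `apt-key del` visible so a failed removal shows up in the upgrade log.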
14:47:00.000000000 +0100 @@ -34,6 +34,12 @@ $(install_file) keyrings/ubuntu-archive-removed-keys.gpg debian/tmp/usr/share/keyrings/ $(install_file) keyrings/ubuntu-master-keyring.gpg debian/tmp/usr/share/keyrings/ + $(install_dir) debian/tmp/etc/apt/trusted.gpg.d/ + gpg --no-default-keyring --keyring ./keyrings/ubuntu-archive-keyring.gpg --output debian/tmp/etc/apt/trusted.gpg.d/ubuntu-keyring-2004-archive.gpg --export 40976EAF437D05B5 + gpg --no-default-keyring --keyring ./keyrings/ubuntu-archive-keyring.gpg --output debian/tmp/etc/apt/trusted.gpg.d/ubuntu-keyring-2004-cdimage.gpg --export 46181433FBB75451 + gpg --no-default-keyring --keyring ./keyrings/ubuntu-archive-keyring.gpg --output debian/tmp/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg --export 3B4FE6ACC0B21F32 + gpg --no-default-keyring --keyring ./keyrings/ubuntu-archive-keyring.gpg --output debian/tmp/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg --export D94AA3F0EFE21092 + $(install_dir) debian/tmp/usr/share/doc/ubuntu-keyring/ $(install_file) README debian/tmp/usr/share/doc/ubuntu-keyring/ $(install_file) debian/changelog debian/tmp/usr/share/doc/ubuntu-keyring/changelog -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJX2/0gAAoJEMrC2LnNLKX59HAIAIzOhboKZL60ckCVZKyDx5ny mPnj5ezAtZGGvOrxnEXM2vsUapE6FcQtp2/ddz5eIcQICygrY/sqjgjKGS7d/3uM dz2nmHKb5k2XU0gbY78b52Fy+ph5NfyDR8cALQuuGwSe/7o5MnqsmG+0PFlpGaqa a1Xb8WsgZH4h9kcGybNKQPQkruTeAGef6D1ova4zk96Blr9152r5y/H2xNgjJRzI 44zw8SjJQaeYy6N3kPyL5PyysnUsjuOkAN/B3IxT/M8KUH3LAWw6hYZtGOs67eZ8 mZ27hjAZmUu9O5aExS4PCKoyD0WuMBrgXQBIP3ltRrQuFOFF5a1y9u3CRd3ZdsI= =5WDX -----END PGP SIGNATURE-----
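Review bot: The four added `gpg ... --export <16-hex id>` lines select each key by its 64-bit key ID and nothing checks what was written, even though every output file becomes an apt trust anchor in /etc/apt/trusted.gpg.d/. Selecting by full fingerprint, e.g. `--export <FULL_40_HEX_FINGERPRINT>` (placeholder, the fingerprints are not on this page), removes any ambiguity about which key is meant; the `for KEY in ...` loop in debian/postinst uses the same short IDs. gpg may only warn rather than fail when an ID matches nothing (worth confirming for the gpg used at build time), so a build-time check that each fragment exists and lists exactly one key would catch a bad export. A comment such as `# each fragment is an apt trust anchor: export by full fingerprint, one key per file` above the block would record the intent. The target these lines belong to starts and ends outside the hunk.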