add-apt-repository should use signed-by

Bug #1862764 reported by Dimitri John Ledkov
This bug affects 13 people
Affects                       Status        Importance   Assigned to   Milestone
python-apt (Ubuntu)           Fix Released  Undecided    Unassigned
software-properties (Debian)  New           Unknown
software-properties (Ubuntu)  Fix Released  Undecided    Unassigned

Bug Description

add-apt-repository should use signed-by

apt sources.list syntax supports limiting which keys are used to sign a given repo.

It would be nice for add-apt-repository to import the key somewhere other than trusted.gpg.d and then specify the path to it using the "signed-by" field.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: software-properties-common 0.98.6
ProcVersionSignature: Ubuntu 5.4.0-1002.4-oem 5.4.8
Uname: Linux 5.4.0-1002-oem x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu16
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Tue Feb 11 12:01:49 2020
InstallationDate: Installed on 2016-01-26 (1477 days ago)
InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Alpha amd64 (20160125)
PackageArchitecture: all
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: software-properties
UpgradeStatus: Upgraded to focal on 2019-01-15 (391 days ago)
modified.conffile..etc.default.apport: [modified]
mtime.conffile..etc.default.apport: 2020-01-10T16:24:15.968394

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in software-properties (Ubuntu):
status: New → Confirmed
Torsten Bronger (bronger) wrote :

According to https://wiki.debian.org/DebianRepository/UseThirdParty I have to put third-party keys in /usr/share/keyrings, but a command like

add-apt-repository -y "deb [signed-by=/usr/share/keyrings/mykey.gpg] https://my.repo/ impish main"

fails. If I understand correctly, this means that add-apt-repository cannot be used for third-party repos (at least not according to Debian’s security standards).

Nelson (zirephoenix) wrote (last edit ):

add-apt-repository also silently deletes the [trusted=yes] option, which is appropriate but undocumented. There needs to be clearer documentation on what options work and what doesn't. Hopefully all options are supported.

Ashley Waite (phidaissi) wrote :

The 'signed-by' field is not supported in the python-apt classes that are used by add-apt-repository and the gui software-properties.

- When adding a new source there's no argument to provide 'signed-by' or 'trusted' options, so those cannot be added via add-apt-repository or the gui software-properties until that is corrected, and this omission appears to exist upstream:
https://git.launchpad.net/python-apt/tree/aptsources/sourceslist.py#n309

- Adding 'signed-by' to the output of the sources so it gets written to the sources list would be needed:
https://git.launchpad.net/python-apt/tree/aptsources/sourceslist.py#n232

- And then it'll get ignored when subsequently reading the sources list, as any option fields present other than 'arch' and 'trusted' result in the line being flagged as invalid. This results in the source not being listed in the software-properties sources list, and that's actually how I ended up here: trying to work out if that failure to display had been reported as a bug yet.
So that too needs to be updated:
https://git.launchpad.net/python-apt/tree/aptsources/sourceslist.py#n196

These three changes all appear to be upstream, and navigating the Debian site was not as straightforward as here, so I'm not really clear on where to submit a patch to make it happen, nor how easy it would be to pull back here, so I figured I could throw the details here for someone that's more familiar with that!

fermulator (fermulator) wrote :

Can confirm all of the above.

https://fostips.com/apt-key-deprecated-right-way-add-repository
https://www.north-47.com/knowledge-base/how-to-securely-install-apps-on-debian-based-linux-distros/

With apt-key being deprecated and a transition to more secure (better) restriction of repository trust via "signed-by", we definitely need add-apt-repository to support this ASAP.

After Ubuntu 20.04 apt-key will no longer be present and well before the next LTS we need tooling/documentation to leverage the new recommended approach.

Julian Alarcon (julian-alarcon) wrote :

I'm on Ubuntu 22.04 and I'm getting the warning of deprecated location for keys multiple times.

I know that for now I can ignore it, but I'm pretty sure that a lot of people are using PPAs/external repos and will be scared of the warnings.

Changed in software-properties (Debian):
status: Unknown → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-apt (Ubuntu):
status: New → Confirmed
Marcos Ferreira (marcosfs93) wrote (last edit ):

I started using Ubuntu 22.04 and this issue started to occur.

The 'add-apt-repository' command adds the gpg key of the PPA repository to the trusted.gpg file (/etc/apt/trusted.gpg).

As commented above, the PPA repositories are not being included in the sources.list file (/etc/apt/sources.list) or in the directory /etc/apt/sources.list.d/<repo-name> with the parameter [signed-by=].

Workaround:
Until the fix comes, the way is to adapt the repository like this:
1- $ sudo add-apt-repository ppa:author/project
2- $ apt-key list
3- $ sudo apt-key export <repository-fingerprint> | sudo gpg --dearmor -o /usr/share/keyrings/<repo-name>.gpg
   (apt-key export reads the key from apt's own keyring; a plain gpg --export would look in the user's ~/.gnupg keyring, which does not contain it)
4- $ sudo nano /etc/apt/sources.list.d/repository-name.list
5- Find & Replace:
deb http://ppa.launchpad.net/author/project/ubuntu jammy main
by
deb [signed-by=/usr/share/keyrings/<repo-name>.gpg] http://ppa.launchpad.net/author/project/ubuntu jammy main

6- Save the changes and run 'sudo apt update' again
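
The option-field handling described in Ashley Waite's comment above and the line rewrite in step 5 of this workaround, as an added Python example that is not python-apt's or software-properties' own code: a small parser for one-line sources entries with a strict mode that reproduces the reported "only arch and trusted are accepted" failure, and a helper that pins an existing entry to a keyring. The sample file contents, the keyring path /usr/share/keyrings/author-project.gpg and the function names are constructed for the example.

```python
import re

# Option keys that the legacy one-line parser is described (in the comments
# above) as accepting; anything else makes it flag the whole line invalid.
LEGACY_ACCEPTED_OPTIONS = {"arch", "trusted"}

# Constructed sample: the PPA line from the workaround steps above, plus a
# second entry that already carries option fields.
SAMPLE_LIST = """\
# constructed sample sources.list.d file
deb http://ppa.launchpad.net/author/project/ubuntu jammy main
deb [arch=amd64 trusted=yes] https://my.repo/ impish main
"""


class SourceLineError(ValueError):
    """Raised for lines that are not valid one-line-style sources."""


_LINE_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+"
    r"(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<dist>\S+)"
    r"(?:\s+(?P<comps>.*))?$"
)


def parse_source_line(line, strict=False):
    """Parse one 'deb [opt=val ...] uri suite comp...' line.

    Returns None for blank/comment lines, otherwise a dict. With
    strict=True, options outside LEGACY_ACCEPTED_OPTIONS raise, which
    mirrors the failure mode reported in this bug.
    """
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    m = _LINE_RE.match(text)
    if not m:
        raise SourceLineError("not a one-line source entry: %r" % line)
    options = {}
    for token in (m.group("opts") or "").split():
        if "=" not in token:
            raise SourceLineError("malformed option %r in %r" % (token, line))
        key, value = token.split("=", 1)
        options[key] = value
    if strict:
        unknown = sorted(set(options) - LEGACY_ACCEPTED_OPTIONS)
        if unknown:
            raise SourceLineError("unsupported option(s): %s" % ", ".join(unknown))
    comps = m.group("comps")
    return {
        "type": m.group("type"),
        "options": options,
        "uri": m.group("uri"),
        "dist": m.group("dist"),
        "comps": comps.split() if comps else [],
    }


def format_source_line(entry):
    """Serialise an entry back into one-line syntax (options in insertion order)."""
    parts = [entry["type"]]
    if entry["options"]:
        parts.append("[" + " ".join("%s=%s" % kv for kv in entry["options"].items()) + "]")
    parts += [entry["uri"], entry["dist"]] + entry["comps"]
    return " ".join(parts)


def add_signed_by(line, keyring):
    """Pin `line` to the keyring at `keyring` (step 5 of the workaround above).

    trusted=yes tells apt to skip signature verification for the source,
    which would defeat the pinned keyring, so it is dropped when present.
    Comment-only and blank lines are returned unchanged.
    """
    entry = parse_source_line(line)
    if entry is None:
        return line
    entry["options"].pop("trusted", None)
    entry["options"]["signed-by"] = keyring
    return format_source_line(entry)


def rewrite_sources(text, keyring):
    """Apply add_signed_by to every entry in a sources file's contents."""
    return "\n".join(add_signed_by(l, keyring) for l in text.splitlines()) + "\n"


if __name__ == "__main__":
    print(rewrite_sources(SAMPLE_LIST, "/usr/share/keyrings/author-project.gpg"))
```

Run stand-alone it prints the sample file with every entry pinned; in the strict mode, the line Torsten Bronger tried above is rejected with "unsupported option(s): signed-by", which is the behaviour the comments describe.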

Julian Andres Klode (juliank) wrote :

My goal would be to switch to deb822 sources for this with the key embedded in the .sources file.

We're still missing the ability to edit those files graphically however, that needs to be implemented first.

Zara (zara-zaimeche) wrote (last edit ):

We encountered this with an Ubuntu system using salt, which uses the python-apt package. We have sent a report and patch to python-apt upstream. The package is maintained by Debian, and we are uncertain whether Debian will consider it a bug, if these options are only used by Ubuntu. There wasn't any better place we could find to send a patch, though.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051852

Julian Andres Klode (juliank) wrote (last edit ):

This was fixed a couple of months ago for PPAs and I think other shortcuts; they now use deb822 .sources files with the Signed-By parameter.

Changed in software-properties (Ubuntu):
status: Confirmed → Fix Released
Changed in python-apt (Ubuntu):
status: Confirmed → Fix Released
Julian Andres Klode (juliank) wrote :

Note that as we move towards deb822 everywhere there will be fewer issues of that sort, as the deb822 backend recognizes every option (even unknown ones) and software-properties allows you to edit all of them.
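
The deb822 .sources layout with Signed-By that the two comments above refer to, as an added Python example rather than code from software-properties, python-apt or apt: a renderer that writes either a keyring path or an ASCII-armored key into the Signed-By field (continuation lines prefixed with a space, blank lines inside the key written as " ."), and a stanza parser that, like the deb822 backend described above, keeps every field including ones it does not know. The key block is an obvious placeholder, and the function names are assumptions.

```python
# Constructed placeholder: a real key would be the armored output of
# `gpg --armor --export <fingerprint>`; this only stands in for it.
PLACEHOLDER_ARMORED_KEY = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBPLACEHOLDERKEYMATERIALxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
=PLCH
-----END PGP PUBLIC KEY BLOCK-----
"""


def deb822_source(types, uris, suites, components, signed_by, architectures=None):
    """Render one deb822 stanza for /etc/apt/sources.list.d/<name>.sources.

    `signed_by` is either a keyring path or an ASCII-armored key block. The
    key is embedded as a multi-line field: each line of the key is indented
    by one space, and empty lines inside it are written as a space and a dot.
    """
    lines = [
        "Types: " + " ".join(types),
        "URIs: " + " ".join(uris),
        "Suites: " + " ".join(suites),
    ]
    if components:
        lines.append("Components: " + " ".join(components))
    if architectures:
        lines.append("Architectures: " + " ".join(architectures))
    if signed_by.lstrip().startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        lines.append("Signed-By:")
        for key_line in signed_by.strip().splitlines():
            lines.append(" " + (key_line if key_line.strip() else "."))
    else:
        lines.append("Signed-By: " + signed_by)
    return "\n".join(lines) + "\n"


def parse_deb822_stanza(text):
    """Parse one stanza into a dict of field name -> value.

    Unknown field names are kept rather than invalidating the stanza, and
    multi-line values (continuation lines starting with whitespace) are
    reassembled, with ' .' turned back into an empty line.
    """
    fields = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue  # stanza separator or trailing blank line
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field: %r" % raw)
            cont = raw[1:]
            fields[current].append("" if cont.strip() == "." else cont)
        else:
            name, sep, value = raw.partition(":")
            if not sep:
                raise ValueError("malformed deb822 line: %r" % raw)
            current = name.strip()
            fields[current] = [value.strip()]
    return {name: "\n".join(parts).strip("\n") for name, parts in fields.items()}


if __name__ == "__main__":
    stanza = deb822_source(
        ["deb"], ["http://ppa.launchpad.net/author/project/ubuntu"], ["jammy"],
        ["main"], PLACEHOLDER_ARMORED_KEY,
    )
    print(stanza)
    print(parse_deb822_stanza(stanza + "X-Custom: kept\n"))
```

Embedding the key in the .sources file keeps the repository and its trust anchor in one unit, so removing the file removes the key with it; a Signed-By path to a keyring works in the same field when the key is managed separately.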

Zara (zara-zaimeche) wrote :

Thank you for the additional context! That seems like it will solve the problem on newer releases of Ubuntu; am I right in thinking that older releases would still suffer from the gap between python-apt and sources.list? We encountered the issue on focal (20.04).
