add-apt-repository should store PGP keys in /usr/share/keyrings because /etc/apt/trusted.gpg.d is deprecated for third party repos

Bug #1933537 reported by m.eik michalke
This bug affects 1 person
Affects: software-properties (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

PPAs are third party repositories. for security reasons, PGP keys for these must not be placed in /etc/apt/trusted.gpg.d, according to this document:

  https://wiki.debian.org/DebianRepository/UseThirdParty

they should instead be saved to /usr/share/keyrings and the generated .list file for the repo added should refer to its particular key by using a [signed-by=/usr/share/keyrings/...] argument. this ensures that the downloaded PGP key will only be used to verify a particular repository and is not globally available to verify package lists of all configured repositories (as are all keys found in /etc/apt/trusted.gpg.d).

please fix add-apt-repository accordingly.

Ubuntu 20.04.2 LTS
software-properties-common 0.98.9.5
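
The key scoping described in this report can be checked on a system with a short audit. The script below is an added example, not part of the bug report or of software-properties; it covers only one-line `.list` entries, and the function names, repository URLs and key file names are hypothetical, constructed values.

```shell
#!/bin/sh
# Added example: report which one-line-format APT entries pin a key with
# signed-by and which keyrings are trusted globally.

# audit_sources DIR: one result line per deb/deb-src entry in DIR/*.list
audit_sources() (
    for f in "$1"/*.list; do
        [ -e "$f" ] || continue
        awk -v file="${f##*/}" '
            $1 == "deb" || $1 == "deb-src" {
                key = ""
                s = index($0, "["); e = index($0, "]")
                if ($2 ~ /^\[/ && e > s) {          # option block present
                    n = split(substr($0, s + 1, e - s - 1), kv, " ")
                    for (i = 1; i <= n; i++)
                        if (index(kv[i], "signed-by=") == 1)
                            key = substr(kv[i], 11)
                }
                if (key == "") print "UNSCOPED " file ":" FNR
                else           print "SCOPED " file ":" FNR " " key
            }' "$f"
    done
)

# global_keys DIR: keyrings in a trusted.gpg.d-style directory; APT accepts
# each of them for every repository that has no signed-by option.
global_keys() (
    for f in "$1"/*.gpg "$1"/*.asc; do
        [ -e "$f" ] && echo "GLOBAL ${f##*/}"
    done
    exit 0
)

# Constructed sample data (hypothetical repositories and key names).
demo=$(mktemp -d)
mkdir -p "$demo/sources.list.d" "$demo/trusted.gpg.d"
printf '%s\n' 'deb http://ppa.example.invalid/foo/ubuntu focal main' \
    > "$demo/sources.list.d/foo.list"
printf '%s\n' '# constructed entry with a scoped key' \
    'deb [arch=amd64 signed-by=/usr/share/keyrings/bar.gpg] https://repo.example.invalid/bar stable main' \
    > "$demo/sources.list.d/bar.list"
: > "$demo/trusted.gpg.d/foo.gpg"

audit_sources "$demo/sources.list.d"
global_keys "$demo/trusted.gpg.d"
```

On a real system the two functions would be pointed at /etc/apt/sources.list.d and /etc/apt/trusted.gpg.d; every UNSCOPED entry is verified against all GLOBAL keyrings.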

Brett Holman (holmanb) wrote :

This is a duplicate of LP#1862764
