-
Notifications
You must be signed in to change notification settings - Fork 0
/
Dev%2FAPT.mw
79 lines (59 loc) · 4.72 KB
/
Dev%2FAPT.mw
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
{{Header}}
{{title|
title=APT Signing Key Folders and Other Development Notes
}}
{{#seo:
|description=/etc/apt/trusted.gpg, /etc/apt/trusted.gpg.d, /usr/share/keyrings
}}
{{intro|
/etc/apt/trusted.gpg, /etc/apt/trusted.gpg.d, /usr/share/keyrings
}}
= APT Keyring Folders =
APT by default considers only signing keys in:
* file <code>/etc/apt/trusted.gpg</code>
* folder <code>/etc/apt/trusted.gpg.d</code>
Signing keys in folder <code>/usr/share/keyrings</code> are ignored by default by APT, unless the <code>signed-by</code> keyword is used in APT sources files (i.e. in configuration file <code>/etc/apt/sources.list</code> or in configuration snippet drop-in folder <code>/etc/apt/sources.list.d</code>).
Example <code>signed-by</code> keyword use:
<pre>
[signed-by=/usr/share/keyrings/derivative.asc]
</pre>
Example of complete deb line with <code>signed-by</code> keyword.
<pre>
deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bullseye main contrib non-free
</pre>
= Repository Migration =
== Which project and which version comes with which repositories enabled by default? ==
* Kicksecure builds earlier than version 16.0.5.0 come with: <code>deb.whonix.org</code>
* Kicksecure builds version 16.0.5.0 come with: <code>deb.kicksecure.com</code>
* Whonix builds earlier than version 16.0.5.0 come with: <code>deb.whonix.org</code>
* Whonix builds version 16.0.5.0 come with: <code>deb.kicksecure.com</code> + <code>deb.whonix.org</code>
== Which repositories contain what packages? ==
* <u>Legacy</u>:
** 16 and below: Mixing. Legacy. For migration purposes. Both, <code>deb.kicksecure.com</code> and <code>deb.whonix.org</code> contain all packages, i.e. contain both, all Kicksecure and all Whonix packages.
* <u>Future</u>:
** 17 and above: Clean separation. <code>deb.kicksecure.com</code> will contain only all Kicksecure packages and no packages of other derivatives.
*** To accomplish that, in https://github.com/{{project_name_short}}/developer-meta-files/blob/master/usr/bin/dm-reprepro-wrapper#L50 the only thing to be removed is <code>for derivative_name_item in $derivative_name_list ; do</code> (and <code>done</code>).
== changed its 'Origin' value from 'whonix' to 'kicksecure' ==
https://github.com/{{project_name_short}}/derivative-maker/blob/master/aptrepo_remote/kicksecure/conf/distributions is still using old <code>Origin</code> and <code>Label</code> values. This is to avoid the following error during "sudo apt update".
<pre>
E: Repository 'tor+https://deb.kicksecure.com bullseye InRelease' changed its 'Origin' value from 'whonix' to 'kicksecure'
E: Repository 'tor+https://deb.kicksecure.com bullseye InRelease' changed its 'Label' value from 'Whonix' to 'Kicksecure'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.
</pre>
* This is avoid users updates getting more complicated by seeing above error message and needing to use <code>sudo apt update --allow-releaseinfo-change</code> to resolve it.
* Origin and Label needs to be to be changed in {{project_name_long}} 17 (actually 18) in above file once the Kicksecure repository for Debian <code>bookworm</code> based becomes available. This will be done during [[Release Upgrade]].
== Why does Kicksecure use Origin whonix? ==
* version 16 and below: For legacy compatibility.
** Technical detail: For the longest time, for most users <code>deb.kicksecure.com</code> was a mirror of <code>deb.whonix.org</code>. Hence used <code>Origin</code> <code>whonix</code>. To keep the amount of user confusion lowest, fewest users being affected it was decided to keep it that way until the release upgrade for version 16 (Debian <code>Origin</code> based) becomes available. Unfortunately those users who upgraded fastest saw the `Origin`/`Label` change.
* version 17 above: No more legacy. Kicksecure will use <code>Origin</code> <code>kicksecure</code>.
== Background on Debian APT Origin and Label ==
When Debian's APT sees for the first time a repository, it notes its <code>Origin</code> and <code>Label</code> fields. Should these change, Debian will show a warning/question and not proceed using any repository with a changed <code>Origin</code> or <code>Label</code> until the user accepts the change using <code>sudo apt update --allow-releaseinfo-change</code>.
== Forum Discussion ==
https://forums.whonix.org/t/e-repository-tor-https-deb-kicksecure-com-bullseye-inrelease-changed-its-origin-value-from-kicksecure-to-whonix/13810
= See Also =
* [[Dev/APT Pinning]]
* [[Dev/APT Repository]]
* [https://forums.whonix.org/t/apt-repository-signing-keys-per-apt-sources-list-signed-by/12302 <code>signed-by</code> keyword forum discussion]
{{reflist|close=1}}
{{Footer}}
[[Category:Design]] [[Category:Development]]