Score:5

What is the right place to put keyrings for repositories

ml flag

If I google how to install some software, for example wine, I see instructions to save the public key under /usr/share/keyrings/ and then to add a repository. But if I open a repository source file, there is a reference to another location of the public key: Signed-By: /etc/apt/keyrings.

For example, here https://www.tecmint.com/install-wine-in-ubuntu/ first you need to download a public key and put it in /usr/share/keyrings:

sudo wget -nc -O /usr/share/keyrings/winehq-archive.key https://dl.winehq.org/wine-builds/winehq.key

And then the public key is referenced in another location, /etc/apt/keyrings:

sudo wget -nc -P /etc/apt/sources.list.d/ https://dl.winehq.org/wine-builds/ubuntu/dists/jammy/winehq-jammy.sources

In winehq-jammy.sources:

Signed-By: /etc/apt/keyrings/winehq-archive.key

Why is that, and how is it working?

And why is the public key not dearmored?

gpg --dearmor
de flag
[this answer](https://stackoverflow.com/a/71384057/2351568) explains it kind of well.
Score:3
vn flag

Different guides point to different locations. This is because both locations will work, and actually it's up to you to decide where you put them.

But it seems that particular guide is wrong, since it says you should put the keyring in /usr/share/keyrings/, but then points to /etc/apt/keyrings/ in the sources file. You should choose one or the other - mixing the two is definitely wrong. (You could probably write to TecMint and point out the error in their article.)

The manpage for sources.list (invoked by man sources.list) actually mentions these locations in the following section:

THE DEB AND DEB-SRC TYPES: OPTIONS

  • Signed-By (signed-by) is an option to require a repository to pass apt-secure(8) verification with a certain set of keys rather than all trusted keys apt has configured. It is specified as a list of absolute paths to keyring files (have to be accessible and readable for the _apt system user, so ensure everyone has read-permissions on the file) and fingerprints of keys to select from these keyrings. The recommended locations for keyrings are /usr/share/keyrings for keyrings managed by packages, and /etc/apt/keyrings for keyrings managed by the system operator. If no keyring files are specified the default is the trusted.gpg keyring and all keyrings in the trusted.gpg.d/ directory (...)

However, there is no clear definition of what exactly is meant by "managed by packages" and "managed by system operator". To me, this indicates there is no definite right or wrong here (since it's only a recommendation), except it should be consistent between where you put the keys and where you refer to them in the sources file.

However, I think it's logical to put apt keyrings under the /etc/apt/ folder, whereas keyrings for other purposes of an application could be put under /usr/share/keyrings. In addition, apt has another folder called /etc/apt/trusted.gpg.d/, where the trusted keyrings for Ubuntu are stored (which is also mentioned in the manpage).

Also, read here about why GPG keys are ASCII-armored - this is also a choice completely left to the issuer (I've seen both armored and binary public keys).
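The consistency point above (key saved in one directory, Signed-By pointing at the other) is easy to check mechanically. The script below is an added example, not code from the question, the answer or the TecMint article: it parses the Signed-By line of a deb822 .sources file, counts keyring paths that do not exist or are not readable, and tells armored from binary key files. The temporary directory tree, the placeholder key contents and the winehq file names it builds are constructed for the demo, and the helper names (signed_by_missing, is_armored, make_tree, demo_*) are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): check that every keyring path
# named in a .sources file's Signed-By line really exists and is readable, which
# is exactly what goes wrong when the key is saved under /usr/share/keyrings but
# the sources file points at /etc/apt/keyrings. All paths below are constructed.

# signed_by_missing FILE
# Prints the number of Signed-By keyring paths in FILE that are missing or
# unreadable. Fingerprints listed next to paths are skipped (they are not files).
# Any non-zero count means apt cannot verify that repository's Release file.
signed_by_missing() {
    missing=0
    for entry in $(sed -n 's/^Signed-By:[[:space:]]*//p' "$1"); do
        case "$entry" in
            /*) [ -r "$entry" ] || missing=$((missing + 1)) ;;
        esac
    done
    echo "$missing"
}

# is_armored FILE: exit 0 if FILE is an ASCII-armored OpenPGP block, 1 if binary.
# Both forms are seen in the wild, as the answer notes.
is_armored() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP'
}

# make_tree KEYDIR: build a throwaway tree under a temp directory, write a
# constructed (fake) armored key under KEYDIR, and a .sources file whose
# Signed-By points at etc/apt/keyrings, mirroring the guide in the question.
# Prints the tree root so the caller can inspect and delete it.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/$1" "$root/etc/apt/keyrings" "$root/etc/apt/sources.list.d"
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' \
        '(constructed placeholder, not a real key)' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$root/$1/winehq-archive.key"
    cat > "$root/etc/apt/sources.list.d/winehq-jammy.sources" <<EOF
Types: deb
URIs: https://dl.winehq.org/wine-builds/ubuntu
Suites: jammy
Components: main
Signed-By: $root/etc/apt/keyrings/winehq-archive.key
EOF
    echo "$root"
}

# The guide's layout: key in usr/share/keyrings, Signed-By in etc/apt/keyrings.
# Prints 1 (one keyring apt would fail to find).
demo_mismatch() {
    root=$(make_tree usr/share/keyrings)
    signed_by_missing "$root/etc/apt/sources.list.d/winehq-jammy.sources"
    rm -rf "$root"
}

# Consistent layout: operator-managed key in etc/apt/keyrings, where Signed-By
# points. Prints 0.
demo_consistent() {
    root=$(make_tree etc/apt/keyrings)
    signed_by_missing "$root/etc/apt/sources.list.d/winehq-jammy.sources"
    rm -rf "$root"
}

# Reports whether the constructed key file is armored or binary. Prints "armored".
demo_key_form() {
    root=$(make_tree etc/apt/keyrings)
    if is_armored "$root/etc/apt/keyrings/winehq-archive.key"; then
        echo armored
    else
        echo binary
    fi
    rm -rf "$root"
}

echo "guide layout, missing keyrings: $(demo_mismatch)"
echo "consistent layout, missing keyrings: $(demo_consistent)"
echo "constructed key form: $(demo_key_form)"
```

Point signed_by_missing at a real file under /etc/apt/sources.list.d/ to audit an installed system. Because `[ -r ]` tests the permissions of whoever runs the script, running it as the _apt user (for example with `sudo -u _apt sh check.sh`) reflects the manpage's requirement that keyrings be readable by _apt, not just by root.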

ar flag
When you install Google Chrome, you download a deb file and double click it. The "package" sets up the PPA, the key etc. It is up to Google (the package maintainer) to see to it that the gpg key goes to `/usr/share/keyrings`.
de flag
There **is** a right and wrong for where you place the keys (although it SHOULD not break things if you do it the other way): at the end of [this section](https://wiki.debian.org/DebianRepository/UseThirdParty#OpenPGP_certificate_distribution) it is stated *"If future updates to the certificate will be managed by an apt/dpkg package [...], then it SHOULD be downloaded into `/usr/share/keyrings` using the same filename that will be provided by the package. If it will be managed locally [let's say manually], it SHOULD be downloaded into `/etc/apt/keyrings` instead."*
de flag
To make it even more clear, in [this section](https://wiki.debian.org/DebianRepository/UseThirdParty#Certificate_rollover_and_updates) it is even further explained how the package should be called and what it must and may contain. - **So, long story short:** if it is a key from a maintainer and it should eventually be updated by him (at the latest if you install a package called `REPONAME-archive-keyring`), then it must be placed at `/usr/share/keyrings`; if, no matter what, only you as the "local admin" should be able to touch the key, you must place it at `/etc/apt/keyrings`.