https://github.com/kstr0k/migrate-apt-keys

Migrates from "apt-key" managed keys to "[signed-by=.../keyrings/...]"

# `migrate-apt-keys`

## _Add signing info to `sources.list.d` Debian `apt` repos_

This script looks at each `deb[-src]` entry in the specified (or default) `SOURCE.list` files and
- adds `[signed-by]` qualifiers if missing
- downloads the corresponding `gpg` key into a designated folder

## Background

In recent (~2022) Ubuntu / Debian releases, `/etc/apt/sources.list.d/` repos signed by system-wide keys from `/etc/apt/trusted.gpg` trigger an `apt update` warning. Repos signed by individual `/etc/apt/trusted.gpg.d/*` keys don't; yet this is mostly security theatre, because the `trusted.gpg.d/*` keys still apply to all "unsigned" repos (those without a `[signed-by]` qualifier).

This script adds a `[signed-by]` qualifier to each `deb[-src] ...` entry within each `SOURCE.list` repo, and downloads all relevant keys into `/usr/local/share/keyrings/SOURCE-apt-keyring.gpg` (or a specified folder).
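
To see which entries the background above is about, the following added example (not part of `migrate-apt-keys` itself) lists the `deb[-src]` lines in one-line-format `.list` files that carry no `signed-by` option. The function name `unpinned_entries`, the `sample_list` helper and the `example.invalid` entries are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not part of migrate-apt-keys): report one-line-format apt
# entries with no signed-by option, i.e. entries that any key in
# trusted.gpg or trusted.gpg.d/* is allowed to vouch for.

# unpinned_entries FILE...
# Prints "FILE:LINE: ENTRY" for every deb / deb-src entry without signed-by.
unpinned_entries() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*deb(-src)?[ \t]/ {
                line = $0
                sub(/[ \t]*#.*$/, "", line)        # strip trailing comment
                rest = line
                sub(/^[ \t]*deb(-src)?[ \t]+/, "", rest)
                opts = ""
                if (substr(rest, 1, 1) == "[") {    # optional [ key=value ... ]
                    rb = index(rest, "]")
                    if (rb > 0) opts = substr(rest, 2, rb - 2)
                }
                if ((" " opts) !~ /[ \t]signed-by=/)
                    printf "%s:%d: %s\n", file, NR, line
            }
        ' "$f"
    done
}

# Constructed sample input (hypothetical repos), used when no files are given.
sample_list() {
    cat <<'EOF'
deb http://example.invalid/a stable main
deb [arch=amd64 signed-by=/usr/local/share/keyrings/b-apt-keyring.gpg] http://example.invalid/b stable main
# deb http://example.invalid/c stable main
deb-src [ arch=amd64 ] http://example.invalid/d stable main
EOF
}

if [ "$#" -gt 0 ]; then
    unpinned_entries "$@"
else
    tmp=$(mktemp) && sample_list > "$tmp" && unpinned_entries "$tmp"
    rm -f "$tmp"
fi
```

Pass real files as arguments (for example `/etc/apt/sources.list.d/*.list`) to audit a system; deb822-style `.sources` files use a different syntax and are not covered.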

## Usage

```sh
migrate-apt-keys --help
migrate-apt-keys [ KEYRING_FOLDER [SOURCE.list]... ]
```

## Copyright

[MIT license](LICENSE.txt): [`Jens Berthold`](https://github.com/maxhq), [`Alin Mr.`](https://github.com/mralusw)