Date: Fri, 11 Nov 2022 17:54:30 +0100
From: Christoph Berg
To: PostgreSQL in Debian
Subject: Repository key handling changed

Hi,

previously, when installing postgresql-common from apt.postgresql.org,
it would pull in the pgdg-keyring package that contains the key for
the repository:

  /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc
  /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
  /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg -> /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg

In postgresql-common 246, this has been changed such that
postgresql-common itself contains the key files, and the trusted.gpg.d
symlink is created when a /etc/apt/sources.list.d/pgdg.list is found.

On upgrade, pgdg-keyring will be removed, but since the same set of
files is provided, nothing should change.

One caveat is that pgdg-keyring has
/etc/apt/trusted.gpg.d/apt.postgresql.org.gpg marked as conffile, so
if the package is purged after the removal, the .gpg file will be
removed. (Workaround: reinstall postgresql-common, or don't purge
pgdg-keyring, or use an explicit key file (see below))

Additionally the apt.postgresql.org.sh installer script [1] has been
updated to write /etc/apt/sources.list.d/pgdg.sources in the modern
deb-822 style. By default it looks like this:

  $ cat /etc/apt/sources.list.d/pgdg.sources
  Types: deb
  URIs: https://apt.postgresql.org/pub/repos/apt
  Suites: bullseye-pgdg
  Components: main
  Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg

[1] https://salsa.debian.org/postgresql/postgresql-common/-/raw/master/pgdg/apt.postgresql.org.sh

The advantage is that the key for the repository is explicitly
specified, and the URI scheme has been upgraded to https://.
(Make sure systems have ca-certificates installed!)

I have not yet upgraded the installation instructions on
https://wiki.postgresql.org/wiki/Apt, since they are compatible with
either version of the key/scripts, but will do so over the next days.

If you have questions, follow up here or ask on #postgresql-apt on
libera.

Christoph
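
An audit check for the two properties the message highlights (explicit Signed-By key, https URIs), added here as an example; it is not part of the original message or of postgresql-common. The helper name check_pgdg_sources and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# check_pgdg_sources FILE  (hypothetical helper, not part of postgresql-common)
# Reads a deb822 .sources file, prints one finding per problem, and returns
# 0 when every enabled stanza uses https and names its key with Signed-By.
check_pgdg_sources() {
    awk '
    function report(msg) { printf "stanza %d: %s\n", stanza, msg; bad = 1 }
    function finish(   i, k, list) {
        if (!fields) return
        stanza++
        if (tolower(val["enabled"]) != "no") {
            k = split(val["uris"], list, " ")
            if (k == 0) report("no URIs field")
            for (i = 1; i <= k; i++)
                if (list[i] !~ /^https:\/\//) report("URI is not https: " list[i])
            if (val["signed-by"] == "")
                report("no Signed-By, so any key in trusted.gpg.d is accepted")
        }
        fields = 0; cur = ""; split("", val)
    }
    /^#/        { next }                       # comment line
    /^[ \t]*$/  { finish(); next }             # blank line ends a stanza
    /^[ \t]/    { if (cur != "") val[cur] = val[cur] " " $0; next }  # continuation
    {
        p = index($0, ":"); if (p == 0) next
        cur = tolower(substr($0, 1, p - 1))    # field names are case-insensitive
        v = substr($0, p + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
        val[cur] = v; fields = 1
    }
    END { finish(); exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the stanza from the message, plus a weak second stanza.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Types: deb
URIs: https://apt.postgresql.org/pub/repos/apt
Suites: bullseye-pgdg
Components: main
Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg

Types: deb
URIs: http://apt.postgresql.org/pub/repos/apt
Suites: bullseye-pgdg
Components: main
EOF
check_pgdg_sources "$sample" || echo "review the findings above"
rm -f "$sample"
```

On a real system the function would be pointed at /etc/apt/sources.list.d/pgdg.sources; it does not inspect legacy one-line pgdg.list files.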