public inbox for [email protected]help / color / mirror / Atom feed
Repository key handling changed 3+ messages / 2 participants [nested] [flat]
* Repository key handling changed @ 2022-11-11 16:54 Christoph Berg <[email protected]> 0 siblings, 1 reply; 3+ messages in thread From: Christoph Berg @ 2022-11-11 16:54 UTC (permalink / raw) To: PostgreSQL in Debian <[email protected]> Hi, previously, when installing postgresql-common from apt.postgresql.org, it would pull in the pgdg-keyring package that contains the key for the repository: /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg -> /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg In postgresql-common 246, this has been changed such that postgresql-common itself contains the key files, and the trusted.gpg.d symlink is created when a /etc/apt/sources.list.d/pgdg.list is found. On upgrade, pgdg-keyring will be removed, but since the same set of files is provided, nothing should change. One caveat is that pgdg-keyring has /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg marked as conffile, so if the package is purged after the removal, the .gpg file will be removed. (Workaround: reinstall postgresql-common, or don't purge pgdg-keyring, or use an explicit key file (see below)) Additionally the apt.postgresql.org.sh installer script [1] has been updated to write /etc/apt/sources.list.d/pgdg.sources in the modern deb-822 style. By default it looks like this: $ cat /etc/apt/sources.list.d/pgdg.sources Types: deb URIs: https://apt.postgresql.org/pub/repos/apt Suites: bullseye-pgdg Components: main Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg [1] https://salsa.debian.org/postgresql/postgresql-common/-/raw/master/pgdg/apt.postgresql.org.sh The advantage is that the key for the repository is explicitly specified, and the URI scheme has been upgraded to https://. (Make sure systems have ca-certificates installed!) I have not yet upgraded the installation instructions on https://wiki.postgresql.org/wiki/Apt yet, since they are compatible with either version of the key/scripts, but will do so over the next days. If you have questions, follow up here or ask on #postgresql-apt on libera. Christoph ^ permalink raw reply [nested|flat] 3+ messages in thread
* Re: Repository key handling changed @ 2022-11-14 20:06 Aaron Pavely <[email protected]> parent: Christoph Berg <[email protected]> 0 siblings, 1 reply; 3+ messages in thread From: Aaron Pavely @ 2022-11-14 20:06 UTC (permalink / raw) To: Christoph Berg <[email protected]>; PostgreSQL in Debian <[email protected]> On Fri, Nov 11, 2022 at 10:54 AM Christoph Berg <[email protected]> wrote: > Hi, > > previously, when installing postgresql-common from apt.postgresql.org, > it would pull in the pgdg-keyring package that contains the key for > the repository: > > /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc > /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg > /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg -> > /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg > > In postgresql-common 246, this has been changed such that > postgresql-common itself contains the key files, and the trusted.gpg.d > symlink is created when a /etc/apt/sources.list.d/pgdg.list is found. > > On upgrade, pgdg-keyring will be removed, but since the same set of > files is provided, nothing should change. > > One caveat is that pgdg-keyring has > /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg > marked as conffile, so if the package is purged after the removal, the > .gpg file > will be removed. (Workaround: reinstall postgresql-common, or don't > purge pgdg-keyring, or use an explicit key file (see below)) > > > Additionally the apt.postgresql.org.sh installer script [1] has been > updated to write /etc/apt/sources.list.d/pgdg.sources in the modern > deb-822 style. By default it looks like this: > > $ cat /etc/apt/sources.list.d/pgdg.sources > Types: deb > URIs: https://apt.postgresql.org/pub/repos/apt > Suites: bullseye-pgdg > Components: main > Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg > > [1] > https://salsa.debian.org/postgresql/postgresql-common/-/raw/master/pgdg/apt.postgresql.org.sh > > The advantage is that the key for the repository is explicitly > specified, and the URI scheme has been upgraded to https://. > (Make sure systems have ca-certificates installed!) > > > I have not yet upgraded the installation instructions on > https://wiki.postgresql.org/wiki/Apt yet, since they are compatible > with either version of the key/scripts, but will do so over the next > days. > > > If you have questions, follow up here or ask on #postgresql-apt on > libera. > > Christoph > I am wondering if the repository keys should have gone into postgresql-client-common, since there are cases where one will have postgresql-client-common installed, but not postgresql-common (e.g., hosts needing only the client libraries). -- Aaron ^ permalink raw reply [nested|flat] 3+ messages in thread
* Re: Repository key handling changed @ 2022-11-15 16:25 Christoph Berg <[email protected]> parent: Aaron Pavely <[email protected]> 0 siblings, 0 replies; 3+ messages in thread From: Christoph Berg @ 2022-11-15 16:25 UTC (permalink / raw) To: Aaron Pavely <[email protected]>; +Cc: PostgreSQL in Debian <[email protected]> Re: Aaron Pavely > I am wondering if the repository keys should have gone into > postgresql-client-common, since there are cases where one will have > postgresql-client-common installed, but not postgresql-common (e.g., hosts > needing only the client libraries). Good point. I had the same idea, but then went with postgresql-common because that already had the apt.postgresql.org.sh script, but maybe we should revisit that and move the files over. (Moving in that direction is easy since -common depends on -client-common.) Christoph ^ permalink raw reply [nested|flat] 3+ messages in thread
end of thread, other threads:[~2022-11-15 16:25 UTC | newest] Thread overview: 3+ messages (download: mbox mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2022-11-11 16:54 Repository key handling changed Christoph Berg <[email protected]> 2022-11-14 20:06 ` Aaron Pavely <[email protected]> 2022-11-15 16:25 ` Christoph Berg <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox