public inbox for [email protected]  
Repository key handling changed
3+ messages / 2 participants

* Repository key handling changed
@ 2022-11-11 16:54 Christoph Berg <[email protected]>
  2022-11-14 20:06 ` Re: Repository key handling changed Aaron Pavely <[email protected]>
  0 siblings, 1 reply; 3+ messages in thread

From: Christoph Berg @ 2022-11-11 16:54 UTC (permalink / raw)
  To: PostgreSQL in Debian <[email protected]>

Hi,

previously, when installing postgresql-common from apt.postgresql.org,
it would pull in the pgdg-keyring package that contains the key for
the repository:

/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc
/usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
/etc/apt/trusted.gpg.d/apt.postgresql.org.gpg -> /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg

In postgresql-common 246, this has been changed such that
postgresql-common itself contains the key files, and the trusted.gpg.d
symlink is created when a /etc/apt/sources.list.d/pgdg.list is found.

On upgrade, pgdg-keyring will be removed, but since the same set of
files is provided, nothing should change.

One caveat is that pgdg-keyring has /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg
marked as conffile, so if the package is purged after the removal, the .gpg file
will be removed. (Workaround: reinstall postgresql-common, or don't
purge pgdg-keyring, or use an explicit key file (see below))


Additionally the apt.postgresql.org.sh installer script [1] has been
updated to write /etc/apt/sources.list.d/pgdg.sources in the modern
deb-822 style. By default it looks like this:

$ cat /etc/apt/sources.list.d/pgdg.sources
Types: deb
URIs: https://apt.postgresql.org/pub/repos/apt
Suites: bullseye-pgdg
Components: main
Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg

[1] https://salsa.debian.org/postgresql/postgresql-common/-/raw/master/pgdg/apt.postgresql.org.sh

The advantage is that the key for the repository is explicitly
specified, and the URI scheme has been upgraded to https://.
(Make sure systems have ca-certificates installed!)


I have not yet upgraded the installation instructions on
https://wiki.postgresql.org/wiki/Apt, since they are compatible
with either version of the key/scripts, but will do so over the next
days.


If you have questions, follow up here or ask on #postgresql-apt on
libera.

Christoph
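
An added example, not part of the original message or of postgresql-common: a shell check that reads a deb-822 .sources file like the one shown above and reports, per stanza, whether the key is pinned with Signed-By, whether a pinned key file is actually present (the purge caveat), and whether every URI is https. The function name audit_sources, its ROOT argument and the mirror.example.invalid stanza are assumptions made for illustration.

```shell
# audit_sources FILE [ROOT] prints one line per deb822 stanza:
#   "<URIs> <pinned|unpinned|missing-key> <https|non-https>"
# Returns 1 if a stanza has no Signed-By or names a key file that is absent.
# ROOT is a hypothetical prefix for key paths so the check can run offline.
audit_sources() {
    file=$1 root=${2:-} status=0 tab=$(printf '\t')
    # Flatten each stanza to "URIs<TAB>Signed-By" ("-" when a field is absent).
    out=$(awk '
        function flush() {
            if (seen) printf "%s\t%s\n", (uris == "" ? "-" : uris), (key == "" ? "-" : key)
            uris = key = ""; seen = 0
        }
        /^#/        { next }                 # comment
        /^[ \t]*$/  { flush(); next }        # blank line ends a stanza
        /^[ \t]/    { next }                 # continuation line, ignored here
        {
            seen = 1
            name = tolower($0); sub(/:.*/, "", name)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            if (name == "uris") uris = val
            if (name == "signed-by") key = (val == "" ? "(inline)" : val)
        }
        END { flush() }' "$file")
    while IFS=$tab read -r uris key; do
        case $uris in ''|-) continue ;; esac
        pin=pinned tls=https
        [ "$key" != - ] || { pin=unpinned; status=1; }
        for k in $key; do                    # only absolute paths are checked
            case $k in /*) [ -e "$root$k" ] || { pin=missing-key; status=1; } ;; esac
        done
        for u in $uris; do
            case $u in https://*) ;; *) tls=non-https ;; esac
        done
        printf '%s %s %s\n' "$uris" "$pin" "$tls"
    done <<EOF
$out
EOF
    return $status
}

# Constructed demo: the stanza from the message plus a made-up unpinned one.
demo=$(mktemp -d); keydir=$demo/usr/share/postgresql-common/pgdg
mkdir -p "$keydir"; : > "$keydir/apt.postgresql.org.gpg"   # empty stand-in key
printf '%s\n' 'Types: deb' 'URIs: https://apt.postgresql.org/pub/repos/apt' \
    'Suites: bullseye-pgdg' 'Components: main' \
    'Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg' '' \
    'Types: deb' 'URIs: http://mirror.example.invalid/apt' 'Suites: bullseye' \
    > "$demo/pgdg.sources"
audit_sources "$demo/pgdg.sources" "$demo" || echo "a stanza needs attention"
```

On a real host, call it with no second argument, e.g. audit_sources /etc/apt/sources.list.d/pgdg.sources.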






* Re: Repository key handling changed
  2022-11-11 16:54 Repository key handling changed Christoph Berg <[email protected]>
@ 2022-11-14 20:06 ` Aaron Pavely <[email protected]>
  2022-11-15 16:25   ` Re: Repository key handling changed Christoph Berg <[email protected]>
  0 siblings, 1 reply; 3+ messages in thread

From: Aaron Pavely @ 2022-11-14 20:06 UTC (permalink / raw)
  To: Christoph Berg <[email protected]>; PostgreSQL in Debian <[email protected]>

On Fri, Nov 11, 2022 at 10:54 AM Christoph Berg <[email protected]> wrote:

> Hi,
>
> previously, when installing postgresql-common from apt.postgresql.org,
> it would pull in the pgdg-keyring package that contains the key for
> the repository:
>
> /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc
> /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
> /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg -> /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
>
> In postgresql-common 246, this has been changed such that
> postgresql-common itself contains the key files, and the trusted.gpg.d
> symlink is created when a /etc/apt/sources.list.d/pgdg.list is found.
>
> On upgrade, pgdg-keyring will be removed, but since the same set of
> files is provided, nothing should change.
>
> One caveat is that pgdg-keyring has /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg
> marked as conffile, so if the package is purged after the removal, the .gpg file
> will be removed. (Workaround: reinstall postgresql-common, or don't
> purge pgdg-keyring, or use an explicit key file (see below))
>
>
> Additionally the apt.postgresql.org.sh installer script [1] has been
> updated to write /etc/apt/sources.list.d/pgdg.sources in the modern
> deb-822 style. By default it looks like this:
>
> $ cat /etc/apt/sources.list.d/pgdg.sources
> Types: deb
> URIs: https://apt.postgresql.org/pub/repos/apt
> Suites: bullseye-pgdg
> Components: main
> Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
>
> [1] https://salsa.debian.org/postgresql/postgresql-common/-/raw/master/pgdg/apt.postgresql.org.sh
>
> The advantage is that the key for the repository is explicitly
> specified, and the URI scheme has been upgraded to https://.
> (Make sure systems have ca-certificates installed!)
>
>
> I have not yet upgraded the installation instructions on
> https://wiki.postgresql.org/wiki/Apt, since they are compatible
> with either version of the key/scripts, but will do so over the next
> days.
>
>
> If you have questions, follow up here or ask on #postgresql-apt on
> libera.
>
> Christoph
>

I am wondering if the repository keys should have gone into
postgresql-client-common, since there are cases where one will have
postgresql-client-common installed, but not postgresql-common (e.g., hosts
needing only the client libraries).

-- Aaron



* Re: Repository key handling changed
  2022-11-11 16:54 Repository key handling changed Christoph Berg <[email protected]>
  2022-11-14 20:06 ` Re: Repository key handling changed Aaron Pavely <[email protected]>
@ 2022-11-15 16:25   ` Christoph Berg <[email protected]>
  0 siblings, 0 replies; 3+ messages in thread

From: Christoph Berg @ 2022-11-15 16:25 UTC (permalink / raw)
  To: Aaron Pavely <[email protected]>; +Cc: PostgreSQL in Debian <[email protected]>

Re: Aaron Pavely
> I am wondering if the repository keys should have gone into
> postgresql-client-common, since there are cases where one will have
> postgresql-client-common installed, but not postgresql-common (e.g., hosts
> needing only the client libraries).

Good point. I had the same idea, but then went with postgresql-common
because that already had the apt.postgresql.org.sh script, but maybe
we should revisit that and move the files over. (Moving in that
direction is easy since -common depends on -client-common.)

Christoph





