Hello,
See here:
See here:
- https://bugs.debian.org/1041732:From: David Kalnischkies <david@kalnischkies.de>
To: 1041732-done@bugs.debian.org
Cc: Jörn Heissler <debbugs2023-07@wulf.eu.org>
Subject: Re: Bug#1041732: "N: Missing Signed-By in the sources.list(5) entry for 'http://deb.debian.org/debian'"
Date: Sat, 22 Jul 2023 22:36:41 +0200
[Message part 1 (text/plain, inline)]
Hi,
On Sat, Jul 22, 2023 at 06:58:45PM +0200, Jörn Heissler wrote:
> N: Missing Signed-By in the sources.list(5) entry for 'http://deb.debian.org/debian'
[…]
> I tried "Signed-By: /etc/apt/trusted.gpg.d/*" but that doesn't work.
> What is the correct value?
Have you looked at the manpage sources.list this notice points to?
| […] [Signed-By] is specified as a list of absolute paths to keyring
| files […]
That goes on to define it further with alternatives and such, but in
short, for any Debian entry the best choice might be:
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
There are a range of possible alternatives depending mainly on your
paranoia level, but that should be the most maintenance free one for now
accomplishing the main goal of the exercise: Ensuring that a Debian
entry can not be signed by a random key from a third-party repo you also
happen to trust (or did at some point, but forgot to remove the key
alongside the sources entry).
As that isn't really a bug but a support question, closing.
Best regards
David Kalnischkies
Statistics: Posted by Aki — 2024-08-25 18:19