Home / ubuntu / Questions / 1412905
Accepted
gavenkoa
Asked: 2022-06-09 02:17:06 +0800 CST

Is it possible to specify PGP key via HTTPS URL?

  • 772

For YUM (RHEL) I can specify repository with HTTPS link to key file, like /etc/yum.repo.d/elastic-7.x.repo:

[elastic-7.x]
baseurl = https://artifacts.elastic.co/packages/7.x/yum
gpgcheck = 1
gpgkey = https://artifacts.elastic.co/GPG-KEY-elasticsearch
name = Elasticsearch repository for 7.x packages

In case of Debian I have to download a key file first:

sudo curl -o /usr/share/keyrings/elastic.asc https://artifacts.elastic.co/GPG-KEY-elasticsearch

and than register that file by the attribute signed-by:

deb [signed-by=/usr/share/keyrings/elastic.asc arch=amd64] https://artifacts.elastic.co/packages/7.x/apt stable main

Can I specify the signing key by HTTPS URL?

This way I avoid updating keys when they rot.

apt

1 Answers

  1. Best Answer

    It's not possible. The keys must be located in the filesystem one way or the other. The server can only specify the fingerprints of the keys to be used, but cannot provide the keys themselves. See the documentation of the Signed-by option in man sources.list:

    Signed-By (signed-by) is an option to require a repository to pass apt-secure(8) verification with a certain set of keys rather than all trusted keys apt has configured. It is specified as a list of absolute paths to keyring files (have to be accessible and readable for the _apt system user, so ensure everyone has read-permissions on the file) and fingerprints of keys to select from these keyrings. [...] The option defaults to the value of the option with the same name if set in the previously acquired Release file of this repository (only fingerprints can be specified there through). Otherwise all keys in the trusted keyrings are considered valid signers for this repository. The option may also be set directly to an embedded GPG public key block.

    • 1