GPG public key already ASCII - Change documentation to use /etc/apt/trusted.gpg.d/packetfence.asc #8388

Open
E-ThanG opened this issue Nov 14, 2024 · 0 comments
Describe the bug

  1. The documentation includes unnecessary steps to download the GPG public key into /etc/apt/keyrings/ as a binary file. The current best practice is to use an ASCII public key in /etc/apt/trusted.gpg.d/. See the deprecation warning below. The public key is already stored as ASCII in https://inverse.ca/downloads/GPG_PUBLIC_KEY. There is no reason to convert it to binary.
    W: http://inverse.ca/downloads/PacketFence/debian/14.1/dists/bookworm/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
  2. The current documentation says to use the command below. However, the upgrade script removes the [signed-by stanza]. So there's the potential to create an issue where the update can't be downloaded. If the public key is in /etc/apt/trusted.gpg.d/ it's already trusted and doesn't need to be in the packetfence.list file.
    echo "deb [signed-by=/etc/apt/keyrings/packetfence.gpg] http://inverse.ca/downloads/PacketFence/debian/14.0 bookworm bookworm" > /etc/apt/sources.list.d/packetfence.list

Expected behavior
Either of the options below:
A.

  1. The command in the documentation under 4.3.3. Software Installation->Debian-based systems should be
    curl -fsSL https://inverse.ca/downloads/GPG_PUBLIC_KEY > /etc/apt/trusted.gpg.d/packetfence.asc
  2. [signed-by=/etc/apt/keyrings/packetfence.gpg] should be removed from /etc/apt/sources.list.d/packetfence.list
  3. The PacketFence upgrade script should delete any packetfence*.gpg files in /etc/apt/keyrings/ and the default key ring (apt-key list).
  4. The installation and upgrade scripts should automatically download that file to /etc/apt/trusted.gpg.d/ if it doesn't already exist.

B.

  1. Documentation command is left as is
  2. Upgrade and install scripts modified to insert [signed-by=/etc/apt/keyrings/packetfence.gpg] into /etc/apt/sources.list.d/packetfence.list.
  3. If /etc/apt/keyrings/packetfence.gpg doesn't exist it should be automatically downloaded.

The commands used for Security Onion and the PF Connector probably also need to be updated.
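
A check for the two end states this issue describes (key scoped with [signed-by=...] versus key placed in /etc/apt/trusted.gpg.d/), as an added example that is not part of the original issue or of PacketFence's scripts. Function names and result labels are hypothetical; the demo files are constructed in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example, not PacketFence code: classify how an APT source entry gets its key.
# Print the signed-by= path of the first "deb [...]" line, or nothing.
signed_by_path() {
    sed -nE 's/^deb[[:space:]]+\[[^]]*signed-by=([^] ]+).*/\1/p' "$1" | head -n 1
}

# Print "armored" or "binary" from the first line of a key file.
key_format() {
    if head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then echo armored; else echo binary; fi
}

# apt reads .asc as ASCII-armored and .gpg as binary; print ok or mismatch.
key_name_matches() {
    case "$1:$(key_format "$1")" in
        *.asc:armored|*.gpg:binary) echo ok ;;
        *) echo mismatch ;;
    esac
}

# Arguments: list file, trusted.gpg.d directory.
# Prints: scoped-ok | scoped-missing-key | global-ok | no-key | bad-key-format
audit_source() {
    local list="$1" trusted_dir="${2:-/etc/apt/trusted.gpg.d}" key f
    key="$(signed_by_path "$list")"
    if [ -n "$key" ]; then
        [ -s "$key" ] || { echo scoped-missing-key; return 0; }
        [ "$(key_name_matches "$key")" = ok ] && echo scoped-ok || echo bad-key-format
        return 0
    fi
    for f in "$trusted_dir"/packetfence*.asc "$trusted_dir"/packetfence*.gpg; do
        [ -s "$f" ] || continue
        [ "$(key_name_matches "$f")" = ok ] && echo global-ok || echo bad-key-format
        return 0
    done
    echo no-key
}

# Constructed demo: the entry from the issue, with and without [signed-by=...].
demo() {
    local d; d="$(mktemp -d)"
    mkdir -p "$d/keyrings" "$d/trusted.gpg.d"
    echo "deb [signed-by=$d/keyrings/packetfence.gpg] http://inverse.ca/downloads/PacketFence/debian/14.0 bookworm bookworm" > "$d/with.list"
    echo "deb http://inverse.ca/downloads/PacketFence/debian/14.0 bookworm bookworm" > "$d/without.list"
    audit_source "$d/with.list" "$d/trusted.gpg.d"     # keyring file absent
    audit_source "$d/without.list" "$d/trusted.gpg.d"  # stanza removed, no key anywhere
    rm -rf "$d"
}
demo
```

On a real host the call would be `audit_source /etc/apt/sources.list.d/packetfence.list`; the keys in the legacy /etc/apt/trusted.gpg keyring that trigger the warning quoted above are not inspected.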
