On Fri, Nov 11, 2022 at 10:54 AM Christoph Berg <myon@debian.org> wrote:
Hi,
previously, when installing postgresql-common from apt.postgresql.org, it would pull in the pgdg-keyring package that contains the key for the repository:
In postgresql-common 246, this has been changed such that postgresql-common itself contains the key files, and the trusted.gpg.d symlink is created when a /etc/apt/sources.list.d/pgdg.list is found.
On upgrade, pgdg-keyring will be removed, but since the same set of files is provided, nothing should change.
One caveat is that pgdg-keyring has /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg marked as conffile, so if the package is purged after the removal, the .gpg file will be removed. (Workaround: reinstall postgresql-common, or don't purge pgdg-keyring, or use an explicit key file (see below))
Additionally the apt.postgresql.org.sh installer script [1] has been updated to write /etc/apt/sources.list.d/pgdg.sources in the modern deb-822 style. By default it looks like this:
$ cat /etc/apt/sources.list.d/pgdg.sources Types: deb URIs: https://apt.postgresql.org/pub/repos/apt Suites: bullseye-pgdg Components: main Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
The advantage is that the key for the repository is explicitly specified, and the URI scheme has been upgraded to https://. (Make sure systems have ca-certificates installed!)
I have not yet upgraded the installation instructions on https://wiki.postgresql.org/wiki/Apt yet, since they are compatible with either version of the key/scripts, but will do so over the next days.
If you have questions, follow up here or ask on #postgresql-apt on libera.
Christoph
I am wondering if the repository keys should have gone into postgresql-client-common, since there are cases where one will have postgresql-client-common installed, but not postgresql-common (e.g., hosts needing only the client libraries).