Thread: Repository key handling changed
Hi,

previously, when installing postgresql-common from apt.postgresql.org, it would pull in the pgdg-keyring package that contains the key for the repository:

/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc
/usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
/etc/apt/trusted.gpg.d/apt.postgresql.org.gpg -> /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg

In postgresql-common 246, this has been changed such that postgresql-common itself contains the key files, and the trusted.gpg.d symlink is created when a /etc/apt/sources.list.d/pgdg.list is found. On upgrade, pgdg-keyring will be removed, but since the same set of files is provided, nothing should change.

One caveat is that pgdg-keyring has /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg marked as conffile, so if the package is purged after the removal, the .gpg file will be removed. (Workaround: reinstall postgresql-common, or don't purge pgdg-keyring, or use an explicit key file (see below))

Additionally the apt.postgresql.org.sh installer script [1] has been updated to write /etc/apt/sources.list.d/pgdg.sources in the modern deb-822 style. By default it looks like this:

$ cat /etc/apt/sources.list.d/pgdg.sources
Types: deb
URIs: https://apt.postgresql.org/pub/repos/apt
Suites: bullseye-pgdg
Components: main
Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg

[1] https://salsa.debian.org/postgresql/postgresql-common/-/raw/master/pgdg/apt.postgresql.org.sh

The advantage is that the key for the repository is explicitly specified, and the URI scheme has been upgraded to https://. (Make sure systems have ca-certificates installed!)

I have not yet upgraded the installation instructions on https://wiki.postgresql.org/wiki/Apt yet, since they are compatible with either version of the key/scripts, but will do so over the next days.

If you have questions, follow up here or ask on #postgresql-apt on libera.

Christoph
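Added example, not part of the original message or of postgresql-common: a shell function that reads deb822 stanzas such as the pgdg.sources shown above and flags any that lack Signed-By (apt then accepts any key in /etc/apt/trusted.gpg.d for that repository) or do not use https. The function names, the OK/REVIEW labels and the second sample stanza are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit deb822 apt source stanzas read from stdin.
# Prints one line per stanza:
#   <first URI> signed-by=<path|NONE> scheme=<scheme> <OK|REVIEW>
# OK means the stanza names its key with Signed-By and fetches over https.
audit_deb822() {
    awk '
    BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one record per stanza
    {
        uri = ""; key = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^#/) continue                          # comment line
            if (!match($i, /^[A-Za-z-]+:[ \t]*/)) continue   # continuation line: ignored here
            name = tolower(substr($i, 1, index($i, ":") - 1))
            val = substr($i, RLENGTH + 1)
            if (name == "uris") { split(val, u, /[ \t]+/); uri = u[1] }
            if (name == "signed-by") key = val
        }
        if (uri == "") next
        scheme = uri; sub(/:.*/, "", scheme)
        verdict = (key != "" && scheme == "https") ? "OK" : "REVIEW"
        printf "%s signed-by=%s scheme=%s %s\n", uri, (key == "" ? "NONE" : key), scheme, verdict
    }'
}

# Constructed sample: the first stanza is the pgdg.sources shown in the message,
# the second is a made-up stanza with no Signed-By and a plain http URI.
sample_sources() {
    cat <<'EOF'
Types: deb
URIs: https://apt.postgresql.org/pub/repos/apt
Suites: bullseye-pgdg
Components: main
Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg

# constructed stanza: relies on keys in /etc/apt/trusted.gpg.d
Types: deb
URIs: http://apt.postgresql.org/pub/repos/apt
Suites: bullseye-pgdg
Components: main
EOF
}

sample_sources | audit_deb822
```

On a real host the same function can be run as audit_deb822 < /etc/apt/sources.list.d/pgdg.sources.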
On Fri, Nov 11, 2022 at 10:54 AM Christoph Berg <myon@debian.org> wrote:
> Hi,
> previously, when installing postgresql-common from apt.postgresql.org,
> it would pull in the pgdg-keyring package that contains the key for
> the repository:
> /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc
> /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
> /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg -> /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
> In postgresql-common 246, this has been changed such that
> postgresql-common itself contains the key files, and the trusted.gpg.d
> symlink is created when a /etc/apt/sources.list.d/pgdg.list is found.
> On upgrade, pgdg-keyring will be removed, but since the same set of
> files is provided, nothing should change.
> One caveat is that pgdg-keyring has /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg
> marked as conffile, so if the package is purged after the removal, the .gpg file
> will be removed. (Workaround: reinstall postgresql-common, or don't
> purge pgdg-keyring, or use an explicit key file (see below))
> Additionally the apt.postgresql.org.sh installer script [1] has been
> updated to write /etc/apt/sources.list.d/pgdg.sources in the modern
> deb-822 style. By default it looks like this:
> $ cat /etc/apt/sources.list.d/pgdg.sources
> Types: deb
> URIs: https://apt.postgresql.org/pub/repos/apt
> Suites: bullseye-pgdg
> Components: main
> Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
> [1] https://salsa.debian.org/postgresql/postgresql-common/-/raw/master/pgdg/apt.postgresql.org.sh
> The advantage is that the key for the repository is explicitly
> specified, and the URI scheme has been upgraded to https://.
> (Make sure systems have ca-certificates installed!)
> I have not yet upgraded the installation instructions on
> https://wiki.postgresql.org/wiki/Apt yet, since they are compatible
> with either version of the key/scripts, but will do so over the next
> days.
> If you have questions, follow up here or ask on #postgresql-apt on
> libera.
> Christoph
I am wondering if the repository keys should have gone into postgresql-client-common, since there are cases where one will have postgresql-client-common installed, but not postgresql-common (e.g., hosts needing only the client libraries).
-- Aaron
Re: Aaron Pavely
> I am wondering if the repository keys should have gone into
> postgresql-client-common, since there are cases where one will have
> postgresql-client-common installed, but not postgresql-common (e.g., hosts
> needing only the client libraries).

Good point. I had the same idea, but then went with postgresql-common because that already had the apt.postgresql.org.sh script, but maybe we should revisit that and move the files over. (Moving in that direction is easy since -common depends on -client-common.)

Christoph