Individual keyfiles for apt repositories
As we use Salt Stack to automatically provision software as part of a preseeded auto install, one of the things we need to be able to do is add an apt repository.
There is a way to natively add the keys for a repository, but if you do that, the keys all end up in /etc/apt/trusted.gpg. We would much prefer that keys for third-party repositories end up in a separate file in /etc/apt/trusted.gpg.d, as we typically add third-party repositories to their own files in /etc/apt/sources.list.d.
This follows the preference for leaving package-installed config files as stock as possible and making local configuration changes in a .d directory.
Given a repository's GPG key, we cannot use the apt-key tool to add the key, as this would add it to the default keyfile, /etc/apt/trusted.gpg. So the answer is to use gpg directly.
gpg --no-default-keyring --keyring ./somerepo.gpg --import somerepo.key
cp somerepo.gpg /etc/apt/trusted.gpg.d
chmod 644 /etc/apt/trusted.gpg.d/somerepo.gpg
EDIT: This hasn't always worked, but I've found a better way.
gpg --no-default-keyring --keyring gnupg-ring:./somerepo.gpg --keyserver hkp://somekey.server --recv-key A5BE2D9C67A18DE6
cp somerepo.gpg /etc/apt/trusted.gpg.d
chmod 644 /etc/apt/trusted.gpg.d/somerepo.gpg
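The following is an added example, not code from the original post: it wraps the procedure above in a small POSIX sh script that fetches a repository key into its own keyring, and adds the check a practitioner wants before trusting a key fetched by short key ID from a keyserver, namely comparing the imported key's full fingerprint against one pinned in advance (a keyserver can return any key it likes for a given ID). The `gnupg-ring:` prefix is kept because GnuPG 2.1 and later otherwise create new keyrings in keybox (.kbx) format, which apt does not read. The repository name, keyserver, key ID and fingerprint in the script are constructed placeholders, as is the sample `gpg --with-colons` listing; the script runs offline apart from `install_repo_key`, which is the only part that talks to a keyserver and needs root to write into /etc/apt/trusted.gpg.d.

```shell
#!/bin/sh
# Added example (not from the original post). Installs a repository signing key
# into its own file under /etc/apt/trusted.gpg.d, refusing to install it unless
# the imported key's primary fingerprint matches a fingerprint pinned up front.
# All repository names, servers, key IDs and fingerprints below are constructed.
set -eu

# Read `gpg --with-colons` output on stdin and print the fingerprint of every
# primary key, one per line. In colon format a 'pub' record is followed by an
# 'fpr' record whose field 10 is the fingerprint; subkeys ('sub') have their
# own 'fpr' records, which are deliberately skipped.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the listing on stdin holds exactly one primary key and its
# fingerprint equals $1 (spaces and case in $1 are ignored).
listing_matches_fingerprint() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(primary_fingerprints)
    [ "$(printf '%s\n' "$got" | grep -c .)" -eq 1 ] && [ "$got" = "$expected" ]
}

# Destination keyfile for a repository name, following the post's layout.
keyring_path() {
    printf '/etc/apt/trusted.gpg.d/%s.gpg\n' "$1"
}

# Fetch key $4 from keyserver $3 into a fresh keyring for repository $1,
# verify it against pinned fingerprint $2, then install it world-readable.
install_repo_key() {
    repo="$1"; expected="$2"; server="$3"; keyid="$4"
    tmp=$(mktemp -d)
    ring="gnupg-ring:$tmp/$repo.gpg"   # legacy keyring format, readable by apt
    gpg --no-default-keyring --keyring "$ring" \
        --keyserver "$server" --recv-key "$keyid"
    if ! gpg --no-default-keyring --keyring "$ring" --with-colons --list-keys \
            | listing_matches_fingerprint "$expected"; then
        echo "refusing to install key for $repo: fingerprint mismatch" >&2
        rm -rf "$tmp"
        return 1
    fi
    install -m 0644 "$tmp/$repo.gpg" "$(keyring_path "$repo")"
    rm -rf "$tmp"
}

# Usage (placeholder values; the fingerprint must be obtained from the
# repository operator over a trusted channel, not from the keyserver):
# install_repo_key somerepo \
#     '0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567' \
#     hkp://keyserver.example.invalid 0123456789ABCDEF
```

A key placed in /etc/apt/trusted.gpg.d is trusted for every configured repository, not just the one it was fetched for. This goes beyond the post, but the same keyring file can instead be kept in /etc/apt/keyrings and referenced from the repository's entry in /etc/apt/sources.list.d with apt's `signed-by` option (`deb [signed-by=/etc/apt/keyrings/somerepo.gpg] ...`), which scopes the key to that one source.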