添加第三方Debian仓库的建议程序
1.将仓库的OpenPGP密钥放入/usr/share/keyrings。
注意:密钥不得放入/etc/apt/trusted.gpg.d,也不能通过apt-key add添加。从apt-key(8):
Use of apt-key is deprecated, except for the use of apt-key del in maintainer scripts to remove existing keys from the main keyring. If such usage of apt-key is desired the additional installation of the GNU Privacy Guard suite (packaged in gnupg) is required.
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
2.仓库的source.list条目应当设置signed-by选项,该选项应指向仓库的OpenPGP密钥。条目必须以缩短的仓库名称添加到/etc/apt/sources.list.d目录下。例如,名为deriv的仓库对应的文件为/etc/apt/sources.list.d/deriv.list,其内容为:
deb [signed-by=/usr/share/keyrings/deriv-archive-keyring.gpg] https://deriv.example.net/debian/ stable main
也可以建立使用Deb822文件格式的文件/etc/apt/sources.list.d/deriv.sources:
Types: deb
URIs: https://deriv.example.net/debian/
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/deriv-archive-keyring.gpg
3.为仓库建立对应的Apt pinning条目,添加到/etc/apt/preferences.d目录下。例如,对于上面假想的deriv仓库,将建立文件/etc/apt/preferences.d/deriv.pref:
Package: *
Pin: origin deriv.example.net
Pin-Priority: 100
这将禁止从deriv仓库升级已经从正式仓库安装的包,同时允许为从deriv仓库安装的包进行升级。
这一方面更多的技术信息,参见Debian Wiki的AptConfiguration页面、Debian参考手册。
4.仓库密钥的更新应当通过包管理器分发。例如,deriv仓库通过包deriv-archive-keyring在路径/usr/share/keyrings/deriv-archive-keyring.gpg分发密钥,它也可能包括文件/etc/apt/sources.list.d/deriv.sources或/etc/apt/sources.list.d/deriv.list和/etc/apt/preferences.d/deriv.pref。如果采用这种机制来分发密钥更新,相关的包必须在仓库的Apt pinning条目中特殊处理。
常见问题
W: GPG error: http://deriv.example.net stable InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 744ACF4DF3319FFA
这种错误常见于您配置的仓库密钥属于"ascii-armored"形式而非二进制形式。您可以考虑执行命令
gpg --dearmor < input.gpg > output.gpg
以修复问题。