apt_repository should not use deprecated apt-key anymore
stissot opened this issue · 2 comments
Describe the Enhancement:
The apt_repository resource (as of Chef 18 as well as on master) leverages apt-key add to import the repository signing key.
This way of importing the key has been deprecated for security reasons (it trusts all packages from the repository instead of only the installed package) and will be last available in Debian 11 and Ubuntu 22.04.
Sources:
- https://itsfoss.com/apt-key-deprecated/
- https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html
Describe the Need:
We need to refactor the apt_repository to use this more complex method instead:
wget -O- <https://example.com/key/repo-key.gpg> | gpg --dearmor | sudo tee /usr/share/keyrings/<myrepository>-archive-keyring.gpg
Current Alternative
As a workaround, one can use the execute resource to import the key before apt_repository
Can We Help You Implement This?:
I'm willing to prepare a pull request. Let me know your opinion and if you think it's needed to keep apt-key add as a fallback method for older Ubuntu/Debian releases (I'm testing on Ubuntu 22.04)
Duplicate of #13168?
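
Added example, not part of the issue thread and not Chef's own code: a Ruby audit of one-line-style APT source entries that reports which ones pin their key with apt's signed-by option (the keyring-file approach requested above) and which still depend on the global keyring that apt-key add populates. The helper names, repository URLs and sample entries are constructed for illustration.

```ruby
# Added example: classify one-line-style APT source entries by how their
# signing key is trusted. Repository names and paths below are constructed.
SourceEntry = Struct.new(:type, :options, :uri, :suite, :components)

# Keys in these locations are trusted for every configured repository;
# /etc/apt/trusted.gpg is the keyring that `apt-key add` writes to.
GLOBAL_KEYRINGS = %r{\A/etc/apt/trusted\.gpg(\.d/|\z)}

# Parse "deb [opt=val ...] uri suite [component ...]".
# Returns nil for blank lines, comments and other non-deb lines.
def parse_source_line(line)
  text = line.sub(/#.*/, '').strip
  m = text.match(/\A(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)(.*)\z/)
  return nil unless m

  options = (m[2] || '').split.to_h do |pair|
    key, value = pair.split('=', 2)
    [key, value.to_s]
  end
  SourceEntry.new(m[1], options, m[3], m[4], m[5].split)
end

# :scoped -> signed-by names a keyring outside the global locations
#            (a key fingerprint value is also treated as scoped here)
# :global -> no signed-by, or signed-by points at a globally trusted keyring
def keyring_scope(entry)
  signed_by = entry.options['signed-by'].to_s
  return :global if signed_by.empty?
  return :global if signed_by.split(',').any? { |k| k.match?(GLOBAL_KEYRINGS) }

  :scoped
end

# Returns [uri, scope] pairs for every deb/deb-src entry in the text.
def audit(sources_text)
  sources_text.each_line.map { |l| parse_source_line(l) }.compact
              .map { |e| [e.uri, keyring_scope(e)] }
end

SAMPLE = <<~LIST
  # constructed sample, hypothetical repositories
  deb [arch=amd64 signed-by=/usr/share/keyrings/myrepository-archive-keyring.gpg] https://example.com/apt stable main
  deb https://example.org/debian bookworm main  # key imported with apt-key add
  deb-src [signed-by=/etc/apt/trusted.gpg.d/other.gpg] https://example.net/apt focal main contrib
LIST

audit(SAMPLE).each { |uri, scope| puts format('%-8s %s', scope, uri) }
```

Entries reported as global are the ones to migrate to a dedicated keyring file referenced with signed-by.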