almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-28 18:02:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

doc: update Debian Trixie installation instructions
Some checks are pending
Build dev environments / Build dev-env (debian-bookworm) (push) Waiting to run
Details
Build dev environments / Build dev-env (debian-bullseye) (push) Waiting to run
Details
Build dev environments / Build dev-env (debian-trixie) (push) Waiting to run
Details
Build dev environments / Build dev-env (fedora-40) (push) Waiting to run
Details
Build dev environments / Build dev-env (fedora-41) (push) Waiting to run
Details
Build dev environments / Build dev-env (ubuntu-20.04) (push) Waiting to run
Details
Build dev environments / Build dev-env (ubuntu-22.04) (push) Waiting to run
Details
Build dev environments / Build dev-env (ubuntu-24.04) (push) Waiting to run
Details
Build dev environments / Build dev-env (ubuntu-24.10) (push) Waiting to run
Details
Build dev environments / build-container-image (push) Waiting to run
Details
Tests / run-lint (push) Waiting to run
Details
Tests / build-container-image (push) Waiting to run
Details
Tests / Download and cache Tesseract data (push) Waiting to run
Details
Tests / windows (push) Blocked by required conditions
Details
Tests / macOS (arch64) (push) Blocked by required conditions
Details
Tests / macOS (x86_64) (push) Blocked by required conditions
Details
Tests / build-deb (debian bookworm) (push) Blocked by required conditions
Details
Tests / build-deb (debian bullseye) (push) Blocked by required conditions
Details
Tests / build-deb (debian trixie) (push) Blocked by required conditions
Details
Tests / build-deb (ubuntu 20.04) (push) Blocked by required conditions
Details
Tests / build-deb (ubuntu 22.04) (push) Blocked by required conditions
Details
Tests / build-deb (ubuntu 24.04) (push) Blocked by required conditions
Details
Tests / build-deb (ubuntu 24.10) (push) Blocked by required conditions
Details
Tests / install-deb (debian bookworm) (push) Blocked by required conditions
Details
Tests / install-deb (debian bullseye) (push) Blocked by required conditions
Details
Tests / install-deb (debian trixie) (push) Blocked by required conditions
Details
Tests / install-deb (ubuntu 20.04) (push) Blocked by required conditions
Details
Tests / install-deb (ubuntu 22.04) (push) Blocked by required conditions
Details
Tests / install-deb (ubuntu 24.04) (push) Blocked by required conditions
Details
Tests / install-deb (ubuntu 24.10) (push) Blocked by required conditions
Details
Tests / build-install-rpm (fedora 40) (push) Blocked by required conditions
Details
Tests / build-install-rpm (fedora 41) (push) Blocked by required conditions
Details
Tests / run tests (debian bookworm) (push) Blocked by required conditions
Details
Tests / run tests (debian bullseye) (push) Blocked by required conditions
Details
Tests / run tests (debian trixie) (push) Blocked by required conditions
Details
Tests / run tests (fedora 40) (push) Blocked by required conditions
Details
Tests / run tests (fedora 41) (push) Blocked by required conditions
Details
Tests / run tests (ubuntu 20.04) (push) Blocked by required conditions
Details
Tests / run tests (ubuntu 22.04) (push) Blocked by required conditions
Details
Tests / run tests (ubuntu 24.04) (push) Blocked by required conditions
Details
Tests / run tests (ubuntu 24.10) (push) Blocked by required conditions
Details
Scan latest app and container / security-scan-container (push) Waiting to run
Details
Scan latest app and container / security-scan-app (push) Waiting to run
Details

Browse source 
Starting with Debian Trixie, `apt secure` relies on `sqv` to do its verification, which doesn't support the GPG keybox database format.

At the same time, using the standard PGP base64 format makes the verification fail for versions of `apt secure` which relies on `gpg`, as the subkey isn't detected there.

Fixes #1055
This commit is contained in:
Alexis Métaireau 2025-01-20 11:58:50 +01:00
parent 7f418118e6
commit c407e2ff84
No known key found for this signature in database
GPG key ID: C65C7A89A8FFC56E
2 changed files with 30 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
.github/workflows/check_repos.yml vendored
View file

@ -46,21 +46,30 @@ jobs:
apt update apt update
apt-get install python-all -y apt-get install python-all -y
- name: Add GPG key for the packages.freedom.press - name: Add packages.freedom.press PGP key (gpg)
if: matrix.version != 'trixie'
run: | run: |
apt-get update && apt-get install -y gnupg2 ca-certificates apt-get update && apt-get install -y gnupg2 ca-certificates
dirmngr # NOTE: This is a command that's necessary only in containers dirmngr # NOTE: This is a command that's necessary only in containers
# The key needs to be in the GPG keybox database format so the
# signing subkey is detected by apt-secure.
gpg --keyserver hkps://keys.openpgp.org \ gpg --keyserver hkps://keys.openpgp.org \
--no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \ --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
--recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
# Export the GPG key in armor mode because sequoia needs it this way
# (sqv is used on debian trixie by default to check the keys)
mkdir -p /etc/apt/keyrings/ mkdir -p /etc/apt/keyrings/
gpg --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \ mv ./fpf-apt-tools-archive-keyring.gpg /etc/apt/keyrings/.
--armor --export "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
> /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
- name: Add packages.freedom.press PGP key (sq)
if: matrix.version == 'trixie'
run: |
apt-get update && apt-get install -y ca-certificates sq
mkdir -p /etc/apt/keyrings/
# On debian trixie, apt-secure uses `sqv` to verify the signatures
# so we need to retrieve PGP keys and store them using the base64 format.
sq network keyserver \
--server hkps://keys.openpgp.org \
search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
--output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
- name: Add packages.freedom.press to our APT sources - name: Add packages.freedom.press to our APT sources
run: | run: |
. /etc/os-release . /etc/os-release

17
INSTALL.md
View file

@ -84,9 +84,20 @@ Dangerzone is available for:
</tr> </tr>
</table> </table>
Add our repository following these instructions: First, retrieve the PGP keys.
Download the GPG key for the repo: Starting with Trixie, follow these instructions to download the PGP keys:
```bash
sudo apt-get update && sudo apt-get install sq -y
mkdir -p /etc/apt/keyrings/
sq network keyserver \
--server hkps://keys.openpgp.org \
search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
--output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
```
On other Debian-derivatives:
```sh ```sh
sudo apt-get update && sudo apt-get install gnupg2 ca-certificates -y sudo apt-get update && sudo apt-get install gnupg2 ca-certificates -y
@ -99,7 +110,7 @@ sudo gpg --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
> /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
``` ```
Add the URL of the repo in your APT sources: Then, on all distributions, add the URL of the repo in your APT sources:
```sh ```sh
. /etc/os-release . /etc/os-release