From 72ba556f260bb4ec6aac82b788ae2e4c7b6b4472 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexis=20M=C3=A9taireau?= Date: Tue, 15 Apr 2025 15:57:13 +0200 Subject: [PATCH 1/4] Fix Debian-derivatives installation instructions The way to handle the trust for a PGP key has changed in recent versions of `apt-secure` and now requires the use of PGP keys in something different than the internal GPG keybox database. When updating the CI checks, I found that there were a difference between them and the instructions that were provided in the INSTALL.md file, which was using the armored version. The instructions now require the unarmored keys, stored in a `.gpg` file, and installation of these keys differ depending on the system, using `sq` on newer distributions. --- .github/workflows/check_repos.yml | 11 +++++++---- CHANGELOG.md | 4 ++++ INSTALL.md | 19 ++++++++++--------- 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/.github/workflows/check_repos.yml b/.github/workflows/check_repos.yml index c686f9b..4200ba5 100644 --- a/.github/workflows/check_repos.yml +++ b/.github/workflows/check_repos.yml @@ -34,8 +34,8 @@ jobs: - distro: debian version: "11" # bullseye steps: - - name: Add packages.freedom.press PGP key (gpg) - if: matrix.version != 'trixie' + - name: Add packages.freedom.press PGP key (gpg --keyring) + if: matrix.version != 'trixie' && matrix.version != "25.04" run: | apt-get update && apt-get install -y gnupg2 ca-certificates dirmngr # NOTE: This is a command that's necessary only in containers @@ -48,7 +48,7 @@ jobs: mv ./fpf-apt-tools-archive-keyring.gpg /etc/apt/keyrings/. - name: Add packages.freedom.press PGP key (sq) - if: matrix.version == 'trixie' + if: matrix.version == 'trixie' || matrix.version == '25.04' run: | apt-get update && apt-get install -y ca-certificates sq mkdir -p /etc/apt/keyrings/ 
@@ -57,7 +57,10 @@ jobs: sq network keyserver \ --server hkps://keys.openpgp.org \ search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \ - --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg + --output - \ + | sq packet dearmor \ + > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg + - name: Add packages.freedom.press to our APT sources run: | . /etc/os-release diff --git a/CHANGELOG.md b/CHANGELOG.md index b49ed70..6b5c028 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or ## [Unreleased](https://github.com/freedomofpress/dangerzone/compare/v0.9.0...HEAD) +## Changed + +- Update installation instructions (and CI checks) for Debian derivatives ([#1141](https://github.com/freedomofpress/dangerzone/pull/1141)) + ## [0.9.0](https://github.com/freedomofpress/dangerzone/compare/v0.9.0...0.8.1) ### Added diff --git a/INSTALL.md b/INSTALL.md index 5212d5d..84fb1ca 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -110,9 +110,11 @@ Dangerzone is available for: -First, retrieve the PGP keys. +First, retrieve the PGP keys. The instructions differ depending on the specific +distribution you are using: -Starting with Trixie, follow these instructions to download the PGP keys: +For Debian Trixie and Ubuntu Plucky (25.04), follow these instructions to +download the PGP keys: ```bash sudo apt-get update && sudo apt-get install sq -y 
@@ -120,20 +122,19 @@ mkdir -p /etc/apt/keyrings/ sq network keyserver \ --server hkps://keys.openpgp.org \ search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \ - --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg + --output - \ +| sq packet dearmor \ +> /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg ``` On other Debian-derivatives: ```sh sudo apt-get update && sudo apt-get install gnupg2 ca-certificates -y -gpg --keyserver hkps://keys.openpgp.org \ - --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \ +mkdir -p /etc/apt/keyrings/ +sudo gpg --keyserver hkps://keys.openpgp.org \ + --no-default-keyring --keyring /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg \ --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" -sudo mkdir -p /etc/apt/keyrings/ -sudo gpg --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \ - --armor --export "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \ - > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg ``` Then, on all distributions, add the URL of the repo in your APT sources: From 724f4d3598a4e5fc6412806046f4e3971720e707 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexis=20M=C3=A9taireau?= Date: Wed, 23 Apr 2025 14:50:16 +0200 Subject: [PATCH 2/4] FIXUP: store the gpg file locally before moving it with sudo --- INSTALL.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index 84fb1ca..e4f74dd 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -122,9 +122,8 @@ mkdir -p /etc/apt/keyrings/ sq network keyserver \ --server hkps://keys.openpgp.org \ search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \ - --output - \ -| sq packet dearmor \ -> /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg + --output - | sq packet dearmor fpfdz.gpg +sudo mv fpfdz.gpg /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg ``` On other Debian-derivatives: From 15dce9b621dcbdb02e2cd4fd75664fc30975586c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?= Date: Thu, 24 Apr 2025 17:11:21 +0200 Subject: [PATCH 3/4] FIXUP: Add sudo where needed --- INSTALL.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index e4f74dd..5e7797b 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -118,11 +118,11 @@ download the PGP keys: ```bash sudo apt-get update && sudo apt-get install sq -y -mkdir -p /etc/apt/keyrings/ sq network keyserver \ --server hkps://keys.openpgp.org \ search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \ --output - | sq packet dearmor fpfdz.gpg +sudo mkdir -p /etc/apt/keyrings/ sudo mv fpfdz.gpg /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg ``` @@ -130,7 +130,7 @@ On other Debian-derivatives: ```sh sudo apt-get update && sudo apt-get install gnupg2 ca-certificates -y -mkdir -p /etc/apt/keyrings/ +sudo mkdir -p /etc/apt/keyrings/ sudo gpg --keyserver hkps://keys.openpgp.org \ --no-default-keyring --keyring /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg \ --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" From b1fd9547e73ee9e1b00abfa4e370b6587f46aa91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexis=20M=C3=A9taireau?= Date: Thu, 24 Apr 2025 17:21:33 +0200 Subject: [PATCH 4/4] FIXUP: Add ca-certificates dependency for trixie/plucky --- INSTALL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/INSTALL.md b/INSTALL.md index 5e7797b..1a9dc22 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -117,7 +117,7 @@ For Debian Trixie and Ubuntu Plucky (25.04), follow these instructions to download the PGP keys: ```bash -sudo apt-get update && sudo apt-get install sq -y +sudo apt-get update && sudo apt-get install sq ca-certificates -y sq network keyserver \ --server hkps://keys.openpgp.org \ search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
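Review bot: in [PATCH 1/4], `.github/workflows/check_repos.yml`, first hunk (`@@ -34,8 +34,8`), the new condition `matrix.version != 'trixie' && matrix.version != "25.04"` uses double quotes around `25.04`. GitHub Actions expressions only accept single-quoted string literals, and the matching condition on the `sq` step in the same hunk already uses `'25.04'`. Change it to `matrix.version != '25.04'` so the two steps stay exact complements of each other.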
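Review bot: in [PATCH 1/4], `.github/workflows/check_repos.yml`, second hunk (`@@ -57,7 +57,10`), a failed keyserver lookup can go unnoticed in the new `sq network keyserver ... --output - | sq packet dearmor > ...` pipeline. A pipeline's exit status is that of its last command unless `pipefail` is set, and the redirect creates the keyring file even when nothing was fetched. Consider adding `set -o pipefail` at the top of the `run:` block, or a `test -s /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg` after it, so the step fails at the point where the key is missing rather than later in `apt-get update`. The extra blank `+` line added after the redirect can be dropped.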
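Review bot: in [PATCH 1/4], `CHANGELOG.md`, the added heading `## Changed` is at the same level as the release headings (`## [Unreleased]`, `## [0.9.0]`), while the existing subsection visible in the context is `### Added`. Use `### Changed` so the entry nests under `[Unreleased]` instead of starting a new top-level section.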
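Review bot: in [PATCH 1/4], `INSTALL.md`, first hunk (`@@ -110,9 +110,11`), replacing "Starting with Trixie" with "For Debian Trixie and Ubuntu Plucky (25.04)" pins the `sq` instructions to two releases, so readers on any later release fall through to "On other Debian-derivatives" and the gpg path. If the `sq` route is meant for these releases and everything newer, say so in the text (for example "Debian Trixie or later, Ubuntu 25.04 or later"). The same applies to the `if:` conditions in `check_repos.yml`, which enumerate the versions explicitly.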
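Review bot: in [PATCH 1/4], `INSTALL.md`, second hunk (`@@ -120,20 +122,19`), the gpg branch still does not match the CI step it is being aligned with. The CI context shows the keyring being created in the working directory and then moved (`mv ./fpf-apt-tools-archive-keyring.gpg /etc/apt/keyrings/.`), whereas the instructions now run `sudo gpg ... --keyring /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg --recv-keys` directly as root, and the `--export` step is removed entirely. The installed file is then whatever gpg creates for a new `--keyring`, and the commit message states that apt needs something other than GPG's keybox database, so please confirm that this file is in a format apt reads on the older distributions, or reuse the exact CI commands here. Separately, the `mkdir -p /etc/apt/keyrings/` lines and the `> /etc/apt/keyrings/...` redirect in the `sq` block run without root in this commit; that is only corrected in the later FIXUP commits, which should be squashed into this one before merging.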
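Review bot: in [PATCH 2/4], `INSTALL.md`, the rewritten line `--output - | sq packet dearmor fpfdz.gpg` drops the `>` that the removed lines had, so `fpfdz.gpg` is now passed to `sq packet dearmor` as a positional argument instead of receiving its output. The CI step from patch 1/4 still uses the redirect form (`| sq packet dearmor \` followed by `> ...`). Restore the redirect, `| sq packet dearmor > fpfdz.gpg`, so the documented command is the one CI actually exercises. Otherwise the following `sudo mv fpfdz.gpg ...` has no dearmored file to move.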
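Review bot: in [PATCH 3/4], `INSTALL.md`, first hunk (`@@ -118,11 +118,11`), the keyring installed by `sudo mv fpfdz.gpg /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg` keeps the ownership and mode it had when the unprivileged user created it, so a file that apt trusts for signature verification stays writable by that user without sudo. Install it with explicit ownership and permissions instead, for example `sudo install -o root -g root -m 0644 fpfdz.gpg /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg`, and remove the temporary `fpfdz.gpg` afterwards. The gpg branch in the second hunk takes the opposite approach and fetches the key as root with `sudo gpg --keyserver ...`. It would be cleaner for both branches to download unprivileged and only elevate for the final install.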