Merge 8061fd4597 into 83be5fb151

Specifically, the way to handle the trust for a PGP key has changed in
recent versions of `apt-secure`. It now requires the use of PGP keys in
something different than the internal GPG keybox database.

.github/workflows/check_repos.yml

@@ -48,7 +48,7 @@ jobs:
           mv ./fpf-apt-tools-archive-keyring.gpg /etc/apt/keyrings/.
 
       - name: Add packages.freedom.press PGP key (sq)
-        if: matrix.version == 'trixie' || matrix.version == '25.04'
+        if: matrix.version == 'trixie'
         run: |
           apt-get update && apt-get install -y ca-certificates sq
           mkdir -p /etc/apt/keyrings/
@@ -57,9 +57,20 @@ jobs:
           sq network keyserver \
              --server hkps://keys.openpgp.org \
              search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-             --output - \
-          | sq packet dearmor \
-          > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+             --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+      - name: Add packages.freedom.press PGP key (gpg --export)
+        if: matrix.version == '25.04'
+        run: |
+          apt-get update && apt-get install -y gnupg2 ca-certificates
+          dirmngr
+          # Newer versions of apt-secure need an unarmored PGP key as mentionned by
+          # https://manpages.ubuntu.com/manpages/plucky/man8/apt-secure.8.html
+          gpg --keyserver hkps://keys.openpgp.org \
+              --no-default-keyring
+              --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
+          mkdir -p /etc/apt/keyrings/
+          gpg --export-options export-minimal --export \
+              > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
 
       - name: Add packages.freedom.press to our APT sources
         run: |

CHANGELOG.md

@@ -7,10 +7,6 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
 
 ## [Unreleased](https://github.com/freedomofpress/dangerzone/compare/v0.9.0...HEAD)
 
-## Changed
-
-- Update installation instructions (and CI checks) for Debian derivatives ([#1141](https://github.com/freedomofpress/dangerzone/pull/1141))
-
 ## [0.9.0](https://github.com/freedomofpress/dangerzone/compare/v0.9.0...0.8.1)
 
 ### Added

INSTALL.md

@@ -113,8 +113,7 @@ Dangerzone is available for:
 First, retrieve the PGP keys. The instructions differ depending on the specific
 distribution you are using:
 
-For Debian Trixie and Ubuntu Plucky (25.04), follow these instructions to
-download the PGP keys:
+For Debian Trixie, follow these instructions to download the PGP keys:
 
 ```bash
 sudo apt-get update && sudo apt-get install sq -y
@@ -122,19 +121,34 @@ mkdir -p /etc/apt/keyrings/
 sq network keyserver \
    --server hkps://keys.openpgp.org \
    search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-   --output - \
-| sq packet dearmor \
-> /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+   --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+```
+
+For Ubuntu Plucky (25.04), follow these instructions:
+
+```bash
+apt-get update && apt-get install -y gnupg2 ca-certificates
+mkdir -p /etc/apt/keyrings/
+dirmngr
+gpg --keyserver hkps://keys.openpgp.org \
+    --no-default-keyring
+    --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
+gpg --export-options export-minimal --export \
+    > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+  
 ```
 
 On other Debian-derivatives:
 
 ```sh
 sudo apt-get update && sudo apt-get install gnupg2 ca-certificates -y
-mkdir -p /etc/apt/keyrings/
-sudo gpg --keyserver hkps://keys.openpgp.org \
-    --no-default-keyring --keyring /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg \
+gpg --keyserver hkps://keys.openpgp.org \
+    --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
     --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
+sudo mkdir -p /etc/apt/keyrings/
+sudo gpg --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
+    --armor --export "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
+    > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
 ```
 
 Then, on all distributions, add the URL of the repo in your APT sources: