Merge 72ba556f26 into 83be5fb151

The way to handle the trust for a PGP key has changed in recent versions
of `apt-secure` and now requires the use of PGP keys in something
different than the internal GPG keybox database.

When updating the CI checks, I found that there were a difference between
them and the instructions that were provided in the INSTALL.md file, which
was using the armored version.

The instructions now require the unarmored keys, stored in a `.gpg`
file, and installation of these keys differ depending on the system,
using `sq` on newer distributions.

.github/workflows/check_repos.yml

@@ -34,8 +34,8 @@ jobs:
           - distro: debian
             version: "11"  # bullseye
     steps:
-      - name: Add packages.freedom.press PGP key (gpg)
-        if: matrix.version != 'trixie'
+      - name: Add packages.freedom.press PGP key (gpg --keyring)
+        if: matrix.version != 'trixie' && matrix.version != "25.04"
         run: |
           apt-get update && apt-get install -y gnupg2 ca-certificates
           dirmngr  # NOTE: This is a command that's necessary only in containers
@@ -48,7 +48,7 @@ jobs:
           mv ./fpf-apt-tools-archive-keyring.gpg /etc/apt/keyrings/.
 
       - name: Add packages.freedom.press PGP key (sq)
-        if: matrix.version == 'trixie'
+        if: matrix.version == 'trixie' || matrix.version == '25.04'
         run: |
           apt-get update && apt-get install -y ca-certificates sq
           mkdir -p /etc/apt/keyrings/
@@ -57,7 +57,10 @@ jobs:
           sq network keyserver \
              --server hkps://keys.openpgp.org \
              search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-             --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+             --output - \
+          | sq packet dearmor \
+          > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+
       - name: Add packages.freedom.press to our APT sources
         run: |
           . /etc/os-release

CHANGELOG.md

@@ -7,6 +7,10 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
 
 ## [Unreleased](https://github.com/freedomofpress/dangerzone/compare/v0.9.0...HEAD)
 
+## Changed
+
+- Update installation instructions (and CI checks) for Debian derivatives ([#1141](https://github.com/freedomofpress/dangerzone/pull/1141))
+
 ## [0.9.0](https://github.com/freedomofpress/dangerzone/compare/v0.9.0...0.8.1)
 
 ### Added

INSTALL.md

@@ -110,9 +110,11 @@ Dangerzone is available for:
   </tr>
 </table>
 
-First, retrieve the PGP keys.
+First, retrieve the PGP keys. The instructions differ depending on the specific
+distribution you are using:
 
-Starting with Trixie, follow these instructions to download the PGP keys:
+For Debian Trixie and Ubuntu Plucky (25.04), follow these instructions to
+download the PGP keys:
 
 ```bash
 sudo apt-get update && sudo apt-get install sq -y
@@ -120,20 +122,19 @@ mkdir -p /etc/apt/keyrings/
 sq network keyserver \
    --server hkps://keys.openpgp.org \
    search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-   --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+   --output - \
+| sq packet dearmor \
+> /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
 ```
 
 On other Debian-derivatives:
 
 ```sh
 sudo apt-get update && sudo apt-get install gnupg2 ca-certificates -y
-gpg --keyserver hkps://keys.openpgp.org \
-    --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
+mkdir -p /etc/apt/keyrings/
+sudo gpg --keyserver hkps://keys.openpgp.org \
+    --no-default-keyring --keyring /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg \
     --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
-sudo mkdir -p /etc/apt/keyrings/
-sudo gpg --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
-    --armor --export "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-    > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
 ```
 
 Then, on all distributions, add the URL of the repo in your APT sources: