Merge 72ba556f26 into 83be5fb151

Fix Debian-derivatives installation instructions
The way to handle the trust for a PGP key has changed in recent versions of `apt-secure` and now requires the use of PGP keys in something different than the internal GPG keybox database. When updating the CI checks, I found that there were a difference between them and the instructions that were provided in the INSTALL.md file, which was using the armored version. The instructions now require the unarmored keys, stored in a `.gpg` file, and installation of these keys differ depending on the system, using `sq` on newer distributions.
2025-05-02 19:51:49 +02:00 · 2025-04-16 10:46:22 +00:00 · 2025-04-16 12:46:15 +02:00
3 changed files with 16 additions and 37 deletions
--- a/.github/workflows/check_repos.yml
+++ b/.github/workflows/check_repos.yml
@ -48,7 +48,7 @@ jobs:
          mv ./fpf-apt-tools-archive-keyring.gpg /etc/apt/keyrings/.

      - name: Add packages.freedom.press PGP key (sq)
-        if: matrix.version == 'trixie'
+        if: matrix.version == 'trixie' || matrix.version == '25.04'
        run: |
          apt-get update && apt-get install -y ca-certificates sq
          mkdir -p /etc/apt/keyrings/
@ -57,20 +57,9 @@ jobs:
          sq network keyserver \
             --server hkps://keys.openpgp.org \
             search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-             --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
-      - name: Add packages.freedom.press PGP key (gpg --export)
-        if: matrix.version == '25.04'
-        run: |
-          apt-get update && apt-get install -y gnupg2 ca-certificates
-          dirmngr
-          # Newer versions of apt-secure need an unarmored PGP key as mentionned by
-          # https://manpages.ubuntu.com/manpages/plucky/man8/apt-secure.8.html
-          gpg --keyserver hkps://keys.openpgp.org \
-              --no-default-keyring
-              --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
-          mkdir -p /etc/apt/keyrings/
-          gpg --export-options export-minimal --export \
-              > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+             --output - \
+          | sq packet dearmor \
+          > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg

      - name: Add packages.freedom.press to our APT sources
        run: |
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,6 +7,10 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or

 ## [Unreleased](https://github.com/freedomofpress/dangerzone/compare/v0.9.0...HEAD)

+## Changed
+
+- Update installation instructions (and CI checks) for Debian derivatives ([#1141](https://github.com/freedomofpress/dangerzone/pull/1141))
+
 ## [0.9.0](https://github.com/freedomofpress/dangerzone/compare/v0.9.0...0.8.1)

 ### Added
--- a/INSTALL.md
+++ b/INSTALL.md
@ -113,7 +113,8 @@ Dangerzone is available for:
 First, retrieve the PGP keys. The instructions differ depending on the specific
 distribution you are using:

-For Debian Trixie, follow these instructions to download the PGP keys:
+For Debian Trixie and Ubuntu Plucky (25.04), follow these instructions to
+download the PGP keys:

 ```bash
 sudo apt-get update && sudo apt-get install sq -y
@ -121,34 +122,19 @@ mkdir -p /etc/apt/keyrings/
 sq network keyserver \
   --server hkps://keys.openpgp.org \
   search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-   --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
-```
-
-For Ubuntu Plucky (25.04), follow these instructions:
-
-```bash
-apt-get update && apt-get install -y gnupg2 ca-certificates
-mkdir -p /etc/apt/keyrings/
-dirmngr
-gpg --keyserver hkps://keys.openpgp.org \
-    --no-default-keyring
-    --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
-gpg --export-options export-minimal --export \
-    > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
-  
+   --output - \
+| sq packet dearmor \
+> /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
 ```

 On other Debian-derivatives:

 ```sh
 sudo apt-get update && sudo apt-get install gnupg2 ca-certificates -y
-gpg --keyserver hkps://keys.openpgp.org \
-    --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
+mkdir -p /etc/apt/keyrings/
+sudo gpg --keyserver hkps://keys.openpgp.org \
+    --no-default-keyring --keyring /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg \
    --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
-sudo mkdir -p /etc/apt/keyrings/
-sudo gpg --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
-    --armor --export "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-    > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
 ```

 Then, on all distributions, add the URL of the repo in your APT sources: