Avoid using apt-key command for Debian

pganalyze · Jul 16, 2024 · 6c59e3d · 6c59e3d
1 parent d753642
commit 6c59e3d
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 21 deletions.
diff --git a/contrib/install.sh b/contrib/install.sh
@@ -162,26 +162,14 @@ metadata_expire=300" | $maybe_sudo tee -a /etc/yum.repos.d/pganalyze_collector.r
   $maybe_sudo yum $yum_opts install pganalyze-collector <$user_input
 elif [ "$pkg" = deb ];
 then
-  # on Debian, gnupg, required for apt-key add, is not installed by default, so install
-  # it before trying to invoke it if necessary
-  if ! dpkg --verify gnupg 2>/dev/null && ! dpkg --verify gnupg1 2>/dev/null && ! dpkg --verify gnupg2 2>/dev/null;
-  then
-    if confirm "The gnupg package is required to verify the collector package signature; install it now?";
-    then
-      $maybe_sudo apt-get $apt_opts update <$user_input
-      $maybe_sudo apt-get $apt_opts install gnupg <$user_input
-    else
-      fail "cannot install without gnupg"
-    fi
-  fi
   if [ "$arch" = 'x86_64' ];
   then
-    apt_source="deb [arch=amd64] https://packages.pganalyze.com/${distribution}/${version}/ stable main"
+    apt_source="deb [arch=amd64 signed-by=/etc/apt/keyrings/pganalyze_signing_key.asc] https://packages.pganalyze.com/${distribution}/${version}/ stable main"
   elif [ "$arch" = 'arm64' ] || [ "$arch" = 'aarch64' ];
   then
-    apt_source="deb [arch=arm64] https://packages.pganalyze.com/${distribution}/${version}/ stable main"
+    apt_source="deb [arch=arm64 signed-by=/etc/apt/keyrings/pganalyze_signing_key.asc] https://packages.pganalyze.com/${distribution}/${version}/ stable main"
   fi
-  curl -s -L https://packages.pganalyze.com/pganalyze_signing_key.asc | $maybe_sudo apt-key add -
+  $maybe_sudo curl -L https://packages.pganalyze.com/pganalyze_signing_key.asc -o /etc/apt/keyrings/pganalyze_signing_key.asc
   echo "$apt_source" | $maybe_sudo tee /etc/apt/sources.list.d/pganalyze_collector.list
   $maybe_sudo apt-get $apt_opts update <$user_input
   $maybe_sudo apt-get $apt_opts install pganalyze-collector <$user_input

diff --git a/packages/repo/sync_deb.sh b/packages/repo/sync_deb.sh
@@ -31,9 +31,9 @@ reprepro --basedir /repo/debian/bookworm includedeb stable /deb/systemd/$DEB_PAC
 reprepro --basedir /repo/debian/bookworm includedeb stable /deb/systemd/$DEB_PACKAGE_ARM64
 
 # Verify signatures
-apt-key add /repo/pganalyze_signing_key.asc
-gpgv --keyring /etc/apt/trusted.gpg /repo/ubuntu/focal/dists/stable/InRelease
-gpgv --keyring /etc/apt/trusted.gpg /repo/ubuntu/jammy/dists/stable/InRelease
-gpgv --keyring /etc/apt/trusted.gpg /repo/ubuntu/noble/dists/stable/InRelease
-gpgv --keyring /etc/apt/trusted.gpg /repo/debian/bullseye/dists/stable/InRelease
-gpgv --keyring /etc/apt/trusted.gpg /repo/debian/bookworm/dists/stable/InRelease
+gpg --dearmor -o /repo/pganalyze_signing_key.gpg /repo/pganalyze_signing_key.asc
+gpgv --keyring /repo/pganalyze_signing_key.gpg /repo/ubuntu/focal/dists/stable/InRelease
+gpgv --keyring /repo/pganalyze_signing_key.gpg /repo/ubuntu/jammy/dists/stable/InRelease
+gpgv --keyring /repo/pganalyze_signing_key.gpg /repo/ubuntu/noble/dists/stable/InRelease
+gpgv --keyring /repo/pganalyze_signing_key.gpg /repo/debian/bullseye/dists/stable/InRelease
+gpgv --keyring /repo/pganalyze_signing_key.gpg /repo/debian/bookworm/dists/stable/InRelease