{{Header}}
{{title|
title=APT Signing Key Folders and Other Development Notes
}}
{{#seo:
|description=/etc/apt/trusted.gpg, /etc/apt/trusted.gpg.d, /usr/share/keyrings
}}
{{intro|
/etc/apt/trusted.gpg, /etc/apt/trusted.gpg.d, /usr/share/keyrings
}}
= APT Keyring Folders =
APT by default considers only signing keys in:

* file /etc/apt/trusted.gpg
* folder /etc/apt/trusted.gpg.d

Signing keys in folder /usr/share/keyrings are ignored by default by APT, unless the signed-by keyword is used in APT sources files (i.e. in configuration file /etc/apt/sources.list or in configuration snippet drop-in folder /etc/apt/sources.list.d).

Example signed-by keyword use in one-line-style sources:
[signed-by=/usr/share/keyrings/derivative.asc]
Example Signed-By keyword use in deb822-style sources:
Signed-By: /usr/share/keyrings/derivative.asc
Example of a complete one-line-style deb sources line with the signed-by keyword:
deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com trixie main contrib non-free
Example of a complete deb822-style deb sources stanza with the signed-by keyword:
Types: deb
URIs: https://deb.kicksecure.com
Suites: trixie
Components: main contrib non-free
Enabled: yes
Signed-By: /usr/share/keyrings/derivative.asc
= Repository Migration =
== Which project and which version comes with which repositories enabled by default? ==
* Kicksecure builds earlier than version 16.0.5.0 come with: deb.whonix.org
* Kicksecure builds version 16.0.5.0 come with: deb.kicksecure.com
* Whonix builds earlier than version 16.0.5.0 come with: deb.whonix.org
* Whonix builds version 16.0.5.0 come with: deb.kicksecure.com + deb.whonix.org

== Which repositories contain what packages? ==
* Legacy:
** 16 and below: Mixing. Legacy. For migration purposes. Both deb.kicksecure.com and deb.whonix.org contain all packages, i.e. contain both all Kicksecure and all Whonix packages.
* Future:
** 17 and above: Clean separation. deb.kicksecure.com will contain only Kicksecure packages and no packages of other derivatives.
*** To accomplish that, in {{Github_link|repo=developer-meta-files|path=/blob/master/usr/bin/dm-reprepro-wrapper#L50}} the only thing to be removed is for derivative_name_item in $derivative_name_list ; do (and done).

== changed its 'Origin' value from 'whonix' to 'kicksecure' ==
{{Github_link|repo=derivative-maker|path=/blob/master/aptrepo_remote/kicksecure/conf/distributions}} is still using old Origin and Label values. This is to avoid the following error during sudo apt update.
E: Repository 'tor+https://deb.kicksecure.com bullseye InRelease' changed its 'Origin' value from 'whonix' to 'kicksecure'
E: Repository 'tor+https://deb.kicksecure.com bullseye InRelease' changed its 'Label' value from 'Whonix' to 'Kicksecure'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.
* This avoids users' updates getting more complicated by seeing the above error message and needing to use sudo apt update --allow-releaseinfo-change to resolve it.
* Origin and Label need to be changed in {{project_name_long}} 17 (actually 18) in the above file once the Kicksecure repository for Debian bookworm becomes available. This will be done during [[Release Upgrade]].

== Why does Kicksecure use Origin whonix? ==
* version 16 and below: For legacy compatibility.
** Technical detail: For a long time, for most users deb.kicksecure.com was a mirror of deb.whonix.org. Hence Origin whonix was used. To keep the amount of user confusion as low as possible and minimize the number of affected users, it was decided to keep it that way until the release upgrade for version 16 (Debian bullseye based) became available. Unfortunately, those users who upgraded fastest saw the Origin/Label change.
* version 17 and above: No more legacy. Kicksecure will use Origin kicksecure.

== Background on Debian APT Origin and Label ==
When Debian's APT sees a repository for the first time, it notes its Origin and Label fields. Should these change, APT will show a warning and will not use any repository with a changed Origin or Label until the user accepts the change using sudo apt update --allow-releaseinfo-change.

== deb822-style sources files ==
The older one-line-style sources format has been deprecated and may be removed in the future. The sources.list(5) manpage (https://web.archive.org/web/20251029071653/https://manpages.debian.org/unstable/apt/sources.list.5.en.html) states under the section "ONE-LINE-STYLE FORMAT": "This format is deprecated and may eventually be removed, but not before 2029."

Starting in Kicksecure 18, the deb822-style format is used. Numerous upstream projects have not yet migrated to the new format, sometimes necessitating forking projects and attempting to contribute the feature upstream later.

Some upstream PRs and issues related to this:

* https://github.com/grml/grml-debootstrap/issues/203
* https://github.com/grml/grml-debootstrap/pull/351
* https://salsa.debian.org/live-team/live-build/-/merge_requests/436
* https://lists.debian.org/debian-devel/2025/09/msg00037.html
** https://lists.debian.org/debian-devel/2025/09/msg00044.html Quote: "Please use a .pgp extension instead of .gpg (which is now just a backwards compatibility symlink that will eventually go away)."
* https://github.com/QubesOS/qubes-issues/issues/10494

== Forum Discussion ==
https://forums.whonix.org/t/e-repository-tor-https-deb-kicksecure-com-bullseye-inrelease-changed-its-origin-value-from-kicksecure-to-whonix/13810

= See Also =
* [[Dev/APT Pinning]]
* [[Dev/APT Repository]]
* [https://forums.whonix.org/t/apt-repository-signing-keys-per-apt-sources-list-signed-by/12302 signed-by keyword forum discussion]

{{reflist|close=1}}
{{Footer}}
[[Category:Design]] [[Category:Development]]