Uninstalling deb.torproject.org-keyring doesn't remove the key
I found this bug in the process of forking Tor's repository keyring package for a similar use case by one of the other projects I contribute to.
The prerm hooks in the source for the package don't actually remove the key, so if you uninstall deb.torproject.org-keyring, the signing key will still be trusted by the system, and not removed from /etc/apt/trusted.gpg.
The problem is in debian/prerm, line 8: the 'apt-key del' command does not work with a full fingerprint. It only work using an 8-character key ID (this behavior is totally wack, and I will be reporting it to the maintainers of apt and Debian).
'apt-key del', when provided with a full key fingerprint, still even outputs 'OK', which is also crazy. But if you run 'apt-key list' afterward you'll find that the key is indeed still there.
Until this issue is addressed upstream, you might want the prerm hook for this package to reference the short key ID instead.
https://gitweb.torproject.org/debian/torproject-keyring.git/tree/debian/prerm
Trac:
Username: ageisp0lis