Debian repository: always use deb.torproject.org-keyring.gpg (!220) · Merge requests · The Tor Project / Web / support

Silvio Rhatto requested to merge rhatto/support:fix/tor-deb-repo into main Jul 17, 2024

Changes the Tor Debian package repository instructions to always use /usr/share/keyrings/deb.torproject.org-keyring.gpg.

This avoids the issue where a system has both old and new repository keys, like a manually installed key at /usr/share/keyrings/tor-archive-keyring.gpg and package-managed key at /usr/share/keyrings/deb.torproject.org-keyring.gpg:

$ dpkg -L deb.torproject.org-keyring
[...]
/usr/share/keyrings/deb.torproject.org-keyring.gpg

Using the same file path ensures that:

The manual procedure of getting the repository keys is used just once, for bootstrapping the deb.torproject.org-keyring package.
Further system upgrades takes care of updating Tor's keyring whenever a new version is available.

Example issue: https://lists.torproject.org/pipermail/tor-relays/2024-July/021739.html

Debian repository: always use deb.torproject.org-keyring.gpg

Merge request reports