[linux-snap][bionic][PATCH] trusted.gpg.d directly supports .asc keys without gnupg/agent/etc.

Dimitri John Ledkov xnox at ubuntu.com
Thu Aug 1 03:01:22 UTC 2019

As per apt-key manpage one can ship armored keys with .asc extension
since apt 1.4 (bionic and up). For prior releases, gpg1 exported
binary .gpg keys are supported. No need to install gnupg, run
gnupg-agent, or execute apt-key.

Signed-off-by: Dimitri John Ledkov <xnox at ubuntu.com>
 Sample build with this change in place is shown at:

 Makefile | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/Makefile b/Makefile
index b2c5ea5..00d3b25 100644
--- a/Makefile
+++ b/Makefile
@@ -93,14 +93,7 @@ all:
 	# Enable ppa:snappy-dev/image inside of the chroot and add the PPA's
 	# public signing key to apt:
-	# - gnugpg is required by apt-key
-	# - gnugpg 2.x requires gpg-agent to be running
-	# - procfs must be bind-mounted for gpg-agent
-	# - running apt-key as a child process of gpg-agent --daemon stops the
-	#   agent shortly after apt-key executes
-	$(ENV) chroot chroot apt-get -y install gnupg
-	mkdir --mode=0600 chroot/tmp/gnupg-home
-	cat snappy-dev-image.asc | $(ENV) chroot chroot gpg-agent --homedir /tmp/gnupg-home --daemon apt-key add -
+	cp snappy-dev-image.asc chroot/etc/apt/trusted.gpg.d/
 	# Copy in the sources.list just before modifying it (on build envs this already
 	# seems to be present, otherwise those would not fail).
 	cp /etc/apt/sources.list chroot/etc/apt/sources.list
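Review bot: the added `cp snappy-dev-image.asc chroot/etc/apt/trusted.gpg.d/` line leaves the key's permissions to the source file's mode and the build umask, and apt ignores a keyring in trusted.gpg.d that its unprivileged verification user cannot read. Setting the mode explicitly would make this independent of the build environment, for example `install -m 0644 snappy-dev-image.asc chroot/etc/apt/trusted.gpg.d/`. The removed comment block explained why the old steps were needed; a one-line comment above the new command saying that armored .asc keys require apt 1.4 or later (per the commit message) would keep that constraint visible if this Makefile is ever built against an older series.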
