Signal-desktop: Linux install instructions use deprecated `apt-key`

Created on 9 Jan 2021  路  9Comments  路  Source: signalapp/Signal-Desktop
  • [X] I have searched open and closed issues for duplicates

Bug Description


The Linux install instructions on https://signal.org/en/download use apt-key to add the gpg key to the list of trusted keys. This step prints Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

Relevant sections of the man page (man apt-key):

apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.

Note: Instead of using this command a keyring should be placed directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive name and either "gpg" or "asc" as file extension.

Steps to Reproduce


Quote from Linux install instructions on https://signal.org/en/download:

# 1. Install our official public software signing key
wget -O- https://updates.signal.org/desktop/apt/keys.asc |\
  sudo apt-key add -

Actual Result:


Works as expected, but writes the aforementioned warning to stderr.

Expected Result:


No warning

Platform Info

Signal Version:


None (issue is independent from Signal version and appears before installing Signal Desktop)

Operating System:


Ubuntu 21.04 Hirsute Hippo (Development Branch)

Bug
Source
picture NMertsch
👍4

Most helpful comment

@EvanHahn-Signal instead of:

wget -O- https://updates.signal.org/desktop/apt/keys.asc |\
  sudo apt-key add -
echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" |  sudo tee -a /etc/apt/sources.list.d/signal-xenial.list

It should be:

wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > updates.signal.gpg
sudo install -o root -g root -m 644 updates.signal.gpg /etc/apt/trusted.gpg.d/
echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" |  sudo tee -a /etc/apt/sources.list.d/signal-xenial.list

I tested and it works. You can also check, for example, vscode has almost identical instructions:
https://code.visualstudio.com/docs/setup/linux

picture staticdev on 12 Jan 2021
👍4 👎1

All 9 comments

just some added context, this is also true in Ubuntu 20.10 (Groovy Gorilla), so it's not only affecting people running a dev branch of Ubuntu. All other info in the original bug report is exactly the same on 20.10.

jordanorelli picture jordanorelli on 9 Jan 2021

@scottnonnenberg-signal I tried to make a PR to update the instructions but in is not on this repo. Can you update the website?

staticdev picture staticdev on 10 Jan 2021

@staticdev I can give it a shot. What are the new instructions? (I haven't had time to investigate this.)

EvanHahn-Signal picture EvanHahn-Signal on 11 Jan 2021

@EvanHahn-Signal instead of:

wget -O- https://updates.signal.org/desktop/apt/keys.asc |\
  sudo apt-key add -
echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" |  sudo tee -a /etc/apt/sources.list.d/signal-xenial.list

It should be:

wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > updates.signal.gpg
sudo install -o root -g root -m 644 updates.signal.gpg /etc/apt/trusted.gpg.d/
echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" |  sudo tee -a /etc/apt/sources.list.d/signal-xenial.list

I tested and it works. You can also check, for example, vscode has almost identical instructions:
https://code.visualstudio.com/docs/setup/linux

staticdev picture staticdev on 12 Jan 2021
👍4 👎1

i tried installing on ubuntu 20.10 and it hasn't been able to get gpg valid key.
With the above fixed 3-line commands it is smooth and working. Thanks @staticdev !

mareknovotny picture mareknovotny on 13 Jan 2021

Thanks for reporting. We'll address this in our installation instructions.

EvanHahn-Signal picture EvanHahn-Signal on 13 Jan 2021

The above "fix" is a mere workaround and lets intact the deprecative aspect of apt-key. DO NOT USE!

UPDATE2: Logix (linuxuprising.com) responded to my suggestion to write clearly on this issue:
https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html
UPDATE1: read my post
https://zebnemeth.wordpress.com/2021/01/15/install-signal-desktop-using-gpg/

This message is also important for @EvanHahn-Signal
@staticdev I checked your commands agains Askeli's description of how and why to go about not using apt-key anymore: https://askubuntu.com/a/1307181/1149075
and it does NOT check out! You install something into the etc/apt/trusted.gpg.d/ where it does not belong!

https://wiki.debian.org/DebianRepository/UseThirdParty

ZebNemeth picture ZebNemeth on 15 Jan 2021

Thanks for reporting. We'll address this in our installation instructions.

@EvanHahn-Signal , you can read this excellent article to help consider how to future-proof Signal's installation security: https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html

ZebNemeth picture ZebNemeth on 21 Jan 2021

This has been updated on signal.org/download. Thanks for the report!

EvanHahn-Signal picture EvanHahn-Signal on 4 Mar 2021
Was this page helpful?
0 / 5 - 0 ratings

Related issues

gesus14 picture gesus14  路  3Comments
jeremymasters picture jeremymasters  路  3Comments
muellermartin picture muellermartin  路  3Comments
mawed picture mawed  路  3Comments
lokesh-krishna picture lokesh-krishna  路  3Comments