Don't use gpg in Debian instruction #4610
Conversation
It's not really necessary, since apt can work with the keyring file hosted on cli.github.com.
Hi! Thanks for the pull request. Please ensure that this change is linked to an issue by mentioning an issue number in the description of the pull request. If this pull request would close the issue, please put the word 'Fixes' before the issue number somewhere in the pull request body. If this is a tiny change like fixing a typo, feel free to ignore this message.
mislav
left a comment
Thanks for letting us know!
```bash
curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo gpg --dearmor -o /usr/share/keyrings/githubcli-archive-keyring.gpg
curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
```
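Review bot: `sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg` on the second line prints an `N+0 records in` / `N+0 records out` summary to stderr on every run, which is noise in an install instruction; consider `sudo dd status=none of=/usr/share/keyrings/githubcli-archive-keyring.gpg`. The keyring's mode now comes from root's umask, so the instruction should also say the file must be readable by apt (a `chmod 644` on it if the umask is restrictive).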
I'm not familiar with dd. Is it equally available on Ubuntu and Raspberry Pi OS?
It's part of coreutils, so it should be available on all Debian derivatives. You could probably just use cat, but then the command gets a bit ugly:
curl [...] | sudo sh -c 'cat > /usr/share/keyrings/githubcli-archive-keyring.gpg'
or even tee, like in the line below, but I'm not sure how tee handles binary data, so I went with dd. (Inspired by this post: https://unix.stackexchange.com/a/367709/498490)
Ah, I see now. gpg --dearmor would change the incoming stream if it was encoded as ASCII, but it was a binary key to start with, so gpg doesn't do anything but save the stream to a file. dd of= does the same.
Since curl -o <file> can save to a file, we don't have to pipe to any extra utility. Could you switch to using that?
Interesting. I was under the impression that all those curl <something> | sudo [...] were written in that way so that security-minded administrators could run the networking tool (curl) as a less-privileged user than the file writing operation... But maybe they are just written like that to avoid nested shells (sudo -c "[...] > file"). I don't mind either way, your call!
Ah fair point running network calls without elevated permissions. I hadn't thought of that. Then maybe the dd approach is fine. @vilmibm what's your call?
I'm fine with dd, this makes sense to me. I was cargo coding the gpg invocation.
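The split the thread settles on, the network fetch as the invoking user and only the file write under sudo, as an added example that is not part of this pull request or of the gh project's own instructions. The URL and destination path are the ones in the diff; the `is_binary_keyring` check, the `SUDO` override and the `RUN_MAIN` guard are assumptions of this example:

```sh
#!/bin/sh
# Added example, not the gh project's own installer: download the apt keyring as
# the unprivileged invoking user, sanity-check it, then perform only the file
# write with root privileges. URL and destination are the ones in the PR diff;
# SUDO, RUN_MAIN and is_binary_keyring are assumptions of this example.
set -eu

KEYRING_URL="https://cli.github.com/packages/githubcli-archive-keyring.gpg"
KEYRING_DEST="/usr/share/keyrings/githubcli-archive-keyring.gpg"
# Privilege escalation prefix; set SUDO="" when already root or in tests.
SUDO="${SUDO-sudo}"

# apt's signed-by= expects a binary keyring. A binary OpenPGP packet starts with
# a tag byte whose high bit is set (>= 0x80), whereas an ASCII-armored key
# starts with "-----BEGIN" and an HTML error page with "<". Returns 0 for binary.
is_binary_keyring() {
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    case "$first" in
        8?|9?|a?|b?|c?|d?|e?|f?) return 0 ;;
        *) return 1 ;;
    esac
}

# Network step: runs as the invoking user, no sudo. -f makes curl fail on HTTP
# errors instead of saving an error page; -o writes straight to the temp file.
fetch_keyring() {
    curl -fsSL "$1" -o "$2"
}

# Privileged step: only the copy runs under $SUDO. install(1) sets the mode
# explicitly, so the keyring is readable by apt whatever root's umask is,
# whereas dd of= would create the file with the umask's default mode.
install_keyring() {
    if ! is_binary_keyring "$1"; then
        echo "refusing to install $1: not a binary OpenPGP keyring" >&2
        return 1
    fi
    $SUDO install -m 0644 "$1" "$2"
}

main() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    fetch_keyring "$KEYRING_URL" "$tmp"
    install_keyring "$tmp" "$KEYRING_DEST"
    echo "installed keyring to $KEYRING_DEST"
}

# Only run end-to-end when asked (RUN_MAIN=1), so the functions can be sourced
# and exercised offline without touching the network or /usr/share/keyrings.
if [ "${RUN_MAIN-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_MAIN=1 sh install-gh-keyring.sh`; curl never runs under sudo, and a download that is not a binary keyring (armored text, an error page, an empty file) is rejected before anything is written to the system path.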