[GH-ISSUE #1488] Wrong path for gpg-key at Debian repository #1050

Closed
opened 2026-05-07 00:29:51 +02:00 by BreizhHardware · 1 comment

Originally created by @fredl99 on GitHub (Nov 17, 2025).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1488

Not critical, but...
The path for the key should be `/usr/share/keyrings/` instead of `/etc/apt/keyrings/`

https://archive.ntfy.sh/apt/


@binwiederhier commented on GitHub (Nov 17, 2025):

Stuff in /usr/share and /usr/lib is typically only for package-shipped configs, not manually changed configs. So I don't think the keyrings belong there.

Examples:

- https://docs.docker.com/engine/install/ubuntu/
- https://github.com/cli/cli/blob/trunk/docs/install_linux.md#debian

From `man sources.list`:

> The recommended locations for keyrings are /usr/share/keyrings for keyrings managed by packages, and /etc/apt/keyrings for keyrings managed by the system operator.

```
       •   Signed-By (signed-by) is an option to require a repository to pass apt-secure(8) verification with a certain set of keys rather than all trusted keys apt has
           configured. It is specified as a list of absolute paths to keyring files (have to be accessible and readable for the _apt system user, so ensure everyone has
           read-permissions on the file) and fingerprints of keys to select from these keyrings. The recommended locations for keyrings are /usr/share/keyrings for keyrings
           managed by packages, and /etc/apt/keyrings for keyrings managed by the system operator. If no keyring files are specified the default is the trusted.gpg keyring and all
           keyrings in the trusted.gpg.d/ directory (see apt-key fingerprint). If no fingerprint is specified all keys in the keyrings are selected. A fingerprint will accept also
           all signatures by a subkey of this key, if this isn't desired an exclamation mark (!) can be appended to the fingerprint to disable this behaviour. The option defaults
           to the value of the option with the same name if set in the previously acquired Release file of this repository (only fingerprints can be specified there through).
           Otherwise all keys in the trusted keyrings are considered valid signers for this repository. The option may also be set directly to an embedded GPG public key block.
           Special care is needed to encode the empty line with leading spaces and ".":
```
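The `Signed-By` rules quoted from `man sources.list` above can be checked mechanically. The following is an added example, not part of the original issue or the ntfy project: a Python audit that parses one-line and deb822 source entries and reports entries with no `Signed-By`, keyring paths outside the two recommended directories, and keyrings that are missing or not world-readable. Apart from https://archive.ntfy.sh/apt, the repository URLs, keyring paths and file modes are constructed sample values, and the function names are hypothetical.

```python
import re
import stat

# Recommended keyring directories, per the sources.list(5) text quoted above.
RECOMMENDED = ("/usr/share/keyrings/", "/etc/apt/keyrings/")
ONE_LINE = re.compile(r"^\s*deb(?:-src)?\s+(?:\[([^\]]*)\]\s+)?(\S+)")
FIELD = re.compile(r"^([A-Za-z-]+):((?:.*)(?:\n[ \t].*)*)", re.M)

def parse_entries(text):
    """Return [(uri, signed_by_value)] for one-line and deb822 entries."""
    entries = []
    for line in text.splitlines():
        if m := ONE_LINE.match(line):
            opts = {k.lower(): v for k, _, v in (o.partition("=") for o in (m[1] or "").split())}
            entries.append((m[2], opts.get("signed-by", "")))
    for stanza in re.split(r"\n[ \t]*\n", text):
        fields = {k.lower(): v.strip() for k, v in FIELD.findall(stanza)}
        if "uris" in fields:
            entries.append((fields["uris"], fields.get("signed-by", "")))
    return entries

def audit(text, mode_of):
    """Return [(uri, finding)]; mode_of(path) gives st_mode, or None if missing."""
    findings = []
    for uri, value in parse_entries(text):
        if not value:
            findings.append((uri, "no Signed-By: all trusted.gpg and trusted.gpg.d/ keys accepted"))
        # Fingerprints and embedded key blocks name no keyring file to check.
        items = [] if "BEGIN PGP" in value else re.split(r"[,\s]+", value)
        for item in (i for i in items if i.startswith("/")):
            if not item.startswith(RECOMMENDED):
                findings.append((uri, f"{item}: outside recommended keyring directories"))
            if (mode := mode_of(item)) is None:
                findings.append((uri, f"{item}: keyring file missing"))
            elif not mode & stat.S_IROTH:
                findings.append((uri, f"{item}: not world-readable, _apt may be unable to read it"))
    return findings

# Constructed sample: only https://archive.ntfy.sh/apt comes from the page.
SAMPLE = (
    "deb [signed-by=/etc/apt/keyrings/example-a.gpg] https://archive.ntfy.sh/apt stable main\n"
    "deb https://repo-b.example.org/apt stable main\n\nTypes: deb\nURIs: https://repo-c.example.org/apt\n"
    "Suites: stable\nComponents: main\nSigned-By: /home/operator/repo-c.gpg\n"
)
SAMPLE_MODES = {"/etc/apt/keyrings/example-a.gpg": 0o100644, "/home/operator/repo-c.gpg": 0o100600}

if __name__ == "__main__":
    for uri, finding in audit(SAMPLE, SAMPLE_MODES.get):
        print(f"{uri}: {finding}")
```

On a real host, pass a `mode_of` that wraps `os.stat` and feed in the contents of `/etc/apt/sources.list` and the files under `/etc/apt/sources.list.d/`.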