Pull request overview
Updates the Ubuntu PPA signing keys used by the build environment initialization script so APT can continue to authenticate packages from the configured PPAs.
Changes:
- Update the git-core PPA key ID used to fetch the signing key from keyserver.ubuntu.com.
- Update the longsleep/golang-backports PPA key ID used to fetch the signing key from keyserver.ubuntu.com.
| cat <<-EOF >"/etc/apt/sources.list.d/git-core-ubuntu-ppa.list" | ||
| deb https://ppa.launchpadcontent.net/git-core/ppa/ubuntu $UBUNTU_CODENAME main | ||
| deb-src https://ppa.launchpadcontent.net/git-core/ppa/ubuntu $UBUNTU_CODENAME main | ||
| EOF | ||
| curl -fsL "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xe1dd270288b4e6030699e45fa1715d88e1df1f24" -o "/etc/apt/trusted.gpg.d/git-core-ubuntu-ppa.asc" | ||
| curl -fsL "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xf911ab184317630c59970973e363c90f8f1b6217" -o "/etc/apt/trusted.gpg.d/git-core-ubuntu-ppa.asc" |
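Review bot: the new key on the last line of this hunk is written straight into the trusted keyring with nothing checking that what came back from keyserver.ubuntu.com is in fact the key with fingerprint f911ab184317630c59970973e363c90f8f1b6217; the search parameter only tells the server what to return, and the script trusts whatever body arrives. Suggest downloading to a temporary file first, reading back its fingerprint, e.g. `gpg --show-keys --with-colons --fingerprint "$tmp" | awk -F: '$1=="fpr"{print $10}'`, comparing it with the expected value, and moving the file into place only on a match; the removed line shows the same gap existed with the previous key, so this rotation is a good moment to close it. A short comment recording where the new fingerprint was taken from would also help, since the PR description is empty.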
These PPA keys are still being installed into /etc/apt/trusted.gpg.d, which makes them trusted for all APT sources. Since this script already uses per-repo keyrings via signed-by (e.g., GitHub CLI), consider moving this key into /etc/apt/keyrings and updating the corresponding .list entry to use signed-by=... so the trust is scoped to just the git-core PPA. Also, after updating the git-core key, please re-check whether the Acquire::AllowInsecureRepositories workaround later in this function is still required on trixie; leaving it enabled unnecessarily weakens signature verification globally.
| cat <<-EOF >"/etc/apt/sources.list.d/longsleep-ubuntu-golang-backports-$UBUNTU_CODENAME.list" | ||
| deb https://ppa.launchpadcontent.net/longsleep/golang-backports/ubuntu $UBUNTU_CODENAME main | ||
| deb-src https://ppa.launchpadcontent.net/longsleep/golang-backports/ubuntu $UBUNTU_CODENAME main | ||
| EOF | ||
| curl -fsL "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x52b59b1571a79dbc054901c0f6bc817356a3d45e" -o "/etc/apt/trusted.gpg.d/longsleep-ubuntu-golang-backports-$UBUNTU_CODENAME.asc" | ||
| curl -fsL "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x876b22ba887ca91614b5323fc631127f87fa12d1" -o "/etc/apt/trusted.gpg.d/longsleep-ubuntu-golang-backports-$UBUNTU_CODENAME.asc" |
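Review bot: the same unchecked download applies to the new golang-backports key on the last line of this hunk, and after this change both PPA blocks repeat the identical curl-into-trusted.gpg.d pattern with a long hexadecimal ID inline. Suggest factoring a small helper along the lines of `install_ppa_key <fingerprint> <dest>` that fetches the key, verifies the fingerprint of the downloaded file against its argument, and only then installs it, and calling it from both the git-core and golang-backports blocks; that keeps the verification in one place and turns the next key rotation into a one-line change.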
Same concern as above: placing the golang-backports PPA key in /etc/apt/trusted.gpg.d globally trusts this key for all repositories. Prefer storing it under /etc/apt/keyrings and referencing it from the longsleep-ubuntu-golang-backports-*.list file with a signed-by=... option to scope trust to this PPA only.
No description provided.