How to change LFS258 Lab 3.1 to account for 'apt-key' deprecation

andrew.nichols

The March 1, 2023 version of the LFS258 lab manual includes some steps in Lab 3.1 (pg. 9) that use 'apt-key', which has been deprecated--specifically, steps 14 and 15. The deprecation causes certain warnings to appear, such as "Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8))." The command will no longer be used after Ubuntu 22.04 due to security concerns.

I've done some research, and it seems the suggestion in the warning is both unclear and would do nothing to reduce the security risk that caused the apt-key deprecation in the first place. References are included at the end of this post.

After some digging, it appears to me (but I could be wrong) that you have already incorporated the best-practice work-around for the apt-key deprecation in step 12 of the same lab (pg. 8), where you used certain commands to import a GPG key for use in creating a Docker repo and installing containerd. These commands are executed as root:

sudo mkdir -p /etc/apt/keyrings

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
  https://download.docker.com/linux/ubuntu \

  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

So I adapted them for use in setting-up the Kubernetes repo to enable the import of kubeadm, kubelet, and kubectl in steps 14 and 15 without the use of 'apt-key' (except in the filename included in the source URL):

The original commands:

vim /etc/apt/sources.list.d/kubernetes.list
deb http://apt.kubernetes.io/ kubernetes-xenial main
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -

The new commands (you still need the '/etc/apt/keyrings' directory):

curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | \
sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes.gpg

echo  \ 
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/kubernetes.gpg] \
  http://apt.kubernetes.io/ \
  kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list > /dev/null

I have used these commands, and the apt-key deprecation warnings have gone away. A quick check of the 'apt-key.gpg' key using 'file apt-key.gpg' told me the key was of type "OpenPGP Public Key Version 4, Created Sat May 21 09:50:12 2022, RSA (Encrypt or Sign, 2048 bits); User ID; Signature; OpenPGP Certificate".

Is this a suitable work-around, or does it not fix the security vulnerabilities that caused the apt-key deprecation in the first place? If they do not, then what changes should be made to Lab 3.1 to completely remove the use of 'apt-key'?

Thanks!

apt-key - Deprecated APT key management utility (not helpful)

What commands (exactly) should replace the deprecated apt-key? (helpful)

apt-key Is Deprecated. How To Add OpenPGP Repository Signing Keys Without It On Debian, Ubuntu, Linux Mint, Pop!_OS, Etc.

chrispokorni

Hi @andrew.nichols

Thank you for the updated installation steps.

The installation instructions were in sync with the official installation guide at the time of the latest course update. As the project adopts industry best practices they will be incorporated into the course material as well.

Regards,
-Chris