Hey guys,
on Debian I ran into an APT error and recognised Grafana Labs update regarding CircleCI security updates | Grafana Labs.
To update the key, I first did the steps I always do, which basically match the steps documented here: https://apt.grafana.com/
- Download the
.key
- Convert it via
gpg --dearmor
into a.gpg
However, APT reports:
The key(s) in the keyring /path/to/grafana.gpg are ignored as the file has an unsupported filetype.
I guess with apt-key add
(deprecated) it would result in the same invalid key.
What does work, is leaving the .key
file untouched and add it like that as signing key to the repo via
[signed-by=/path/to/grafana.key]
as documented in the blog post itself.
I never saw a case where the armored .key
is used for APT authentication. Investigating why --dearmor
does not create a valid key, I recognised that a second contained “revocation certificate” in the key is causing the issue. Removing it allows gpg --dearmor
to create a valid .gpg
key.
I’m not sure whether there is a specific reason for the way this is all done. Revoking a key in APT, AFAIK, cannot be done that way but simply requires to apt-key del
the key or remove/replace the file. To preserve the common method and still documented way of adding APT keys, I suggest to remove the revocation certificate from the .key
file and in case add it with a dedicated file, if this has use in other cases than APT.