Better way - Leftover tor gpg signing key in the local user's gpg keychain in the documentation
Hi,
on this page:
https://www.torproject.org/docs/debian.html.en#ubuntu
You give the following two instructions for downloading the gpg signing key and then using it for apt. This leaves the tor gpg signing key in the local user's gpg keychain.
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
However, apt-key could do this in one command:
sudo apt-key adv --keyserver keys.gnupg.net --recv-keys 886DDD89
Now, I do not know if you have a reason to use two separate lines; maybe you do not trust apt-key being run with sudo to fetch keys from a keyserver.
If that is the case then you could tell users that they can remove the tor signing key from the local keychain, since it is not used there.
gpg --delete-key 0x886DDD89
You could also fetch the key with wget and pipe it to apt-key directly, which might be the cleanest solution of all:
wget -q 'http://keys.gnupg.net/pks/lookup?op=get&search=0x886DDD89' -O- | sudo apt-key add -
This would also avoid the leftover tor gpg signing key in any user's local gpg keychain.
BR
Trac:
Username: daffyduck
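
Added example, not part of the ticket or of the Tor Project documentation: the key is fetched into a throwaway GnuPG home directory so nothing lands in the user's keyring, and it is handed to apt-key only if it is the single key carrying the full fingerprint quoted in the ticket. The function names and the sample listing are constructed for illustration; the fingerprint and keyserver are the ones given above.

```shell
#!/bin/sh
# Added example: import an apt signing key without touching ~/.gnupg.
# Fingerprint and keyserver are the values quoted in the ticket.
EXPECTED_FPR=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
KEYSERVER=keys.gnupg.net

# Print the fingerprint of every primary key in `gpg --with-colons` output
# read from stdin. Fingerprints of subkeys (fpr after "sub") are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { primary = 1 }
             $1 == "sub" { primary = 0 }
             $1 == "fpr" && primary { print $10; primary = 0 }'
}

# Succeed only if the listing on stdin holds exactly one primary key and
# its full fingerprint equals $1 (a short key ID is not compared at all).
only_key_is() {
    [ "$(primary_fprs)" = "$1" ]
}

# Fetch into a temporary keyring, verify, then pass the key to apt.
# The function body is a subshell so the cleanup trap stays local to it.
install_apt_key() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    gpg --homedir "$tmp" --keyserver "$KEYSERVER" --recv-keys "$EXPECTED_FPR" || exit 1
    if gpg --homedir "$tmp" --with-colons --fingerprint | only_key_is "$EXPECTED_FPR"; then
        gpg --homedir "$tmp" --export "$EXPECTED_FPR" | sudo apt-key add -
    else
        echo "fetched key does not match $EXPECTED_FPR; nothing added" >&2
        exit 1
    fi
)

# Constructed sample listing (not real gpg output) for checking offline.
sample_listing() {
    printf '%s\n' \
      'pub:-:2048:1:EE8CBC9E886DDD89:1251659318:::-:::scESC:' \
      'fpr:::::::::A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89:' \
      'uid:-::::1251659318::0000::Constructed Example <example@example.invalid>:' \
      'sub:-:2048:1:0000000000000001:1251659318::::::s:' \
      'fpr:::::::::0000000000000000000000000000000000000001:'
}

# Only touch the network and apt when asked to explicitly.
if [ "${1:-}" = "--install" ]; then
    install_apt_key
fi
```

Run the script with `--install` to perform the import; without arguments it only defines the functions.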