You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We will need to confirm the use of trusted.gpg.d keys on any installation of grafana as the apt-key is deprecated and creates a security breach for the same keys to be used in other repositories.
The way apt-key works is by adding the keys to the /etc/apt/trusted.gpg file. The apt package manager trusts the keys inside this file. However, it was discovered to be a potential security issue. Your system trusts those keys completely, not just for the packages you added them for. Imagine that you added keys to repository A to get package AA and to repo B to get package BB. Your system will gladly accept package BB signed by the key of repo A. It cannot relate the keys to their respective packages. Hence, there is a potential for a security breach.
Ubuntu doesn’t want you to add all the signature keys in the single /etc/apt/trusted.gpg file. It suggests using a separate file that are located in the /etc/apt/trusted.gpg.d directory.
We will need to confirm the use of trusted.gpg.d keys on any installation of grafana as the apt-key is deprecated and creates a security breach for the same keys to be used in other repositories.
The way apt-key works is by adding the keys to the /etc/apt/trusted.gpg file. The apt package manager trusts the keys inside this file. However, it was discovered to be a potential security issue. Your system trusts those keys completely, not just for the packages you added them for. Imagine that you added keys to repository A to get package AA and to repo B to get package BB. Your system will gladly accept package BB signed by the key of repo A. It cannot relate the keys to their respective packages. Hence, there is a potential for a security breach.
Ubuntu doesn’t want you to add all the signature keys in the single /etc/apt/trusted.gpg file. It suggests using a separate file that are located in the /etc/apt/trusted.gpg.d directory.
A good resource - look at step 3 for installation guidance for trusted.gpd.d keys. (The other steps are not applicable and the same can be accomplished other better ways) :
https://www.rosehosting.com/blog/how-to-install-grafana-on-ubuntu-22-04/
The text was updated successfully, but these errors were encountered: