dl.yarnpkg.com: Provide GPG key as separate package via APT repository #7153

Open
r4co0n opened this issue Mar 27, 2019 · 3 comments
@r4co0n

r4co0n commented Mar 27, 2019

This is not regarding a particular branch of Yarn, but the APT packages provided by you via https://dl.yarnpkg.com/debian .

Recently, the GPG key used to sign the Yarn APT packages was changed, because the old key in use would have expired soon. This made many people following the official installation documentation for installation on Debian-based distributions suddenly get an error when running apt-get update, a task that is automated in many places; as far as I know, Ubuntu ships with a mechanism that triggers the related error unattended out of the box. Many related bugs were reported and rightly closed; I followed #6885.

This would not be a problem at all if the team responsible for packaging the Yarn APT packages decided on also shipping the GPG key used to sign the repository, via a DEB package, as the overwhelming majority of well-known APT repositories have done for quite some time.

Please have a look at debian-archive-keyring's debian folder to see how this is done upstream.

This bug report requests a packaging change for APT, resulting in an additional package being shipped, containing all trusted APT GPG keys. Allowing a transition period, this will enable everyone to continue using the official repository without further manual intervention.

If you want help having any of this explained or need help getting a demo of this to work reliably, I am looking forward to your requests and will do my best to welcome anyone following up.
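The keys-only package requested in this issue, sketched as an added example that is not part of the original post or of Yarn's packaging. The package name `example-archive-keyring`, its version, the maintainer address and both function names are hypothetical; the key file is whatever public key the repository exports.

```shell
#!/bin/sh
# Added example: stage a keys-only Debian package for an APT repository.
# Hypothetical names: example-archive-keyring, its version and maintainer.

PKG=example-archive-keyring

# stage_keyring_pkg KEYFILE STAGEDIR
# KEYFILE: the repository's exported public key(s) in binary keyring form.
# Prints the path of the staged keyring on success.
stage_keyring_pkg() (
    keyfile=$1 stage=$2
    umask 022   # dpkg-deb rejects a DEBIAN directory that is not 0755..0775
    [ -s "$keyfile" ] || { echo "missing or empty key file: $keyfile" >&2; exit 1; }
    mkdir -p "$stage/DEBIAN" "$stage/etc/apt/trusted.gpg.d" || exit 1
    chmod 0755 "$stage" || exit 1
    # apt trusts every keyring in trusted.gpg.d for all configured sources,
    # so this file must hold the repository's own signing keys and nothing else.
    install -m 0644 "$keyfile" "$stage/etc/apt/trusted.gpg.d/$PKG.gpg" || exit 1
    cat > "$stage/DEBIAN/control" <<EOF || exit 1
Package: $PKG
Version: 2019.03.27
Architecture: all
Section: misc
Priority: optional
Maintainer: Example Maintainer <packages@example.invalid>
Description: GnuPG archive keys of the example APT repository
 Ships the public keys that sign the repository metadata, so a key
 rollover reaches clients through a normal package upgrade.
EOF
    printf '%s\n' "$stage/etc/apt/trusted.gpg.d/$PKG.gpg"
)

# build_keyring_pkg STAGEDIR OUT.deb (needs dpkg-deb from dpkg >= 1.19)
build_keyring_pkg() {
    # --root-owner-group records root:root instead of the build user's ids.
    dpkg-deb --root-owner-group --build "$1" "$2"
}
```

Publishing such a package in the repository while the old signing key is still valid lets clients receive the new key through an ordinary upgrade, which is the transition period the issue describes.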

@arcanis
Member

arcanis commented Mar 28, 2019

Thanks for the suggestion!

Ping @Daniel15?

Daniel15 self-assigned this Mar 28, 2019
@Daniel15
Member

This is a good idea! I saw it discussed in #6885, thanks for creating a separate issue to track it. I'll try to get to it some time.

> as the overwhelming majority of well-known APT repositories have done for quite some time.

Do most repositories do this? Just recently I had to manually update the key for one of the ones I use (can't remember which one, unfortunately) so it seems like some of them still do it manually.

@r4co0n
Author

r4co0n commented Mar 29, 2019

Upon doing some digging, it seems I was kind of bold. I only found packager.io right now, but it feels like I'm missing something obvious. Google seems to have switched to packager.io for most of their packaging, but they still don't ship Chrome with a key package. Vagrant and UniFi repositories are also apparently unaware of this easy step.
What I got (I may update if I find more):
