VS Code APT sources.list: add signed-by field and remove unnecessary architectures #238697

Open
wcbing opened this issue Jan 24, 2025 · 4 comments · May be fixed by #239390
Labels: deb (Issues related to the deb package), debt (Code quality issues), linux (Issues with VS Code on Linux), packaging (Issues with the package config or distribution)

Comments


wcbing commented Jan 24, 2025

Does this issue occur when all extensions are disabled?: Yes

  • VS Code Version: 1.96.4
  • OS Version: Debian sid

Steps to Reproduce:

VS Code's APT sources.list has two problems. Currently it is:

~> cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] https://packages.microsoft.com/repos/code stable main

Problem 1: Missing signed-by field

The recent APT 2.9.24 update introduced a change:

/etc/apt/trusted.gpg is no longer used as a source of signers.
Sources without Signed-By are fully deprecated, and therefore /etc/apt/trusted.gpg.d is deprecated.

This has led to warnings when running apt update, such as:

Notice: Missing Signed-By in the sources.list(5) entry for 'https://packages.microsoft.com/repos/edge'
Notice: Missing Signed-By in the sources.list(5) entry for 'https://packages.microsoft.com/repos/code'
Notice: Consider migrating all sources.list(5) entries to the deb822 .sources format
Notice: The deb822 .sources format supports both embedded as well as external OpenPGP keys
Notice: See apt-secure(7) for best practices in configuring repository signing.

Problem 2: Unnecessary architectures

The current configuration includes three architectures: amd64, arm64, and armhf. This results in downloading unnecessary index files for architectures that are not in use, wasting bandwidth and server resources. Should these be removed?

Solution

According to the Debian Wiki, the microsoft.gpg key should be moved from /etc/apt/trusted.gpg.d to /usr/share/keyrings, and then you can choose one of the following two solutions:

  1. Update /etc/apt/sources.list.d/vscode.list to the following:
     deb [signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/code stable main
  2. Completely remove /etc/apt/sources.list.d/vscode.list and switch to the DEB822 format. For more information on the DEB822 format, refer to sources.list(5). The DEB822 format also allows embedding the public key within the source list file.
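An added example, not code from the issue or from the VS Code deb package: a POSIX shell helper that rewrites the legacy one-line vscode.list entry into a deb822 stanza with a Signed-By keyring and a single architecture, plus a check for the condition apt 2.9.24 warns about. It assumes the key has already been moved to /usr/share/keyrings/microsoft.gpg as the wiki step above describes (path and architecture are parameters), and the check also recognises the empty Signed-By that apt modernize-sources produces and the embedded-key form shown in the comments.

```shell
#!/bin/sh
# Added example, not from the issue or the VS Code package.
# Rewrites the legacy vscode.list entry into a deb822 .sources stanza that names
# a keyring in Signed-By and keeps only one architecture.
# Assumption: the key already lives at the keyring path passed in (the issue
# proposes /usr/share/keyrings/microsoft.gpg).

# $1 = legacy .list file, $2 = keyring path, $3 = architecture to keep.
# Prints the deb822 stanza on stdout; returns 1 if no usable deb line exists.
vscode_deb822_from_list() {
    list="$1"; keyring="$2"; arch="$3"
    # First uncommented "deb" line, with the whole [options] bracket removed so
    # the old arch=amd64,arm64,armhf list is dropped instead of carried over.
    line=$(grep -E '^[[:space:]]*deb[[:space:]]' "$list" | head -n 1 \
           | sed -E 's/\[[^]]*\][[:space:]]*//')
    [ -n "$line" ] || { echo "no deb entry found in $list" >&2; return 1; }
    set -- $line                # deb <uri> <suite> <component>...
    [ $# -ge 4 ] || { echo "malformed deb entry: $line" >&2; return 1; }
    uri="$2"; suite="$3"; shift 3; components="$*"
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nArchitectures: %s\nSigned-By: %s\n' \
        "$uri" "$suite" "$components" "$arch" "$keyring"
}

# Returns 0 when the file carries a non-empty Signed-By, the field apt 2.9.24
# warns about when missing: legacy "[signed-by=/path]", deb822 "Signed-By: /path",
# or an embedded key given as "Signed-By:" followed by indented continuation
# lines. A bare "Signed-By:" with nothing after it counts as missing.
has_signed_by() {
    grep -Eq '\[[^]]*signed-by=[^] ]' "$1" && return 0
    awk '
        tolower($0) ~ /^signed-by:[[:space:]]*[^[:space:]]/ { found = 1 }
        tolower($0) ~ /^signed-by:[[:space:]]*$/            { pending = 1; next }
        pending && /^[[:space:]]+[^[:space:]]/              { found = 1 }
        { pending = 0 }
        END { exit !found }
    ' "$1"
}

# Typical use (needs root to write under /etc/apt), shown as a comment:
#   vscode_deb822_from_list /etc/apt/sources.list.d/vscode.list \
#       /usr/share/keyrings/microsoft.gpg "$(dpkg --print-architecture)" \
#       > /etc/apt/sources.list.d/vscode.sources
```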
@rzhao271 rzhao271 added debt Code quality issues deb Issues related to the deb package labels Jan 24, 2025
@rzhao271 rzhao271 added this to the Backlog milestone Jan 24, 2025
@rzhao271 rzhao271 added linux Issues with VS Code on Linux packaging Issues with the package config or distribution labels Jan 24, 2025

bhack commented Jan 30, 2025

Also, apt update is going to propose modernizing it with apt modernize-sources, so I don't know if it is better to adopt the new source format directly.


wcbing commented Jan 30, 2025

The two formats are actually the same, and the important thing is the "Signed-By" field.

apt modernize-sources cannot add Signed-By if there was no signed-by before; the result of a direct conversion is:

Types: deb
URIs: https://packages.microsoft.com/repos/code/
Suites: stable
Components: main 
Signed-By:

So, they still need to move the microsoft.gpg key from /etc/apt/trusted.gpg.d to /usr/share/keyrings and add the signed-by field.

Or, use an embedded public key like this:

Types: deb
URIs: https://packages.microsoft.com/repos/code/
Suites: stable
Components: main 
Signed-By:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 .
 mQENBFYxWIwBCADAKoZhZlJxGNGWzqV+1OG1xiQeoowKhssGAKvd+buXCGISZJwT
 LXZqIcIiLP7pqdcZWtE9bSc7yBY2MalDp9Liu0KekywQ6VVX1T72NPf5Ev6x6DLV
 7aVWsCzUAF+eb7DC9fPuFLEdxmOEYoPjzrQ7cCnSV4JQxAqhU4T6OjbvRazGl3ag
 OeizPXmRljMtUUttHQZnRhtlzkmwIrUivbfFPD+fEoHJ1+uIdfOzZX8/oKHKLe2j
 H632kvsNzJFlROVvGLYAk2WRcLu+RjjggixhwiB+Mu/A8Tf4V6b+YppS44q8EvVr
 M+QvY7LNSOffSO6Slsy9oisGTdfE39nC7pVRABEBAAG0N01pY3Jvc29mdCAoUmVs
 ZWFzZSBzaWduaW5nKSA8Z3Bnc2VjdXJpdHlAbWljcm9zb2Z0LmNvbT6JATUEEwEC
 AB8FAlYxWIwCGwMGCwkIBwMCBBUCCAMDFgIBAh4BAheAAAoJEOs+lK2+EinPGpsH
 /32vKy29Hg51H9dfFJMx0/a/F+5vKeCeVqimvyTM04C+XENNuSbYZ3eRPHGHFLqe
 MNGxsfb7C7ZxEeW7J/vSzRgHxm7ZvESisUYRFq2sgkJ+HFERNrqfci45bdhmrUsy
 7SWw9ybxdFOkuQoyKD3tBmiGfONQMlBaOMWdAsic965rvJsd5zYaZZFI1UwTkFXV
 KJt3bp3Ngn1vEYXwijGTa+FXz6GLHueJwF0I7ug34DgUkAFvAs8Hacr2DRYxL5RJ
 XdNgj4Jd2/g6T9InmWT0hASljur+dJnzNiNCkbn9KbX7J/qK1IbR8y560yRmFsU+
 NdCFTW7wY0Fb1fWJ+/KTsC4=
 =J6gs
 -----END PGP PUBLIC KEY BLOCK-----


bhack commented Jan 30, 2025

The two formats are actually the same, and the important thing is the "Signed-By" field.

Yes, but what I meant is that there is still a spammy message if we don't use the other format, even if we add signed-by.


wcbing commented Jan 30, 2025

Oh, you are right.

I noticed that the APT update a day ago not only added this modernize-sources subcommand, but also this new Notice:

Notice: Some sources can be modernized. Run 'apt modernize-sources' to do so.

@bhack bhack linked a pull request Feb 1, 2025 that will close this issue