How to circumvent "apt-key output should not be parsed"?

Tags: Gnupg, Apt

Gnupg Problem Overview


I'm automating my Docker installation. Something like this:

if apt-key fingerprint 0EBFCD88 | grep "Key fingerprint = 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88" > /dev/null
then
  # proceed
fi

This worked fine in older versions of apt-key, but recent versions have two issues:

  1. A different output format: I can hack around that

  2. A warning:

     Warning: apt-key output should not be parsed (stdout is not a terminal)
    

Clearly, I can hack around this as well, just redirect stderr to /dev/null. It just made me curious:

How do these fine folks suggest I verify my key fingerprints? Or am I getting this fundamentally wrong by wanting to automate it, does that defeat the point? (I think not, since I still manually lifted the expected fingerprint from the website, but feel free to tell me otherwise...)

Gnupg Solutions


Solution 1 - Gnupg

From the apt-key sources, you can set APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE to a non-empty value to disable this warning.

You can also use "grep -q" so you don't need to redirect stdout to /dev/null either.

Solution 2 - Gnupg

To reply to the part "am I getting this fundamentally wrong":

I believe that possibly yes. That's the reason for the warning.

You don't write what you do exactly, but one thing to realize is:

The keys do have an expiration, so after some time the fingerprint in your script will become obsolete and it will possibly not behave as expected anymore.

Once the repository and its key are installed, the system somehow upgrades the key automatically, but when the repository is initially added, an up-to-date key has to be provided. In my scripts automating the installation I do not test whether a key was already added; I test whether the repository was already added. If the repository was not added, I add it together with an up-to-date key that I always download from its URL.
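An added example (not code from the question or from any of the answers), combining the point behind Solution 1, that apt-key's human-readable output is not meant to be parsed, with Solution 2's approach of testing for the repository rather than the key and downloading the key fresh when it is missing. Instead of grepping apt-key, it asks gpg for its machine-readable colon format and compares the primary key's "fpr" record with the fingerprint copied from the vendor's website (the Docker fingerprint from the question is reused in the test). It goes beyond the page in one respect: the verified key is stored as its own keyring and referenced with signed-by= rather than added with apt-key add. The directory names, the function names, the GnuPG option availability and the sample colon-format listing are assumptions, not anything from the page.

```shell
#!/bin/sh
# Added example, not code from the question or any of the answers above.
# Assumptions (not from the page): keys are stored as individual keyrings
# under KEYRING_DIR and referenced with signed-by=; repository entries live
# under SOURCES_DIR.
KEYRING_DIR=${KEYRING_DIR:-/etc/apt/keyrings}
SOURCES_DIR=${SOURCES_DIR:-/etc/apt/sources.list.d}

# Strip whitespace and upper-case so "9DC8 5822 ..." equals "9dc85822...".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Read gpg --with-colons output on stdin and print the primary key's
# fingerprint. Field 1 is the record type; field 10 of the first "fpr"
# record after a "pub" record is the fingerprint. Subkey fingerprints
# (fpr records that follow "sub") are ignored.
primary_fpr_from_colons() {
    awk -F: '
        $1 == "pub"         { want = 1; next }
        $1 == "fpr" && want { print $10; exit }
    '
}

# Return 0 if the armored key in file $1 has primary fingerprint $2.
# "--import-options show-only" lists the key without importing it
# (assumed available in your GnuPG 2.x; check gpg --version).
key_fpr_matches() {
    expected=$(normalize_fpr "$2")
    actual=$(gpg --batch --with-colons --import-options show-only \
                 --import "$1" 2>/dev/null | primary_fpr_from_colons)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Return 0 if any sources file under directory $1 already references URL $2.
repo_already_added() {
    grep -rqsF -- "$2" "$1"
}

# ensure_repo NAME KEY_URL EXPECTED_FPR 'deb URL suite component'
# Idempotent: does nothing when the repository is present; otherwise fetches
# the current key, refuses it on fingerprint mismatch, and writes the keyring
# plus a signed-by sources entry. Expects a plain "deb URL ..." line with no
# [options] block, so the URL is the second field.
ensure_repo() {
    name=$1; key_url=$2; expected=$3; deb_line=$4
    repo_url=$(printf '%s\n' "$deb_line" | awk '{ print $2 }')
    if repo_already_added "$SOURCES_DIR" "$repo_url"; then
        echo "$name: repository already configured, nothing to do"
        return 0
    fi
    tmp=$(mktemp) || return 1
    curl -fsSL "$key_url" -o "$tmp" || { rm -f "$tmp"; return 1; }
    if ! key_fpr_matches "$tmp" "$expected"; then
        echo "$name: fingerprint mismatch, refusing to install key" >&2
        rm -f "$tmp"
        return 1
    fi
    mkdir -p "$KEYRING_DIR"
    gpg --batch --dearmor -o "$KEYRING_DIR/$name.gpg" < "$tmp"
    rm -f "$tmp"
    printf '%s\n' "$deb_line" \
        | sed "s#^deb #deb [signed-by=$KEYRING_DIR/$name.gpg] #" \
        > "$SOURCES_DIR/$name.list"
}

# Usage (no network call is made here; the values are placeholders):
# ensure_repo NAME KEY_URL '9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88' \
#     'deb URL suite component'
```

The fingerprint comparison is the only trust decision in the script: it is done on gpg's colon format, which is documented as stable for machine consumption, so no stderr warning has to be filtered and a future change to apt-key's listing layout cannot silently turn the check into a no-op. The "already added" test follows Solution 2 and keys on the repository URL rather than on a fingerprint that will go stale when the vendor rotates the key.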

Solution 3 - Gnupg

I'm modifying the command itself to use batch mode so it will not complain about stdout. For the bigger apt-key this will work, quickly tested on Debian:

sed -i "s%{GPG_EXE}\")' --%{GPG_EXE}\")' --batch --%g" /usr/bin/apt-key

While for the smaller apt-key this could work (untested as I can't recall exactly where I have seen this simpler variant):

sed -i 's%GPG_CMD="gpg %GPG_CMD="gpg --batch %g' /usr/bin/apt-key

You need privileges to write to /usr/bin/apt-key, so either run as root or use sudo.

Solution 4 - Gnupg

This works

apt-key exportall > test.key 2>/dev/null

or

apt-key exportall 2>&1 | grep -v '^Warning' > test.key

Solution 5 - Gnupg

Or you can also do it like this:

RUN curl -sS http://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - &&\
    echo "deb http://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list

instead of

RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type       | Original Author  | Original Content on Stackoverflow
Question           | Sander Verhagen  | View Question on Stackoverflow
Solution 1 - Gnupg | sebt3            | View Answer on Stackoverflow
Solution 2 - Gnupg | David L.         | View Answer on Stackoverflow
Solution 3 - Gnupg | Anton Krug       | View Answer on Stackoverflow
Solution 4 - Gnupg | xavier bs        | View Answer on Stackoverflow
Solution 5 - Gnupg | Almokhtar        | View Answer on Stackoverflow