I have a 3rd party software that is installed from their own repository and requires a custom key configured. Instead of adding their key to the global keyring, how do I correctly set up the key to be used only for that repository?

Typical error message would look like this:

The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D208507CA14F4FCA

Nelson
  • 101

1 Answer

The keyserver.ubuntu.com can be used to retrieve the key, but you must manually confirm that the key is correct before proceeding:

sudo -H gpg --keyserver keyserver.ubuntu.com --recv-keys D208507CA14F4FCA

This command puts the key in your global keyring, and is an intermediate step to export it. The key will be removed at a later step.

-H is needed to handle a permissions issue regarding sudo and the HOME directory.

Next is a sequence of commands to export the keyring:

sudo -H gpg --export --output erlang.gpg D208507CA14F4FCA
sudo mkdir -p /usr/local/share/keyrings
sudo mv ./erlang.gpg /usr/local/share/keyrings/

And then remove the key from the keyring:

sudo -H gpg --batch --yes --delete-key D208507CA14F4FCA

Create a subdirectory for sources.list and add the new config to it:

sudo mkdir -p /etc/apt/sources.list.d
echo "deb [signed-by=/usr/local/share/keyrings/erlang.gpg] https://packages.erlang-solutions.com/ubuntu $(lsb_release -s -c) contrib" | sudo tee /etc/apt/sources.list.d/erlang.list

Note that add-apt-repository doesn't currently support the [signed-by] option.

This process sets up the key for just that repository, limiting the risk of a compromised 3rd party key affecting unrelated repositories.

Nelson
  • 101
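As an added example (not part of Nelson's answer), a small POSIX shell audit for the setting the answer is about: it lists apt source entries that carry no signed-by option (and therefore trust every key in the global keyring) and flags signed-by keyrings that are missing on disk. The sample source list it runs over is constructed here; only the erlang line mirrors the answer, the other repositories are hypothetical.

```shell
#!/bin/sh
# Audit apt source lists for "deb" entries that trust the whole global
# keyring (no [signed-by=...] option) and for signed-by keyrings that do
# not exist on disk. On a real system, run the two audit functions over
# /etc/apt/sources.list.d/*.list instead of the constructed sample below.

# Print "deb"/"deb-src" lines from the given files that carry no signed-by option.
unsigned_by_entries() {
    grep -h '^[[:space:]]*deb' "$@" | grep -v 'signed-by='
}

# Print each keyring path referenced by signed-by= that is not a file on disk.
missing_keyrings() {
    grep -ho 'signed-by=[^] ]*' "$@" | cut -d= -f2 | sort -u |
    while IFS= read -r path; do
        [ -f "$path" ] || printf '%s\n' "$path"
    done
}

# Build a sources.list.d line in the per-repository form used in the answer.
# $1 keyring path, $2 repository URL, $3 suite, $4 component(s)
make_source_line() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Write a constructed sample source list and print its path. The second and
# third repositories are hypothetical; example.invalid never resolves.
write_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
deb [signed-by=/usr/local/share/keyrings/erlang.gpg] https://packages.erlang-solutions.com/ubuntu focal contrib
deb [arch=amd64 signed-by=/nonexistent/keyrings/sample.gpg] https://example.invalid/ubuntu focal main
deb https://example.invalid/other focal main
# deb-src https://example.invalid/other focal main
EOF
    printf '%s\n' "$f"
}

sample=$(write_sample)
echo "Entries trusting the global keyring:"
unsigned_by_entries "$sample"
echo "Referenced keyrings missing on disk:"
missing_keyrings "$sample"
rm -f "$sample"
```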