One of the issues on Debian/Ubuntu is the following:
- People probably followed https://support.plex.tv/articles/235974187-enable-repository-updating-for-supported-linux-server-distributions/, adding the key to the legacy `/etc/apt/trusted.gpg` or downloading it to `/etc/apt/trusted.gpg.d/plex.gpg` or anywhere else.
- The DEB package `postinst` runs this code:

  ```sh
  # Switch repo definition to using the GPG key if not already done.
  HostArch="$(dpkg --print-architecture)"
  wget -q -O - https://downloads.plex.tv/plex-keys/PlexSign.key | gpg --yes --dearmor -o /usr/share/keyrings/plexmediaserver.gpg
  Result=$?
  if [ $Result -eq 0 ]; then
    sed -i -e "s+deb https://downloads.plex.tv+deb [arch=$HostArch signed-by=/usr/share/keyrings/plexmediaserver.gpg] https://downloads.plex.tv+" \
      /etc/apt/sources.list.d/plexmediaserver.list
  else
    Output "WARNING: Unable to install Plex GPG signing key in /usr/share/keyrings/plexmediaserver.gpg"
    Warnings=$((Warnings + 1))
  fi
  ```

  So it downloads the key again, and overwrites the path to the key which shall be considered to sign the list.
- Now the key got rotated, which is very common, so people see the APT warning, which is also common.
- People do the same step as before to update the key, which however has no effect since the `postinst` changed the valid path. And of course the package cannot be upgraded via APT as long as there is no valid key.
- People need to see that `/etc/apt/sources.list.d/plexmediaserver.list` was altered with a different key path, and need to manually update this key (or remove/change the `signed-by` section) before the upgrade can work. And the upgrade will unnecessarily download and rewrite the list again.
I understand that downloading the key and writing the `plexmediaserver.list` via `postinst` is meant to be a convenience step, so people who manually download and install the DEB package will get upgrades via APT from that point on. But it breaks setups where admins downloaded the key and wrote the `plexmediaserver.list` manually, following Plex's own article about that. Also, if a different file name was chosen, it will not only cause duplicate keys, but also duplicate lists, which cause more APT warnings. And when adjusting one's own scripts/schedules to use the same key and list path/content as the `postinst` does, it does not allow the DEB822 format, i.e. warnings in Debian Trixie and recent Ubuntu audits with a suggestion to run `apt modernize-sources`, and direct APT warnings on Debian testing (maybe recent Ubuntu as well). This again leads to duplicates from the next Plex package upgrade on.
What I want to say => remove that code block from `postinst`. It is very uncommon, and IMO causes more issues than it helps. Instead, the instructions to set up the APT list could be added more prominently to the download section, to be the preferred method instead of manually downloading the DEB.
EDIT: A common transparent alternative would be a key(ring) package, similar to `debian-archive-keyring`. Using that, it would be obvious for admins which `signed-by` path to use, and auto-rotation is possible as long as old keys remain valid for a transition period.
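As an added example (not part of the post above and not Plex's code): a small POSIX shell script that reproduces what the quoted `sed` does to a hand-written source line, reports which keyring APT will actually consult after the rewrite versus the one the admin keeps updating, and emits the DEB822 stanza that makes the `Signed-By` path explicit. Only the download host and the keyring paths come from the post; the repository suite and component (`public main`) and all sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not Plex's postinst and not code from the post above.
# Works on one-line-style APT source lines ("deb [options] URI suite components").
# The keyring paths and the download host are the ones named in the post; the
# suite/component ("public main") and all sample lines are constructed here.

# Print the contents of the [options] bracket of a source line, if any.
options_of() {
    printf '%s\n' "$1" | sed -n 's/^deb[[:space:]]*\[\([^]]*\)].*/\1/p'
}

# Print the value of signed-by= (the keyring APT will use for this source), or nothing.
signed_by_of() {
    options_of "$1" | tr ' ' '\n' | sed -n 's/^signed-by=//p'
}

# Print the value of arch=, or nothing.
arch_of() {
    options_of "$1" | tr ' ' '\n' | sed -n 's/^arch=//p'
}

# Print "URI suite components" with the "deb" keyword and any [options] removed.
rest_of() {
    printf '%s\n' "$1" | sed -e 's/^deb[[:space:]]*//' -e 's/^\[[^]]*][[:space:]]*//'
}

# Reproduce the substitution the quoted postinst applies to plexmediaserver.list
# ($2 plays the role of $HostArch). A line that already carries [options] is left alone,
# because the pattern "deb https://" no longer occurs in it.
postinst_rewrite() {
    printf '%s\n' "$1" | sed -e "s+deb https://downloads.plex.tv+deb [arch=$2 signed-by=/usr/share/keyrings/plexmediaserver.gpg] https://downloads.plex.tv+"
}

# Compare the keyring named in signed-by= ($1 is the source line) with the keyring
# the admin maintains ($2). Prints: match | mismatch:<path apt uses> | no-signed-by
keyring_status() {
    key=$(signed_by_of "$1")
    if [ -z "$key" ]; then
        printf 'no-signed-by\n'          # apt falls back to trusted.gpg / trusted.gpg.d
    elif [ "$key" = "$2" ]; then
        printf 'match\n'
    else
        printf 'mismatch:%s\n' "$key"    # re-importing into $2 changes nothing; apt reads $key
    fi
}

# Run keyring_status over every "deb" line of a sources file ($1), against keyring $2.
check_sources_file() {
    while IFS= read -r src; do
        case $src in
            deb[[:space:]]*) printf '%s -> %s\n' "$src" "$(keyring_status "$src" "$2")" ;;
        esac
    done < "$1"
}

# Emit the DEB822 stanza equivalent to a one-line source (the form apt modernize-sources
# produces), so the Signed-By path is visible instead of hidden inside [options].
to_deb822() {
    line=$1
    # shellcheck disable=SC2046  # splitting "URI suite components" into words is intended
    set -- $(rest_of "$line")
    uri=$1
    suite=$2
    shift 2
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\n' "$uri" "$suite" "$*"
    arch=$(arch_of "$line")
    if [ -n "$arch" ]; then
        printf 'Architectures: %s\n' "$(printf '%s' "$arch" | tr ',' ' ')"
    fi
    key=$(signed_by_of "$line")
    if [ -n "$key" ]; then
        printf 'Signed-By: %s\n' "$key"
    fi
}

# Stand-alone demo on constructed input.
MANUAL_LINE='deb https://downloads.plex.tv/repo/deb public main'   # written by hand per the article
ADMIN_KEYRING=/etc/apt/trusted.gpg.d/plex.gpg                     # where that admin put the key
HOST_ARCH=$(dpkg --print-architecture 2>/dev/null || echo amd64)

REWRITTEN=$(postinst_rewrite "$MANUAL_LINE" "$HOST_ARCH")
printf 'after postinst : %s\n' "$REWRITTEN"
printf 'keyring status : %s\n' "$(keyring_status "$REWRITTEN" "$ADMIN_KEYRING")"
printf 'second run     : %s\n' "$(keyring_status "$(postinst_rewrite "$REWRITTEN" "$HOST_ARCH")" "$ADMIN_KEYRING")"
printf 'DEB822 stanza  :\n'
to_deb822 "$REWRITTEN"
```

To check a real system, run `check_sources_file /etc/apt/sources.list.d/plexmediaserver.list /etc/apt/trusted.gpg.d/plex.gpg` (or whatever path the key was imported to). A `mismatch:` result is the situation from the last bullet above: once `signed-by=` is set, APT verifies that source only against the named keyring, so re-importing the rotated key into the old location has no effect until that keyring is updated or the option is changed.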