Delete release key from /etc/apt/trusted.gpg

Use /etc/apt/trusted.gpg.d/securedrop-keyring.gpg, provided by the securedrop-keyring package.

securedrop-keyring/debian/preinst

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+# Solution adapted from DKG's work on `deb.torproject.org-keyring` and
+# the securedrop core keyring package.
+# In SecureDrop Workstation versions before 0.3.0, the salt provisioning
+# logic uses pkgrepo.managed, which writes the key to `/etc/apt/trusted.gpg`.
+# It's cleaner to use the trusted.gpg.d subdirectory, since we can
+# update that trivially in future versions of the keyring package.
+#
+# Therefore let's clean up prior versions of the key installed
+# to the general apt keyring, to ensure we only have one signing key
+# installed for authenticating securedrop-related packages.
+
+if [ -e /etc/apt/trusted.gpg ] && which gpg >/dev/null; then
+   (
+   h="$(mktemp -d)"
+   trap "rm -rf '$h'" EXIT
+
+   if gpg --homedir="$h" \
+          --batch --no-tty --no-default-keyring --keyring /etc/apt/trusted.gpg \
+          --list-key 0x22245C81E3BAEB4138B36061310F561200F4AD77 > /dev/null 2>&1 ; then
+      gpg --homedir="$h" \
+          --batch --no-tty --no-default-keyring --keyring /etc/apt/trusted.gpg \
+          --no-auto-check-trustdb \
+          --delete-key 0x22245C81E3BAEB4138B36061310F561200F4AD77 || true
+   fi
+   )
+fi
+
+#DEBHELPER#
+