From a4f12d4d623539dba29672ec58e55126aea5d302 Mon Sep 17 00:00:00 2001
From: mickael e
Date: Fri, 22 May 2020 14:09:59 -0400
Subject: [PATCH] Delete release key from /etc/apt/trusted.gpg

Use /etc/apt/trusted.gpg.d/securedrop-keyring.gpg, provided by the securedrop-keyring package.
---
 securedrop-keyring/debian/preinst | 33 +++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 securedrop-keyring/debian/preinst

diff --git a/securedrop-keyring/debian/preinst b/securedrop-keyring/debian/preinst
new file mode 100644
index 00000000..ed2b31ea
--- /dev/null
+++ b/securedrop-keyring/debian/preinst
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+# Solution adapted from DKG's work on `deb.torproject.org-keyring` and
+# the securedrop core keyring package.
+# In SecureDrop Workstation versions before 0.3.0, the salt provisioning
+# logic uses pkgrepo.managed, which writes the key to `/etc/apt/trusted.gpg`.
+# It's cleaner to use the trusted.gpg.d subdirectory, since we can
+# update that trivially in future versions of the keyring package.
+#
+# Therefore let's clean up prior versions of the key installed
+# to the general apt keyring, to ensure we only have one signing key
+# installed for authenticating securedrop-related packages.
+
+if [ -e /etc/apt/trusted.gpg ] && which gpg >/dev/null; then
+    (
+    h="$(mktemp -d)"
+    trap "rm -rf '$h'" EXIT
+
+    if gpg --homedir="$h" \
+        --batch --no-tty --no-default-keyring --keyring /etc/apt/trusted.gpg \
+        --list-key 0x22245C81E3BAEB4138B36061310F561200F4AD77 > /dev/null 2>&1 ; then
+        gpg --homedir="$h" \
+        --batch --no-tty --no-default-keyring --keyring /etc/apt/trusted.gpg \
+        --no-auto-check-trustdb \
+        --delete-key 0x22245C81E3BAEB4138B36061310F561200F4AD77 || true
+    fi
+    )
+fi
+
+#DEBHELPER#
+
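Review bot: The `|| true` on the `--delete-key` line, together with the silent skip when `which gpg` fails in the outer `if`, means the legacy key can remain trusted in /etc/apt/trusted.gpg with no indication to the operator, which defeats the stated goal of having a single signing key for securedrop packages. Replace the swallow with a diagnostic, e.g. `--delete-key 0x22245C81E3BAEB4138B36061310F561200F4AD77 || echo "securedrop-keyring: could not remove legacy key from /etc/apt/trusted.gpg" >&2`, and add an `else` leg to the outer `if` that prints a similar notice when gpg is unavailable (whether the package declares gnupg as a dependency is not visible here). As a matter of style, `command -v gpg >/dev/null` is the portable form of `which gpg`, and `trap 'rm -rf -- "$h"' EXIT` (single-quoted, expanded at exit time) is the conventional way to write the cleanup trap instead of expanding `$h` into the trap string at definition time. The script is complete within the hunk.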