docs: Use recommended replacement for deprecated apt-key command #755

Merged

Conversation

uscinski
Contributor

@uscinski uscinski commented Mar 6, 2024

Section on Trusted Execution Environments uses the apt-key command, which is deprecated and will be removed in future Ubuntu and Debian versions. Here we use recommended commands and directory locations to add a trusted repository.

@uscinski uscinski requested a review from matevz March 6, 2024 14:58

netlify bot commented Mar 6, 2024

Deploy Preview for oasisprotocol-docs ready!

Name Link
🔨 Latest commit 4f02859
🔍 Latest deploy log https://app.netlify.com/sites/oasisprotocol-docs/deploys/65e9da15051e880008eb6621
😎 Deploy Preview https://deploy-preview-755--oasisprotocol-docs.netlify.app
Member

@kostko kostko left a comment

Ew, this is more complicated than before so more likely something will go wrong :(

@kostko
Member

kostko commented Mar 6, 2024

But I guess this can't be avoided?

@uscinski
Contributor Author

uscinski commented Mar 7, 2024

> Ew, this is more complicated than before so more likely something will go wrong :(

This is indeed more complex. It follows the standardized procedure on how to configure an unofficial (i.e., a third-party) APT repository on a machine. From the proposed standard it differs in that it does not perform standard pinning, which would make the entire procedure even more verbose. For example, a similar procedure can be spotted in the official Docker documentation.

> But I guess this can't be avoided?

It can be avoided. A drop-in replacement for the apt-key add command is still a one-liner. Let's show this on an example from the man pages.

With apt-key:

wget -qO- https://myrepo.example/myrepo.asc | sudo apt-key add -

Without apt-key, using ASCII armored key:

wget -qO- https://myrepo.example/myrepo.asc | sudo tee /etc/apt/trusted.gpg.d/myrepo.asc

Without apt-key, using a key in the binary OpenPGP format:

wget -qO- https://myrepo.example/myrepo.gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/myrepo.gpg

To keep it simple, we can go with the last example.

However, placing keys in /etc/apt/trusted.gpg.d still results in a warning on recent Debian systems, because APT completely and unconditionally trusts all the keys stored there, and would therefore accept all the packages signed by any of the stored keys, regardless of the repository the packages (or the key) originate from. To limit the scope of keys from the unofficial repositories, it is therefore recommended to store them in /etc/apt/keyrings, which is a directory that might not exist on a system, and refer to them with the signed-by directive in the respective sources.list entries. There, for complex entries it is recommended to use the "Deb822" file format.

Edit: @kostko Using the same assumptions as before, I have now simplified the code.

@uscinski uscinski force-pushed the uscinski/docs/tee-replace-deprecated-apt-key-commands branch from afa27fa to 4f02859 Compare March 7, 2024 15:15
@uscinski uscinski merged commit 8ab913c into main Mar 7, 2024
6 checks passed
@uscinski uscinski deleted the uscinski/docs/tee-replace-deprecated-apt-key-commands branch March 7, 2024 15:39
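
The scoped-key setup described in the last comment above (key stored under /etc/apt/keyrings and referenced with signed-by from a Deb822 entry), together with a check for sources that still rely on globally trusted keys. This is an added example, not code from the pull request or the Oasis documentation; the ROOT prefix, the function names and the repository values passed in are assumptions for illustration.

```shell
#!/bin/sh
# ROOT is a hypothetical prefix for trying this in a scratch directory;
# on a real system it is empty and the functions run as root.

# add_scoped_repo ROOT NAME URI SUITE COMPONENT KEYFILE
add_scoped_repo() {
    root=$1 name=$2 uri=$3 suite=$4 component=$5 keyfile=$6
    keyring="/etc/apt/keyrings/$name.asc"

    # Accept only an ASCII-armored public key block, not an error page or other file.
    grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$keyfile" || {
        echo "not an armored public key: $keyfile" >&2
        return 1
    }
    # The keyrings directory might not exist; the key must be readable by APT (0644).
    install -d -m 0755 "$root/etc/apt/keyrings" "$root/etc/apt/sources.list.d"
    install -m 0644 "$keyfile" "$root$keyring"

    # Deb822 entry: Signed-By limits this key to this repository only.
    cat > "$root/etc/apt/sources.list.d/$name.sources" <<EOF
Types: deb
URIs: $uri
Suites: $suite
Components: $component
Signed-By: $keyring
EOF
}

# list_unscoped ROOT: source files that never mention signed-by, so they
# fall back to the globally trusted keys (coarse per-file check).
list_unscoped() {
    for f in "$1"/etc/apt/sources.list.d/*.sources \
             "$1"/etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        grep -qi 'signed-by' "$f" || echo "$f"
    done
}

# list_global_keys ROOT: keys APT trusts for every configured repository.
list_global_keys() {
    for f in "$1"/etc/apt/trusted.gpg.d/*; do
        [ -f "$f" ] && echo "$f"
    done
    return 0
}
```

Running `list_unscoped ""` and `list_global_keys ""` on an existing machine shows which repositories and keys would still need migrating.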