
I was wondering whether a public key added by apt-key is

  • per repository (all packages in a repository are authenticated with the same public key) or
  • per package (different packages in the same repository may be authenticated with different public keys).

In other words, what does a public key authenticate: a package, a repository, or something else?

The manpage of apt-key says

apt-key is used to manage the list of keys used by apt to authenticate packages. Packages which have been authenticated using these keys will be considered trusted.

... It is critical that keys added manually via apt-key are verified to belong to the owner of the repositories they claim to be for.

For example, I was wondering why there is no repository or something else specified as a scope to which a public key is applicable:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E298A3A825C0D65DFD57CBB651716619E084DAB9

Thanks.

Tim

1 Answer


Keys themselves aren’t scoped at all: any key added to the apt keyring is considered a valid signature key.

In Debian-style repositories, the signature applies to the whole repository: each repository’s Release file is signed, either as a detached signature (Release.gpg) or inline (InRelease). The signature indicates which key was used to sign the file (or which keys, since a file can be signed by multiple keys). Everything else is verified using information in the Release file. See How is the authenticity of Debian packages guaranteed? for details.

If you want to specify which keys should be used to verify a given repository, you can do that in the repository description in sources.list, not when adding the key to apt’s keyring; see the Signed-By option in the sources.list manpage.

Stephen Kitt
  • How does apt know which added key is used to authenticate which package from which repository? We can add many public keys in an apt-key command. In the example, when adding a public key, why is its scope not specified? – Tim Mar 30 '20 at 20:58
  • See the update. – Stephen Kitt Mar 30 '20 at 21:09
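The two points in the answer, that a key in the global apt keyring is accepted for every repository unless the source line carries a Signed-By option, and that once the Release file's signature has been verified every other file is checked only against the sizes and hashes listed in it, can be modelled in a few lines. The following is an added example written for this page; it is not code from the original post and it is not apt's own implementation. The Release and Packages contents are constructed inline, the OpenPGP signature check on InRelease / Release.gpg (which apt performs with gpgv before trusting anything in the file) is assumed to have already succeeded, and the key fingerprints are placeholders.

```python
"""Model of apt's two-stage trust chain for a Debian-style repository.

Added example, not from the original post and not apt's own code.
Stage 1 (modelled by key_accepted): is the key that signed the Release file
one that apt is willing to accept for this source?  Without Signed-By any key
in the global keyring is accepted for any repository; with Signed-By only the
listed keys (or keyring) are.
Stage 2 (modelled by verify_file): every other repository file is accepted
only if its size and SHA256 digest match the entry in the signature-checked
Release file.  A file with no entry is not covered by the signature at all.
"""
import hashlib
import hmac

# --- constructed sample data -------------------------------------------------
PACKAGES_GOOD = (
    b"Package: hello\n"
    b"Version: 2.10-2\n"
    b"Architecture: amd64\n"
    b"Filename: pool/main/h/hello/hello_2.10-2_amd64.deb\n"
    b"\n"
)
# Same length as PACKAGES_GOOD, so only the digest check can catch it.
PACKAGES_TAMPERED = PACKAGES_GOOD.replace(b"hello_2.10-2_amd64", b"hello_2.10-3_amd64")


def _release_text(packages: bytes) -> str:
    """Build the body of a Release file (after signature removal) listing one
    index file in its SHA256 section: ' <digest> <size> <path>'."""
    digest = hashlib.sha256(packages).hexdigest()
    return (
        "Origin: Example\n"
        "Suite: stable\n"
        "Architectures: amd64\n"
        "Components: main\n"
        "SHA256:\n"
        f" {digest} {len(packages)} main/binary-amd64/Packages\n"
    )


RELEASE = _release_text(PACKAGES_GOOD)  # constructed; signature assumed verified


# --- stage 1: which keys may sign this repository? ---------------------------
def key_accepted(signing_fpr: str, global_keyring: list, signed_by: list = None) -> bool:
    """Without Signed-By, any key in the global keyring is trusted for every
    repository.  With Signed-By, only the keys named for that source count.
    Fingerprints here are placeholders, not real Debian/Ubuntu keys."""
    allowed = set(signed_by) if signed_by else set(global_keyring)
    return signing_fpr in allowed


# --- stage 2: verify other files against the Release file --------------------
def parse_release_hashes(release_text: str, algo: str = "SHA256") -> dict:
    """Return {path: (hexdigest, size)} for the requested hash section."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.rstrip() == f"{algo}:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries


def verify_file(release_text: str, path: str, data: bytes) -> bool:
    """Accept data for `path` only if Release lists it with matching size and digest."""
    entries = parse_release_hashes(release_text)
    if path not in entries:
        return False  # not listed in the signed Release file: untrusted
    digest, size = entries[path]
    if len(data) != size:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, digest)


if __name__ == "__main__":
    keyring = ["AAAA1111", "BBBB2222"]
    print("unscoped key:", key_accepted("BBBB2222", keyring))
    print("Signed-By:   ", key_accepted("BBBB2222", keyring, signed_by=["AAAA1111"]))
    print("good Packages:    ", verify_file(RELEASE, "main/binary-amd64/Packages", PACKAGES_GOOD))
    print("tampered Packages:", verify_file(RELEASE, "main/binary-amd64/Packages", PACKAGES_TAMPERED))
    print("unlisted file:    ", verify_file(RELEASE, "main/binary-i386/Packages", PACKAGES_GOOD))
```

The corresponding real-world configuration for the Signed-By case is a sources.list line such as `deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://example.invalid/debian stable main` (placeholder URL and path); apt then consults only that keyring for that source, which is the scoping the question was looking for and which adding a key with apt-key cannot provide.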