From 8375d5b58038fc026098dcccc3de87cd9d740334 Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Fri, 17 Aug 2018 16:33:41 +0200
Subject: Support multiple keyrings in sources.list Signed-By

A user can specify multiple fingerprints for a while now, so it seems
counter-intuitive to support only one keyring, especially if this isn't
really checked or enforced and, while unlikely, mixtures of both should
work properly, too, instead of a kinda random behaviour.
---
 doc/sources.list.5.xml | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

(limited to 'doc')

diff --git a/doc/sources.list.5.xml b/doc/sources.list.5.xml index 84eb527e7..eaea13ae5 100644 --- a/doc/sources.list.5.xml +++ b/doc/sources.list.5.xml @@ -14,7 +14,7 @@ &apt-email; &apt-product; - 2018-02-27T00:00:00Z + 2018-08-17T00:00:00Z 
@@ -294,17 +294,22 @@ deb-src [ option1=value1 option2=value2 ] uri suite [component1] [component2] [. () - is either an absolute path to a keyring file (has to be - accessible and readable for the _apt user, - so ensure everyone has read-permissions on the file) or one or - more fingerprints of keys either in the - trusted.gpg keyring or in the - keyrings in the trusted.gpg.d/ directory - (see apt-key fingerprint). If the option is - set, only the key(s) in this keyring or only the keys with these - fingerprints are used for the &apt-secure; verification of this - repository. Defaults to the value of the option with the same name - if set in the previously acquired Release file. + is an option to require a repository to pass &apt-secure; verification + with a certain set of keys rather than all trusted keys apt has configured. + It is specified as a list of absolute paths to keyring files (have to be + accessible and readable for the _apt system user, + so ensure everyone has read-permissions on the file) and fingerprints + of keys to select from these keyrings. If no keyring files are specified + the default is the trusted.gpg keyring and + all keyrings in the trusted.gpg.d/ directory + (see apt-key fingerprint). If no fingerprint is + specified all keys in the keyrings are selected. A fingerprint will + accept also all signatures by a subkey of this key, if this isn't + desired an exclamation mark (!) can be appended to + the fingerprint to disable this behaviour. + The option defaults to the value of the option with the same name + if set in the previously acquired Release file + of this repository (only fingerprints can be specified there through). Otherwise all keys in the trusted keyrings are considered valid signers for this repository. -- cgit v1.2.3
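Review bot: In the @@ -294,17 +294,22 @@ hunk, the added sentence "It is specified as a list of absolute paths to keyring files ... and fingerprints of keys to select from these keyrings" never says how the entries of that list are separated, and no example of a mixed value follows it. Since this option narrows which keys may sign a repository, a reader who guesses the syntax wrong may not end up with the restriction they intended; please name the separator and show one value that combines a keyring path with a fingerprint. Two smaller points in the same paragraph: "(only fingerprints can be specified there through)" should read "though", and "A fingerprint will accept also all signatures by a subkey of this key, if this isn't desired an exclamation mark (!) can be appended" is a comma splice that would read better as two sentences. The subkey sentence would also be clearer if it stated that the trailing "!" limits acceptance to signatures made by exactly the key named, because "disable this behaviour" leaves the resulting rule implicit.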