In order to make life easier for Linux users, we have an APT repository that allows you to easily install and update our applications with the apt-get tools and similar. To use our APT repository, we need to add it to the repository list, but this operation will change in future versions of the distributions. In this post, we explain how to add and use our APT repository so that it still works in the future.
To be able to use our APT repository, we must first add it to the list of repositories that the apt utility consults. The traditional method was to install the PGP public key of Yoctopuce with the apt-key utility and then create a yoctopuce.list file in the /etc/apt/sources.list.d directory.
This method was considered "insecure", because the installed keys were valid for all repositories. It was therefore theoretically possible to validate a repository with a fraudulent key. For this reason, the apt-key utility will disappear in the next versions of Ubuntu and Debian.
At the present time, the old method, which uses apt-key, still works, but displays a warning when installing the PGP key.
The new method
The new recommended method is to copy the PGP key to the /usr/share/keyrings or /etc/apt/keyrings subdirectory and specify the exact path of the key to use for each repository.
This solution is more secure, because the data returned by the repository is always validated with the same PGP key: the one specified during installation.
In practice
In practice, the commands to execute on your machine are the following:
To install the PGP key from our repository in the /usr/share/keyrings/ directory:
wget -q -O - https://www.yoctopuce.com/apt/KEY.gpg | gpg --dearmor | sudo tee -a /usr/share/keyrings/yoctopuce.gpg > /dev/null
To add our repository to the list of consulted repositories:
echo 'deb [signed-by=/usr/share/keyrings/yoctopuce.gpg] https://www.yoctopuce.com/ apt/stable/' | sudo tee -a /etc/apt/sources.list.d/yoctopuce.list > /dev/null
When these two commands are executed, you can use all the applications that are based on APT. For example the following commands install VirtualHub.
sudo apt update sudo apt install virtualhub
What do these commands do?
Installing the PGP key is a sequence of commands that are piped. The first command downloads the PGP key from our website using HTTPS. Then it is converted to binary format using the command "gpg --dearmor". And finally it is copied to the /usr/share/keyrings directory using sudo to get write permissions in this directory.
wget -q -O - https://www.yoctopuce.com/apt/KEY.gpg | gpg --dearmor | sudo tee -a /usr/share/keyrings/yoctopuce.gpg > /dev/null
The part that adds our repository is easier to understand, we create a file /etc/apt/sources.list.d/yoctopuce.list that contains the following line:
deb [signed-by=/usr/share/keyrings/yoctopuce.gpg] https://www.yoctopuce.com/ apt/stable/
Again, we use sudo to get write access to the /etc/apt/sources.list.d/directory
echo 'deb [signed-by=/usr/share/keyrings/yoctopuce.gpg] https://www.yoctopuce.com/ apt/stable/' | sudo tee -a /etc/apt/sources.list.d/yoctopuce.list > /dev/null
Conclusion
This procedure works on all distributions that are based on Debian or Ubuntu, including older versions.
Except for longer and less readable commands, the procedure is identical to the traditional method, but avoids potential security problems.
We have updated our documentation to use this new method. This way, you can still install our utilities in future Linux distributions.