I understand that add-apt-repository is being deprecated because it adds the repo key globally instead of specifically for the package(s) that need it. However, the examples I see on the web don't show how to handle ppa:<username>/<package>.
I can see "What commands (exactly) should replace the deprecated apt-key?" but I never used apt-key and the example doesn't show how to deal with the ppa part.
Here are the now-obsolete commands (openconnect requires vpnc which I think is hosted under the same ppa?):
apt update
apt install software-properties-common
add-apt-repository ppa:dwmw2/openconnect
apt install vpnc
apt install openconnect
If I could just unpack ppa:dwmw2/openconnect to separately download the key and add the repo, I could follow existing instructions for replacing apt-key and apt-add-repository separately and have a recipe for doing this for all other repository adds.
Sub-question
Does add-apt-repository do this by screen-scraping from https://launchpad.net/~dwmw2/+archive/ubuntu/openconnect?
No. I'm still missing the key block because when I do:
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)
...
=92oX
-----END PGP PUBLIC KEY BLOCK-----
That format looks nothing like
Signing key:
4096R/DBBE5FF954B458D1A0875E8A9FCCDFFB8838752F
Fingerprint:
DBBE5FF954B458D1A0875E8A9FCCDFFB8838752F
And gpg --dearmor produces binary output:
Hah! I think I found at least part of the answer here: https://help.launchpad.net/Packaging/PPA/InstallingSoftware#On_older_.28pre_9.10.29_Ubuntu_systems
Now:
# apt update
...
apt install gpg
...
gpg --homedir /tmp --no-default-keyring --keyring /usr/share/keyrings/openconnect.gpg --keyserver keyserver.ubuntu.com --recv-keys DBBE5FF954B458D1A0875E8A9FCCDFFB8838752F
gpg: keybox '/usr/share/keyrings/openconnect.gpg' created
gpg: /tmp/trustdb.gpg: trustdb created
gpg: key 9FCCDFFB8838752F: public key "Launchpad PPA for dwmw2" imported
gpg: Total number processed: 1
gpg: imported: 1
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/openconnect.gpg] https://ppa.launchpadcontent.net/dwmw2/openconnect/ubuntu bionic main' >/etc/apt/sources.list.d/openconnect.list
apt update
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Ign:4 https://ppa.launchpadcontent.net/dwmw2/openconnect/ubuntu bionic InRelease
Hit:5 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
Err:6 https://ppa.launchpadcontent.net/dwmw2/openconnect/ubuntu bionic Release
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 185.125.190.52 443]
Reading package lists... Done
W: https://ppa.launchpadcontent.net/dwmw2/openconnect/ubuntu/dists/bionic/InRelease: No system certificates available. Try installing ca-certificates.
W: https://ppa.launchpadcontent.net/dwmw2/openconnect/ubuntu/dists/bionic/Release: No system certificates available. Try installing ca-certificates.
E: The repository 'https://ppa.launchpadcontent.net/dwmw2/openconnect/ubuntu bionic Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Easily fixed with: "apt-get update failed because certificate verification failed because handshake failed on nodesource"
Now:
# apt update
Hit:1 http://archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
Get:5 https://ppa.launchpadcontent.net/dwmw2/openconnect/ubuntu bionic InRelease [15.9 kB]
Get:6 https://ppa.launchpadcontent.net/dwmw2/openconnect/ubuntu bionic/main amd64 Packages [1437 B]
Fetched 17.3 kB in 1s (14.5 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
add-apt-repository is a Python script, and it uses the Launchpad API. You can try the API to get the signing key. – muru Jan 10 '23 at 16:12
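Added example (not code from the post or from add-apt-repository): the manual steps in the question, wrapped as a reusable shell recipe that expands ppa:<user>/<archive>, accepts only the full 40-digit fingerprint shown on the PPA's Launchpad page, re-checks the imported key against it, and scopes the key with signed-by. The function names and the <user>-<archive> file naming are assumptions, and the key is written with gpg --export as a binary keyring instead of having gpg create the keyring file directly as in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names and the keyring/list
# naming (<user>-<archive>) are assumptions chosen for illustration.

# Split "ppa:user/archive" into "user archive"; a bare "ppa:user" means archive "ppa".
ppa_parse() {
    case "$1" in ppa:*) spec=${1#ppa:} ;; *) return 1 ;; esac
    user=${spec%%/*}
    case "$spec" in */*) archive=${spec#*/} ;; *) archive=ppa ;; esac
    [ -n "$user" ] && [ -n "$archive" ] || return 1
    # Reject characters that could alter the URL or file paths built from these.
    case "$user$archive" in *[!A-Za-z0-9.+-]*) return 1 ;; esac
    case "$user/$archive" in [!A-Za-z0-9]*|*/[!A-Za-z0-9]*) return 1 ;; esac
    printf '%s %s\n' "$user" "$archive"
}

# Accept only a full 40-hex-digit fingerprint, never a short key ID.
ppa_valid_fpr() {
    [ "${#1}" -eq 40 ] || return 1
    case "$1" in *[!0-9A-Fa-f]*) return 1 ;; esac
}

# Emit the sources.list.d line; signed-by limits the key to this one repository.
ppa_sources_line() {  # args: user archive codename keyring arch
    printf 'deb [arch=%s signed-by=%s] https://ppa.launchpadcontent.net/%s/%s/ubuntu %s main\n' \
        "$5" "$4" "$1" "$2" "$3"
}

# Fetch the key, check the imported fingerprint, then write keyring and list file.
ppa_install() {  # args: ppa:spec fingerprint codename (root and network required)
    parsed=$(ppa_parse "$1") || return 1
    ppa_valid_fpr "$2" || return 1
    u=${parsed% *}; a=${parsed#* }
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --keyserver keyserver.ubuntu.com --recv-keys "$want" &&
    got=$(gpg --homedir "$tmp" --with-colons --fingerprint |
          awk -F: '$1 == "fpr" { print $10; exit }') &&
    [ "$got" = "$want" ] &&
    gpg --homedir "$tmp" --export "$want" > "/usr/share/keyrings/$u-$a.gpg" &&
    ppa_sources_line "$u" "$a" "$3" "/usr/share/keyrings/$u-$a.gpg" \
        "$(dpkg --print-architecture)" > "/etc/apt/sources.list.d/$u-$a.list"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

With the values from the question, the call would be: ppa_install ppa:dwmw2/openconnect DBBE5FF954B458D1A0875E8A9FCCDFFB8838752F bionic, followed by apt update.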