How to circumvent "apt-key output should not be parsed"?

I'm automating my Docker installation. Something like this:

if apt-key fingerprint 0EBFCD88 | grep "Key fingerprint = 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88" > /dev/null
then
  # proceed
fi

This worked fine in older versions of apt-key, but recent versions have two issues:

  1. A different output format: I can hack around that
  2. A warning:

    Warning: apt-key output should not be parsed (stdout is not a terminal)
    

Clearly, I can hack around this as well, just redirect stderr to /dev/null. It just made me curious:

How do these fine folks suggest I verify my key fingerprints? Or am I getting this fundamentally wrong by wanting to automate it, does that defeat the point? (I think not, since I still manually lifted the expected fingerprint from the website, but feel free to tell me otherwise...)


Solution 1:

From apt-key sources, you can set APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE to a non-empty value to disable this warning.

You can also use "grep -q" so you don't need to redirect stdout in /dev/null either.

Solution 2:

To reply to the part "am I getting this fundamentally wrong":

I believe that possibly yes. That's the reason of the warning.

You don't write what you do exactly, but one thing to realize is:

The keys do have some expiration so after some time the fingerprint in your script will become obsolete and possibly it will not behave as expected anymore.

Once the repository and its key is installed so the system somehow upgrades the key automatically but when the repository is initially added so an up-to-date key has to be provided. In my scripts automating the installation I do not test whether a key was already added but I test whether the repository was already added. If the repository was not added, so I add it together with an up-to-date key that I download always from its URL.

Solution 3:

I'm modifying the command itself to use batch mode so it will not complain about stdout. For the bigger apt-key this will work, quickly tested on debian:

sed -i "s%{GPG_EXE}\")' --%{GPG_EXE}\")' --batch --%g" /usr/bin/apt-key

While for the smaller apt-key this could work (untested as I can't recall exactly where I have seen this simpler variant):

sed -i 's%GPG_CMD="gpg %GPG_CMD="gpg --batch %g' /usr/bin/apt-key

You need privileges to write to the /usr/bin/apt-key so either run as root or use sudo