From 5a44cfe2991b7f0f54b26b70162ae60502be6615 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Mon, 7 Oct 2019 00:01:15 +0100
Subject: [PATCH] Fix Debian package installation instructions

This tries to conform with:

https://wiki.debian.org/DebianRepository/UseThirdParty

We also change keyservers to avoid signature flooding
attacks. Ideally, the repository would ship its own key, to avoid
writing that key in the user's keyring, but this fixes the worst of
the problems (short key ID attacks and flooding).
---
 README.md | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 17826dc..e5fa4ec 100644
--- a/README.md
+++ b/README.md
@@ -21,17 +21,16 @@ option, you can build the software from source.
 
 Add this line to your `sources.list`:
 
-    deb http://debian.incal.net/debian liber/
+    deb [signed-by=/usr/share/keyrings/incal-archive-keyring.gpg] http://debian.incal.net/debian liber/
 
 Then make sure the GPG key used to sign the repository is installed,
 update the package sources, and install the `liber` package:
 
-    $ sudo apt-key adv --keyserver hkp://pool.sks-keyservers.net/ \
-        --recv C0EAC2F9CE9ED9B0
+    $ gpg --keyserver hkp://keys.openpgp.org/ --recv 06F524BFE221CD1F65DF57F5C0EAC2F9CE9ED9B0
+    $ gpg --export --export-options export-minimal 06F524BFE221CD1F65DF57F5C0EAC2F9CE9ED9B0 | sudo tee /usr/share/keyrings/incal-archive-keyring.gpg > /dev/null
     $ sudo apt-get update
     $ sudo apt-get install liber
 
-
 ### Build from source
 
 To compile liber from source, you will need a working [Go](http://golang.org/)
-- 
GitLab