Store apt key sensible location #2475

Closed
1 task done
KwadroNaut opened this issue Jun 20, 2018 · 2 comments

@KwadroNaut

  • I have searched open and closed issues for duplicates

Bug description

The Linux install instructions refer to the use of apt-key add. While common, it's generally a bad idea to mix this key in with others. Best is to make it available separately and mark it acceptable for this repository only.
Current recommendations:

curl -s https://updates.signal.org/desktop/apt/keys.asc | sudo apt-key add -
echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" | sudo tee -a /etc/apt/sources.list.d/signal-xenial.list
sudo apt update && sudo apt install signal-desktop

Expected something like:

curl -s https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | sudo tee /usr/share/keyrings/signal-xenial-pub.gpg >/dev/null
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/signal-xenial-pub.gpg] https://updates.signal.org/desktop/apt xenial main" | sudo tee -a /etc/apt/sources.list.d/signal-xenial.list
sudo apt update && sudo apt install signal-desktop

More background info: https://wiki.debian.org/DebianRepository/UseThirdParty https://lists.gnupg.org/pipermail/gnupg-users/2017-June/058502.html

Platform info

Signal version:
Irrelevant.

Operating System:
Description: Debian GNU/Linux 9.4 (stretch)

@strugee
Contributor

strugee commented Aug 13, 2018

@KwadroNaut you shouldn't put things in /usr/share manually; that's reserved for the package manager. Maybe you want to put it into /etc/apt/trusted.gpg.d (with apt-key add --keyring), but I don't know if the signed-by will still work to properly restrict the repositories the key can sign.

@KwadroNaut
Author

@strugee see linked Debian wiki page:

… to a location only writable by root, which SHOULD be /usr/share/keyrings. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add.

/usr/share/ isn't reserved for the package manager, it's just architecture-independent (shared) data.
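
A check for the property this thread is about, as an added example that is not part of the issue or of Signal's instructions: it classifies one-line-style APT source entries by whether they carry a signed-by option, so entries that still rely on the global keyring stand out. The function names and the sample file are constructed for illustration; deb822-style .sources files are not handled.

```shell
#!/bin/sh
# Added example, not from the issue thread. Handles one-line ".list" entries only.

# check_entry LINE prints one of:
#   "scoped <keyring>"  entry is verified only against the signed-by keyring
#   "global"            no signed-by: any globally trusted key is accepted
#   "skip"              comment, blank line or anything that is not deb/deb-src
check_entry() {
    line=$1
    line=${line#"${line%%[![:space:]]*}"}       # trim leading whitespace
    case $line in
        deb[[:space:]]*|deb-src[[:space:]]*) ;;
        *) echo skip; return 0 ;;
    esac
    rest=${line#*[[:space:]]}                   # drop the type word
    rest=${rest#"${rest%%[![:space:]]*}"}
    case $rest in
        "["*"]"*) opts=${rest#\[}; opts=${opts%%\]*} ;;
        *) echo global; return 0 ;;             # no option block at all
    esac
    # Options inside the brackets are separated by spaces.
    case " $opts " in
        *" signed-by="*) key=${opts##*signed-by=}; echo "scoped ${key%% *}" ;;
        *) echo global ;;
    esac
}

# audit_sources DIR prints "file: entry" for every entry that is not scoped.
audit_sources() {
    for f in "$1"/*.list; do
        [ -f "$f" ] || continue
        while IFS= read -r entry || [ -n "$entry" ]; do
            if [ "$(check_entry "$entry")" = global ]; then
                printf '%s: %s\n' "$f" "$entry"
            fi
        done < "$f"
    done
}

# Constructed sample: the two entries quoted in the issue, in a temp directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/signal-xenial.list" <<'EOF'
# constructed sample file
deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main
deb [arch=amd64 signed-by=/usr/share/keyrings/signal-xenial-pub.gpg] https://updates.signal.org/desktop/apt xenial main
EOF
audit_sources "$demo_dir"
rm -rf "$demo_dir"
```

To audit a real system, call `audit_sources /etc/apt/sources.list.d`; every line it prints is an entry whose packages would be accepted under any key in the global trusted keyring.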
