Discussion: should postgresql-common depend on ca-certificates?

should postgresql-common depend on ca-certificates?

From
Peter Eisentraut
Date:
If I follow the Quickstart at 
https://wiki.postgresql.org/wiki/Apt#Quickstart but use 
--no-install-recommends, things don't quite work.  (I realize I'm going 
off the well-trodden path, but this is useful for CI setups to avoid 
installing packages you don't strictly need.)  For example, on Ubuntu 24.04:

apt-get update
apt-get -y --no-install-recommends install gnupg postgresql-common
/usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y

Then you get warnings like this:

   Certificate verification failed: The certificate is NOT trusted. The 
certificate issuer is unknown.  Could not handshake: Error in the 
certificate verification. [IP: 151.101.3.52 443]
W: https://apt.postgresql.org/pub/repos/apt/dists/noble-pgdg/InRelease: 
No system certificates available. Try installing ca-certificates.

When you install ca-certificates, then the whole thing works. 
Apparently, there is a "recommends" dependency somewhere down the chain, 
but postgresql-common itself doesn't mention it.

I don't know what the right solution is, but maybe a combination of

1) postgresql-common at least "suggests" ca-certificates.
2) apt.postgresql.org.sh should do more checking that the setup it 
creates actually works.
3) The wiki page quickstart makes more explicit mention of 
ca-certificates.  (It is mentioned for the manual setup.)



Re: should postgresql-common depend on ca-certificates?

From
Christoph Berg
Date:
Re: Peter Eisentraut
>   Certificate verification failed: The certificate is NOT trusted. The
> certificate issuer is unknown.  Could not handshake: Error in the
> certificate verification. [IP: 151.101.3.52 443]
> W: https://apt.postgresql.org/pub/repos/apt/dists/noble-pgdg/InRelease: No
> system certificates available. Try installing ca-certificates.

Good point, thanks for bringing this up.

> I don't know what the right solution is, but maybe a combination of
> 
> 1) postgresql-common at least "suggests" ca-certificates.

In my view, the apt.postgresql.org.sh script is just a side-feature of
that package, so adding a ca-certificates dependency would be wrong.
And recommends/suggests don't really solve the problem.

> 2) apt.postgresql.org.sh should do more checking that the setup it creates
> actually works.

Maybe. Otoh people (or CI setups) might run the script, and do the
package installation later. I also wouldn't quite know what to check
there, except for running `apt update` which it is already doing.

> 3) The wiki page quickstart makes more explicit mention of ca-certificates.
> (It is mentioned for the manual setup.)

I added "ca-certificates" to the TL;DR recipe. That makes it less
crisp, but now it's guaranteed to work.

Christoph
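
One way a CI job could check the two things this exchange turns on: that a system CA bundle is present, and that apt's output does not contain the TLS warnings quoted above. This is an added example, not code from apt.postgresql.org.sh or from either poster; the function names are hypothetical, the bundle path is assumed to be the Debian/Ubuntu default, and the sample log lines are constructed from the warning quoted in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of apt or postgresql-common.

# Succeeds if ROOT (default: the live system) holds a non-empty PEM CA bundle
# at the Debian/Ubuntu default path (assumed) written by ca-certificates.
has_ca_bundle() {
    bundle="${1:-}/etc/ssl/certs/ca-certificates.crt"
    [ -s "$bundle" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle"
}

# Succeeds if apt output on stdin contains the TLS trust failures quoted in
# the thread. They appear there as W: warnings, so the text itself is scanned
# rather than relying on the exit status alone.
apt_log_has_tls_failure() {
    grep -q -E 'Certificate verification failed|Could not handshake|No system certificates available'
}

# Constructed sample: the warning text quoted in the thread.
sample_failed_update() {
    cat <<'EOF'
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 151.101.3.52 443]
W: https://apt.postgresql.org/pub/repos/apt/dists/noble-pgdg/InRelease: No system certificates available. Try installing ca-certificates.
EOF
}

# Constructed sample of a clean run (illustrative, not captured output).
sample_clean_update() {
    cat <<'EOF'
Hit:1 https://apt.postgresql.org/pub/repos/apt noble-pgdg InRelease
Reading package lists...
EOF
}

# Reads an `apt-get update` log on stdin. Returns 0 if the repo setup looks
# usable, 2 if no CA bundle exists under ROOT, 3 if the log shows TLS failures.
check_pgdg_setup() {
    if ! has_ca_bundle "${1:-}"; then
        echo "no system CA bundle; install ca-certificates" >&2
        return 2
    fi
    if apt_log_has_tls_failure; then
        echo "apt could not verify the repository's TLS certificate" >&2
        return 3
    fi
    return 0
}
```

In a pipeline this would be used as `apt-get update 2>&1 | check_pgdg_setup`, failing the job on a non-zero status.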



Re: should postgresql-common depend on ca-certificates?

From
Christophe Courtois
Date:
On 09/10/2025 at 17:12, Christoph Berg wrote:
(✂️✂️✂️)

>> 3) The wiki page quickstart makes more explicit mention of ca-certificates.
>> (It is mentioned for the manual setup.)
> I added "ca-certificates" to the TL;DR recipe. That makes it less
> crisp, but now it's guaranteed to work.

BTW: I recently discovered that the PGDG repository can be installed 
with "extrepo enable postgresql"  (same URL, different keys)

The wiki says nothing about this.

Is it a good idea/discouraged/an alternative way/the next recommended way?

Thanks!

-- 
_________  ____
|         ||    |   Christophe Courtois
|         ||__  |   Consultant DALIBO
|         |   | |   43, rue du Faubourg Montmartre
|    -    |  / /    75009 Paris
|___| |___|  \/     www.dalibo.com