ljmc's blog

Installing ODBC Driver for SQL Server on Debian Buster, Bullseye or Bookworm, the Debian way

2024-01-28

Microsoft offers installation instructions for its ODBC Driver for SQL Server on several Linux distributions, including Debian, which I tend to use for docker images.

The instructions are very simple:

  1. set up the Microsoft GPG public key in /etc/apt/trusted.gpg.d/
  2. set up the Microsoft APT repository in /etc/apt/sources.list.d/
  3. update the APT cache
  4. install the packages with

However, those instructions are not aligned with the Debian instructions to use third-party repositories by using the /etc/apt/trusted.gpg.d/ directory. APT unconditionally trusts any key located in /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d/ the for all repositories. Putting Microsoft’s key in there means it could be used on any repo to sign any package, APT would be none the wiser, and Microsoft signing process has recently shown a certain tendency to be abused.

Instead, we will use the signed-by option in the sources.list file that sets up the repository. This option is actually the cause of the error that happens when following the Microsoft instructions in Debian 12, the list file downloaded from Microsoft comes with a signed-by option that points to a file that is never set up in the previous instructions. Disregarding the missing instructions, there is still a problem with the signed-by option as it is provided. Managing the Microsoft key is clearly left to the user, yet the key is expected in /usr/share/keyrings/ which is the recommended location for package managed keys. We’ll use the expected /etc/apt/keyrings for user managed keys.

For all releases, setting up Microsoft’s public key in /etc/apt/keyrings/:

curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | \
	sudo gpg --dearmor --output /etc/apt/keyrings/microsoft-prod.gpg

For Debian Buster (10) and Bullseye (11), adding the signed-by option:

curl -fsSL https://packages.microsoft.com/config/debian/10/prod.list | \
	sed 's;\]; signed-by=/etc/apt/keyrings/microsoft-prod.gpg\];' | \
	sudo tee /etc/apt/sources.list.d/mssql-release.list

curl -fsSL https://packages.microsoft.com/config/debian/11/prod.list | \
	sed 's;\]; signed-by=/etc/apt/keyrings/microsoft-prod.gpg\];' | \
	sudo tee /etc/apt/sources.list.d/mssql-release.list

For Debian Bookworm (12), fixing Microsoft’s signed-by option:

curl -fsSL https://packages.microsoft.com/config/debian/12/prod.list | \
	sed 's;signed-by=/usr/share/;signed-by=/etc/apt/;' | \
	sudo tee /etc/apt/sources.list.d/mssql-release.list

For all releases, this will also print the new list file for the ODBC Driver for SQL Server which should look like:

deb [arch=amd64,arm64,armhf signed-by=/etc/apt/keyrings/microsoft-prod.gpg] https://packages.microsoft.com/debian/##/prod ######## main

If it looks any different, then something has gone wrong or these instructions are out of date.

Otherwise you can now update your APT cache and install msodbcsql as well as mssql-tools if you need them.

sudo apt-get update
sudo ACCEPT_EULA=Y apt-get install -y msodbcsql18  # or msodbcsql17
sudo ACCEPT_EULA=Y apt-get install -y mssql-tools18  # or mssql-tools