apt repo: narrow scope of cryptographic authority (avoid "apt-key add -") #200
For modern debian and debian-derived systems, you can specify which
OpenPGP certificates are specifically allowed for which repositories.
So currently, if someone with access to debian or ubuntu signing keys
(or copies of repositories signed by those keys) was able to write to
https://dlownload.fluidkeys.com/dekstop/apt/, they would be able to
inject installable packages on end-user systems, even though the
fluidkeys signing keys are still protected.
Additionally, piping the fluidkeys APT repo OpenPGP certificate into
"apt-key add -" indicates that the fluidkeys organization is
acceptable to certify all repos on the system. You probably don't
want that responsibility.
This arrangement (the signed-by option) works fine on debian stretch
(apt 1.4.9), which is currently "oldstable", but doesn't work on
jessie (apt 1.0.9.8.4). I think that's a reasonable tradeoff in 2019.
I believe it was added in apt 1.1, so it should work in ubuntu xenial
and later, but I haven't tested it on that platform.
See also: https://wiki.debian.org/DebianRepository/UseThirdParty
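The two arrangements the description contrasts, as an added example (this is not code from the fluidkeys project or from the pull request). The "before" form drops the certificate into the global apt keyring, so that key can then sign any repository on the system and any other globally trusted key can sign the fluidkeys repository; the "after" form binds the repository to one keyring file via signed-by. The repository URL, suite, component and keyring path are assumptions chosen for illustration (the keyring location follows the naming the Debian wiki page linked above recommends); the check at the end only inspects a sources.list line, so it runs without apt or gpg installed.

```shell
#!/bin/sh
# Added example, not from the fluidkeys PR. Contrasts global apt-key trust
# with a repository scoped to a single keyring via signed-by.
# Everything below marked "assumed" is illustrative, not from the page.

REPO_URL="https://download.fluidkeys.com/desktop/apt"          # assumed
SUITE="stretch"                                                # assumed
COMPONENT="main"                                               # assumed
KEYRING="/usr/share/keyrings/fluidkeys-archive-keyring.gpg"    # assumed path

# BEFORE (avoid): the certificate lands in apt's global trust store, so it
# may sign every configured repository, and every other key already in the
# store may sign this one. Shown as comments; not executed here.
#   curl -fsSL "$REPO_URL/key.asc" | apt-key add -
#   echo "deb $REPO_URL $SUITE $COMPONENT" > /etc/apt/sources.list.d/fluidkeys.list

# AFTER: convert the ASCII-armored certificate into a binary keyring that
# apt's signed-by option accepts. Needs gpg and root; not run here.
install_keyring() {
    gpg --dearmor < "$1" > "$KEYRING"
    chmod 0644 "$KEYRING"
}

# Build the sources.list line that ties this repository to exactly one
# keyring file (apt >= 1.1 understands the signed-by option).
#   $1 repo URL, $2 suite, $3 component, $4 keyring path
make_sources_entry() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$4" "$1" "$2" "$3"
}

# Audit helper: does a sources.list line carry a signed-by option?
# Returns 0 (scoped trust) or 1 (relies on the global keyring).
# Handles both "[signed-by=...]" alone and "[arch=amd64 signed-by=...]".
has_signed_by() {
    case "$1" in
        *"[signed-by="*|*" signed-by="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: print the scoped entry and audit both forms.
entry="$(make_sources_entry "$REPO_URL" "$SUITE" "$COMPONENT" "$KEYRING")"
printf '%s\n' "$entry"
has_signed_by "$entry" && echo "scoped: trust limited to $KEYRING"
has_signed_by "deb $REPO_URL $SUITE $COMPONENT" || echo "unscoped: any globally trusted key may sign this repo"
```

To apply it on a real host, write the output of make_sources_entry to a file under /etc/apt/sources.list.d/ and run install_keyring on the downloaded certificate; has_signed_by can be looped over existing sources.list.d entries to find repositories still depending on the global keyring.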