What is the best practice for a 3rd party repo to distribute its GPG key?

Asked by zimbatm

Ubuntu gets to distribute its keys using the "ubuntu-keyring" package which is itself meta-validated.

The problem is for third-party repos. Most of them are using the following pattern: `curl http://repo/key.gpg | apt-key add -`. I'm writing here to seek guidance from security experts. This seems wrong to me and would like to see what you think and if a best practice could be established.

In my view the pattern is not secure because first most of these repos don't use SSL which opens the road to MITM attacks and arbitrary code execution if the client installs a package. Even if SSL is used it doesn't seem very secure; certificates can be forged by compromised/government CAs. Or if the storage is compromised the key can also be changed and the packages re-signed.

Therefore it seems to me that it would be best to disseminate the key's fingerprint as widely as possible to avoid a single point of failure by replacing the installation instruction with something like this: `apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 36A1D7869245C8950F966E92D8576A8BA88D21E9`. I suspect this pattern hasn't caught on because it's using an undocumented feature of `apt-key`. If this is a better pattern then it might be worth adding a documented and first-class `apt-key recv-key FINGERPRINT [KEY_SERVER]`.

What do you think?

Question information: Language: English; Status: Answered; For: Ubuntu apt; Assignee: none
actionparsnip (andrew-woodhead666) said :
#1

If you use the add-apt-repository command then it is all handled for you. Lots easier.

actionparsnip (andrew-woodhead666) said :
#2

You can report a security bug due to no SSL but the risk is minimal and as long as there is no DNS poisoning the packages will download from the same server.

zimbatm (zimbatm) said :
#3

I tried using `add-apt-repository` but it only seems to be fetching the keys when using a PPA. Example: `add-apt-repository 'deb http://get.docker.io/ubuntu docker main'`.

I still think the best would be to be able to inline the fingerprint in the command to make sure it's widely distributed. Another backward-compatible option would be to extend `apt-key add` to receive an optional second argument with the fingerprint so that only the key matching that fingerprint would be accepted and added.
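The check proposed in the question and in reply #3 (accept a downloaded key only when it matches a fingerprint obtained through another channel) can be done without any extension to `apt-key`. The following is an added example written for this thread; it is not code from the thread, from apt, or from GnuPG. It parses the OpenPGP packets of a downloaded key (binary or ASCII-armored), computes the v4 fingerprint of the primary key as defined in RFC 4880, and compares it with the pinned value. The key at the bottom is constructed with toy numbers so the script runs offline; the pinned fingerprint in the `__main__` block stands in for a value you would have copied from the vendor's documentation or a second source.

```python
"""Pinned-fingerprint check for a third-party apt signing key.

Added example; not code from the Launchpad thread, apt or GnuPG. Fetch the
key over any channel, but install it only if its OpenPGP v4 fingerprint
equals one published out of band. Handles binary and ASCII-armored keys.
The sample key below is constructed with toy values and is not a real key.
"""
import base64
import hashlib
import re

ARMOR_RE = re.compile(
    rb"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)\r?\n-----END PGP PUBLIC KEY BLOCK-----",
    re.S,
)


def dearmor(data: bytes) -> bytes:
    """Return binary packets from an ASCII-armored key; pass binary input through."""
    m = ARMOR_RE.search(data)
    if not m:
        return data
    body = m.group(1).replace(b"\r\n", b"\n")
    if b"\n\n" in body:  # armor headers (Version:, Comment:) end at the blank line
        body = body.split(b"\n\n", 1)[1]
    # Drop the "=XXXX" CRC-24 line; the fingerprint comparison is the real integrity test.
    lines = [ln for ln in body.split(b"\n") if ln and not ln.startswith(b"=")]
    return base64.b64decode(b"".join(lines))


def packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880 section 4.2 headers)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % i)
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial-body lengths are not supported")
        else:  # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || 2-byte body length || body (RFC 4880 section 12.2)."""
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def primary_fingerprint(key_data: bytes) -> str:
    """Fingerprint of the primary key (tag 6); subkeys are tag 14 and are skipped."""
    for tag, body in packets(dearmor(key_data)):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")


def key_matches(key_data: bytes, expected: str) -> bool:
    """True only if the primary fingerprint equals the pinned value (spaces and case ignored)."""
    return primary_fingerprint(key_data) == re.sub(r"\s+", "", expected).upper()


def constructed_sample_key() -> bytes:
    """Syntactically valid v4 RSA public-key packet with toy numbers. Constructed, not a real key."""
    body = bytes([4]) + (100_000_000).to_bytes(4, "big") + bytes([1])  # version, created, RSA
    body += (24).to_bytes(2, "big") + (0xC0FFEE).to_bytes(3, "big")   # MPI n: bit count, bytes
    body += (17).to_bytes(2, "big") + (65537).to_bytes(3, "big")      # MPI e
    return bytes([0x99]) + len(body).to_bytes(2, "big") + body        # old-format header, tag 6


def constructed_sample_armored() -> bytes:
    """Same key in ASCII armor (the CRC line is a placeholder, which dearmor ignores)."""
    b64 = base64.b64encode(constructed_sample_key())
    return (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            + b64 + b"\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")


if __name__ == "__main__":
    pinned = primary_fingerprint(constructed_sample_key())  # stands in for the out-of-band value
    print("install" if key_matches(constructed_sample_armored(), pinned) else "refuse")
```

In an install script the `refuse` branch must abort before the key reaches any apt keyring; when the check passes, put the verified key in its own keyring file and reference it from the source entry with `signed-by` rather than piping it into `apt-key add`, which current apt releases mark as deprecated. Note that the comparison is against the full 40-hex-digit fingerprint, not a short key ID, since short IDs are cheap to collide.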
