
Re: holes in secure apt

On Thu, 12 Jun 2014 19:43:56 +0100
Wookey <wookey@wookware.org> wrote:

> +++ Christoph Anton Mitterer [2014-06-12 01:06 +0200]:
> > - [c]debootstrap
> > I think they both default now to verify signatures (which is a good
> > thing)... but IIRC, debootstrap also defaults to not verify
> > anything... if the keyrings aren't installed - admittedly this is
> > unlikely... but possible...
> I found that I could not get debootstrap to do verified downloads from
> debian-ports with a debian-ports key. Whatever I did with apt-key,
> keys and --keyring options, it just said that the key was unavailable
> and stopped. Nice and secure, but useless, so I've had to use 
> sudo debootstrap --no-check-gpg unstable debian-arm64
> http://ftp.debian-ports.org/debian in the meantime.
> So it does default to signed downloads and SFAIK will always do this
> wether or not any keys are installed/available, unless explicitly
> disabled.
> And yes I should report a bug but have failed to do so thus far.
> If someone can tell me what I'm doing wrong that would improve the
> security of this particular usage :-)

This works for me:

sudo apt install debian-ports-archive-keyring
sudo apt-key add /usr/share/keyrings/debian-ports-archive-keyring.gpg
sudo debootstrap --variant=buildd --foreign --arch=arm64 \
    --keyring /usr/share/keyrings/debian-ports-archive-keyring.gpg \
    sid arm64-sid http://ftp.de.debian.org/debian-ports

Make sure apt-key list shows something including:

pub   4096R/623DB0B8 2014-01-16 [expires: 2015-01-31]
uid                  Debian Ports Archive Automatic Signing Key (2014) <ftpmaster@debian-ports.org>


Neil Williams
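A fail-closed wrapper around the steps in the message above, added here as an example and not part of the thread or of debootstrap itself. It assumes gpg is installed and takes the keyring path and the 623DB0B8 key ID from the message; when the key is not in the keyring it stops with an error instead of falling back to --no-check-gpg.

```shell
#!/bin/sh
# Added example, not from the thread: refuse to bootstrap unless the
# expected archive signing key is present in the keyring, so a missing
# keyring is an error rather than a reason to pass --no-check-gpg.
# Assumes gpg is installed; keyring path and short key ID are the ones
# shown in the message above.

KEYRING="${KEYRING:-/usr/share/keyrings/debian-ports-archive-keyring.gpg}"
EXPECTED_KEYID="${EXPECTED_KEYID:-623DB0B8}"

# keyring_has_key KEYRING KEYID
# Returns 0 when a public key whose ID ends in KEYID is in KEYRING,
# 1 otherwise (unreadable keyring, gpg failure, or key absent).
keyring_has_key() {
    kr="$1"
    kid="$2"
    if [ ! -r "$kr" ]; then
        echo "keyring not readable: $kr" >&2
        return 1
    fi
    # Field 5 of a "pub" record in --with-colons output is the long key ID;
    # the short ID from apt-key list is its suffix.
    gpg --batch --no-default-keyring --keyring "$kr" \
        --list-keys --with-colons 2>/dev/null |
      awk -F: -v id="$kid" '
        $1 == "pub" && substr($5, length($5) - length(id) + 1) == id { found = 1 }
        END { exit !found }'
}

# safe_debootstrap SUITE TARGET MIRROR
# Runs the debootstrap command from the message, with an explicit
# --keyring, only after the key check has passed.
safe_debootstrap() {
    if ! keyring_has_key "$KEYRING" "$EXPECTED_KEYID"; then
        echo "refusing to bootstrap: key $EXPECTED_KEYID not in $KEYRING" >&2
        return 2
    fi
    sudo debootstrap --variant=buildd --foreign --arch=arm64 \
        --keyring "$KEYRING" "$1" "$2" "$3"
}
```

Call it as `safe_debootstrap sid arm64-sid http://ftp.de.debian.org/debian-ports` after installing debian-ports-archive-keyring.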

