Re: Check for revocation certificates before running apt-get?
On Sat, Dec 14, 2013 at 6:47 AM, adrelanos wrote:
> is it possible to hook apt-get somehow to do some action before
> apt-get starts any network activity?
Based on a quick grep of the apt package, APT::Update::Pre-Invoke
might be what you want.
Here is an extremely dangerous example of how it can be used:
http://www.webupd8.org/2009/06/automatically-import-launchpad-ppa-keys.html
It would be possible to do it in a secure way but that example is
definitely not secure.
> I would like to refresh gpg keys from a server first to check if any
> of them have been revoked in the meantime.
That sounds like a useful feature to have.
When you implement this, please ensure it isn't vulnerable to any
duplicate-keyid problems:
http://debian-administration.org/users/dkg/weblog/105
> (I am asking this because I would like to add such a feature to Whonix,
> which is a derivative of Debian. Hope you don't mind me asking here.)
I would encourage you to get that (or a background cron job) into
Debian instead; it is a pretty important security enhancement IMO.
--
bye,
pabs
http://wiki.debian.org/PaulWise
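
An added example, not from the thread and not Debian's or Whonix's own code: a script for an APT::Update::Pre-Invoke hook that refreshes keys by full fingerprint and reports any the keyring now marks revoked, so a key with a colliding key ID is never requested. The hook file name, script path, keyring path and keyserver URL are assumptions or placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical hook file
# /etc/apt/apt.conf.d/05refresh-keys (name and script path are assumptions):
#   APT::Update::Pre-Invoke { "/usr/local/sbin/apt-refresh-keys --run"; };

KEYRING=${KEYRING:-/etc/apt/trusted.gpg}          # assumption: keyring to check
KEYSERVER=${KEYSERVER:-hkps://keyserver.invalid}  # placeholder, set your own

# Accept only a full 40-hex-digit fingerprint; short key IDs can collide.
is_full_fingerprint() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Read `gpg --with-colons --fingerprint` output on stdin; print
# "<validity> <fingerprint>" per primary key, skipping subkey fpr records.
primary_keys() {
    awk -F: '
        $1 == "pub"         { validity = ($2 == "" ? "-" : $2); want = 1; next }
        $1 == "sub"         { want = 0; next }
        $1 == "fpr" && want { print validity, $10; want = 0 }'
}

# Fingerprints of primary keys whose validity field is "r" (revoked).
revoked_fingerprints() {
    primary_keys | awk '$1 == "r" { print $2 }'
}

gpg_keyring() {
    gpg --batch --no-default-keyring --keyring "$KEYRING" "$@"
}

main() {
    fprs=$(gpg_keyring --with-colons --fingerprint | primary_keys | awk '{ print $2 }')
    for fpr in $fprs; do
        is_full_fingerprint "$fpr" || continue
        # Ask by full fingerprint, never by a short key ID another key can share.
        gpg_keyring --keyserver "$KEYSERVER" --recv-keys "$fpr" || true
    done
    revoked=$(gpg_keyring --with-colons --fingerprint | revoked_fingerprints)
    [ -z "$revoked" ] && return 0
    printf 'Revoked keys in %s:\n%s\n' "$KEYRING" "$revoked" >&2
    return 1
}

if [ "${1:-}" = "--run" ]; then main; fi
```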