
Limit what packages may be installed



Hi,

I'm trying to set up a "secure" upgrade mechanism for an embedded Linux product (based on Yocto) using apt. The customer should only be allowed to install/alter software by installing packages signed by us. My idea is that the user will not have root access but will be allowed to execute apt-get specifically using sudo from an "admin" user account (configured in /etc/sudoers). We will deliver the product with a pre-installed PGP key with which packages should be approved.

Now, how can I guarantee that only packages signed by our key, or originating from a source signed by us, can be installed? It seems signature checking can be circumvented simply by providing command line options to apt-get that e.g. alter which sources to use and disable signature checking for these sources.

Do you think it is possible at all to get the "security" we want this way?

/Mikael
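One way to approach the constraint described in the post, as an added example that is not from the original thread: instead of granting sudo on /usr/bin/apt-get itself, sudoers grants a small wrapper (assumed path /usr/local/sbin/apt-wrapper) that accepts only a fixed subcommand vocabulary and bare package names, so no apt-get option, local .deb path or alternative sources list can reach the real binary. The two `-o` settings pinned on the command line are real apt configuration keys; the wrapper path and the "admin" account name are assumptions.

```sh
#!/bin/sh
# Constructed example wrapper (not from the original post). Intended sudoers line:
#   admin ALL=(root) NOPASSWD: /usr/local/sbin/apt-wrapper
# The admin account is deliberately NOT granted /usr/bin/apt-get directly.

# Debian package-name grammar: lower-case letters, digits, '+', '-', '.',
# at least two characters, starting with an alphanumeric. We additionally require
# an alphanumeric at the end, so apt-get's "pkg-" (remove) and "pkg+" suffixes,
# "pkg=version" / "pkg/suite" selectors and local ./file.deb paths are all refused.
is_pkg_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9][a-z0-9+.-]*[a-z0-9]$'
}

# Accept only: "update", "upgrade", or "install <pkg>...". Anything that is not
# a listed subcommand or a valid package name (so every "-x"/"--long" option) fails.
validate_args() {
    [ "$#" -ge 1 ] || return 1
    case "$1" in
        update|upgrade) [ "$#" -eq 1 ] || return 1 ;;
        install)        [ "$#" -ge 2 ] || return 1 ;;
        *)              return 1 ;;
    esac
    shift
    for arg in "$@"; do
        is_pkg_name "$arg" || return 1
    done
    return 0
}

# Validate, then exec apt-get with authentication requirements pinned on the
# command line so the wrapper does not depend on apt.conf alone.
run_apt() {
    validate_args "$@" || { echo "apt-wrapper: refused: $*" >&2; return 2; }
    exec /usr/bin/apt-get \
        -o APT::Get::AllowUnauthenticated=false \
        -o Acquire::AllowInsecureRepositories=false \
        "$@"
}

# Dispatch only when invoked under the installed name, so the functions can be
# sourced and tested without touching the package system.
case "$0" in
    */apt-wrapper) run_apt "$@" ;;
esac
```

With sudo's default env_reset and the sudoers rule naming only the wrapper, the admin user cannot pass options, paths or environment to apt-get, and the sources and keyring shipped on the device remain the only trust anchor apt consults.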

