Replace use of apt-key with gpg commands and appropriate edits to <repo>.list #6447

Open
zenmonkeykstop opened this issue May 13, 2022 · 2 comments
Labels
hackathon help wanted Issues we would definitely appreciate volunteer help with

Comments

@zenmonkeykstop
Contributor

Description

apt-key has been deprecated (will be removed after Bullseye and Ubuntu 22.04) in favour of:

  • using gpg directly to manage/inspect keys
  • storing said keys in a protected dir (only writable by root), like /usr/share/keyrings in Debian
  • adding signed-by directives in repo list entries

From a security perspective this is a good thing as keys installed via apt-key add work for any repos. The recommended Debian approach is documented in more detail here: https://wiki.debian.org/DebianRepository/UseThirdParty

This doesn't have to happen immediately, but at some stage server setup should be updated to remove use of apt-key in favour of installing the gpg key to said dir and making the necessary changes to /etc/apt/sources.list.d/apt_freedom_press.list

User Research Evidence

@legoktm
Member

legoktm commented May 19, 2022

I'm not exactly sure what the version support is, but we should take this opportunity to move toward deb822 sources: https://lists.debian.org/debian-devel/2021/11/msg00026.html

I believe we can embed the key directly in that file, which should help with apt-test vs prod apt.

@zenmonkeykstop zenmonkeykstop added hackathon help wanted Issues we would definitely appreciate volunteer help with labels Nov 2, 2022
@legoktm
Member

legoktm commented Feb 3, 2023

> I believe we can embed the key directly in that file, which should help with apt-test vs prod apt.

See https://manpages.debian.org/testing/apt/sources.list.5.en.html#THE_DEB_AND_DEB-SRC_TYPES:_OPTIONS

Per https://salsa.debian.org/apt-team/apt/-/commit/3f07f5345ec79702c3c769047452041b2c12953f support was added in 2.3.10, so it's supported in bookworm and jammy at the earliest.
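
An added example (not SecureDrop's code): a small audit that reports, for one-line `.list` entries and deb822 `.sources` stanzas alike, whether each repository is pinned to its own key through signed-by or still accepts any globally trusted key, which is the risk this issue describes. Hostnames, keyring paths and the key block are constructed placeholders.

```python
import re

# Constructed samples, not the project's real files; the key block is a placeholder.
ONE_LINE = """\
deb https://apt.example.org/debian bookworm main
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://apt.example.org/debian bookworm main
"""
DEB822 = """\
Types: deb
URIs: https://apt.example.org/debian
Suites: bookworm
Components: main
Signed-By:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 .
 (constructed placeholder, not a real key)
 -----END PGP PUBLIC KEY BLOCK-----
"""

def classify(value):  # how is the signing key for this entry scoped?
    value = value.strip()
    if not value:
        return "global-trust"  # any key in trusted.gpg / trusted.gpg.d is accepted
    if "BEGIN PGP PUBLIC KEY BLOCK" in value:
        return "embedded-key"  # key carried inside the deb822 file itself
    return "keyring-file" if value.startswith("/") else "fingerprint"

def audit_one_line(text):  # one-line-style .list file -> [(uri, scope)]
    found = []
    for line in text.splitlines():
        m = re.match(r"\s*deb(?:-src)?\s+(?:\[([^\]]*)\]\s+)?(\S+)", line)
        if m:  # commented-out entries never match
            opts = dict(o.split("=", 1) for o in (m.group(1) or "").split() if "=" in o)
            found.append((m.group(2), classify(opts.get("signed-by", ""))))
    return found

def audit_deb822(text):  # deb822 .sources file -> [(uri, scope)]
    found = []
    for stanza in re.split(r"\n\s*\n", text.strip()):  # blank line ends a stanza
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1].isspace() and key:  # continuation of a multi-line field
                fields[key] += "\n" + line.strip()
            elif ":" in line and not line.startswith("#"):
                name, _, value = line.partition(":")
                key = name.strip().lower()  # field names are case-insensitive
                fields[key] = value.strip()
        found += [(u, classify(fields.get("signed-by", ""))) for u in fields.get("uris", "").split()]
    return found
```

Any entry reported as `global-trust` is one that a key added with `apt-key add` for some other repository could also sign for.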

legoktm added a commit to freedomofpress/securedrop-client that referenced this issue Apr 2, 2024
apt now supports structured deb822-style `.sources` files that can also
contain the signing key, making distribution even easier. A bit of
substitution at build time is used to inject the correct distro version
that the package is being built for.

We can also eliminate the need for removing the GPG key from trusted.gpg
before installing by doing this during the provisioning step too.

There is a small downside related to testing that may need a bit more
work: the apt prod repository will now always be configured, so you have
to duplicate the file for apt-qa. It should be safe to layer packages
and repositories like this though, because versions on apt-test and
apt-qa should always have higher version numbers than prod.

Refs <freedomofpress/securedrop#6447>.
Refs
<freedomofpress/securedrop-workstation#876>.
Refs <#1788>.
legoktm added a commit to freedomofpress/securedrop-client that referenced this issue Apr 23, 2024
apt now supports structured deb822-style `.sources` files that can also
contain the signing key, making distribution even easier. A bit of
substitution at build time is used to inject the correct distro version
that the package is being built for.

We can also eliminate the need for removing the GPG key from trusted.gpg
before installing by doing this during the provisioning step too.

Because the key is contained in the file and therefore harder to audit
independently, a test verifies the fingerprint to ensure it's the
correct key.

There is a small downside related to testing that may need a bit more
work: the apt prod repository will now always be configured, so you have
to duplicate the file for apt-qa. It should be safe to layer packages
and repositories like this though, because versions on apt-test and
apt-qa should always have higher version numbers than prod.

Refs <freedomofpress/securedrop#6447>.
Refs
<freedomofpress/securedrop-workstation#876>.
Refs <#1788>.
legoktm added a commit to freedomofpress/securedrop-client that referenced this issue Apr 24, 2024
legoktm added a commit to freedomofpress/securedrop-workstation that referenced this issue Apr 25, 2024
The new .sources file contains the content of the old sources.list files
in a structured format and the PGP key, which makes it easy to ship in a
templated way.

Salt will provision `/etc/apt/sources.list.d/apt_freedom_press.sources`,
which will also be shipped and therefore overwritten by the
securedrop-keyring package. As a consequence, the prod repo will always
be enabled, even on staging/dev machines. This shouldn't have any
practical implications, because staging/dev packages should always have
higher version numbers.

In staging/dev, salt will provision `apt-test_freedom_press.sources`
with the respective components, using the apt-test key. If you then
switch to a prod environment, it'll be removed.

Fixes
<#876>.
Refs <freedomofpress/securedrop#6447>.
Refs <freedomofpress/securedrop-client#1788>.
legoktm added a commit to freedomofpress/securedrop-workstation that referenced this issue Apr 25, 2024
The new .sources file contains the content of the old sources.list files
in a structured format and the PGP key, which makes it easy to ship in a
templated way.

Salt will provision `/etc/apt/sources.list.d/apt_freedom_press.sources`,
which will also be shipped and therefore overwritten by the
securedrop-keyring package. As a consequence, the prod repo will always
be enabled, even on staging/dev machines. This shouldn't have any
practical implications, because staging/dev packages should always have
higher version numbers.

In staging/dev, salt will provision `apt-test_freedom_press.sources`
with the respective components, using the apt-test key. If you then
switch to a prod environment, it'll be removed.

This is a companion to
<freedomofpress/securedrop-client#1952>, which
updates the securedrop-keyring side.

Fixes
<#876>.
Refs <freedomofpress/securedrop#6447>.
Refs <freedomofpress/securedrop-client#1788>.
legoktm added a commit to freedomofpress/securedrop-workstation that referenced this issue May 7, 2024
micahflee pushed a commit to freedomofpress/securedrop-workstation that referenced this issue May 20, 2024
zenmonkeykstop pushed a commit to freedomofpress/securedrop-client that referenced this issue May 22, 2024
micahflee pushed a commit to freedomofpress/securedrop-client that referenced this issue May 29, 2024