[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: experimental .deb packages using "signed-by"

To: jerry <jerry@tr2.com>
Subject: Re: experimental .deb packages using "signed-by"
From: Graham Percival <gperciva@tarsnap.com>
Date: Thu, 14 Oct 2021 15:08:50 -0700
Cc: tarsnap-users@tarsnap.com
In-reply-to: <16026a858d964c1cafe0213de90b9bff@tr2.com>
References: <YWcpUmQV5NhL4gHY@beastie.local> <16026a858d964c1cafe0213de90b9bff@tr2.com>

Correct, there is absolutely no change for people compiling from source.

Cheers,
- Graham

On Thu, Oct 14, 2021 at 11:57:54AM -0700, jerry wrote:
> All,
> 
>    So can I understand that this is strictly a debian/apt issue?  That 
> those of us
> who download the source and build it, aren't affected?
> 
>                       - Jerry Kaidor
> 
> On 2021-10-13 11:45, Graham Percival wrote:
> > We have experimental packages and instructions for .deb packages which 
> > support
> > "signed-by" repositories.  This is relevant for people using Debian, 
> > Ubuntu,
> > Mint, ElementaryOS, Pop!_OS, etc.
> > 
> > The old method (using apt-key) is marked as deprecated, and is planned 
> > to be
> > removed from new distributions in mid-2022.  As far as I'm aware, any 
> > existing
> > installation should be fine in the future -- this isn't something that 
> > they
> > would change in the middle of a stable release's lifetime.  (For 
> > example, if
> > you're running Ubuntu 18.04, don't worry.)
> > 
> > We're currently testing:
> > - a new tarsnap-archive-keyring package.
> > - installation instructions which depend on the user's version of apt.
> > https://www.tarsnap.com/pkg-deb.html#experimental
> > 
> > If there's no reports of problems, we'll migrate them to the real 
> > packages in a
> > week.
> > 
> > 
> > History
> > - before apt 1.1~exp9 2015-08-18, gpg keys for third-party
> >   repositories had to either be added to /etc/apt/trusted.gpg directly,
> >   or added to /etc/apt/trusted.gpg.d/ as a separate file.  These keys
> >   are completely trusted by the system.
> > 
> >   Hypothetically, if a third-party repository includes a package called
> >   "passwd" which has a higher version number than the normal "passwd"
> >   package, the distro would happily install the third-party package.
> >   I leave the security implications of this as an exercise for the 
> > reader.
> > 
> > - after apt 1.1~exp9 (related stable release: apt 1.1 2015-11-26),
> >   repositories entries in sources.list could be marked as "signed-by".
> >   For example,
> >     deb http://pkg.tarsnap.com/deb/stretch ./
> >   turns into:
> >     deb [signed-by=/usr/share/keyrings/tarsnap-archive-keyring.gpg]
> > http://pkg.tarsnap.com/deb/stretch ./
> >   (all on one line)
> > 
> >   As a result, the system no longer needs to completely trust
> >   third-party keys; a malicious third-party "passwd" package would not
> >   be viewed as an upgrade to the base system "passwd" package.
> > 
> > - apt 2.1.8 2020-08-04 marked "apt-key" (which manages
> >   /etc/apt/trusted.g) as deprecated; scheduled for removal in Q2/2022.
> > 
> > 
> > What does that mean for us?
> > 
> > - people using old (2015 or earlier) distros still need the
> >   tarsnap-archive-keyring package to write the keyring to
> >   /etc/apt/trusted.gpg.d/
> > - people using the most recent (2021 or later) distros should use the
> >   "signed-by" method for new installations.
> > - people using distros between 2016 and 2021 could use either method 
> > for
> >   new installations.  (We will tell them to use the newer method.)
> > - if at all possible, people with existing tarsnap installations should
> >   not need to know about any changes.
> >   (i.e. `apt-get update && apt-get upgrade` should just work.)
> > 
> > Our solution for the tarsnap-archive-keyring packate is:
> > - if the system already has a
> >     /etc/apt/trusted.gpg.d/tarsnap-archive-keyring.gpg
> >   then copy the new archive keyring over that existing file.
> > - otherwise, don't write to /etc/apt/trusted.gpg/
> > 
> > This requires the use of postinst / postrm scripts, which is 
> > discouraged by the
> > Debian New Maintainer's Guide, but I can't see an alternate solution 
> > which
> > would work for new installations and existing installations at the same 
> > time
> > (without requiring existing users to manually edit files in /etc/).
> > 
> > 
> > For more details, here's the initial discussion:
> > https://github.com/Tarsnap/tarsnap/issues/475
> > and here's the commit in the tarsnap-public-keys repository:
> > https://github.com/Tarsnap/tarsnap-public-keys/commit/cc32d2b5fc2c3e955efe651dbeb65a6c708b8fab
> > 
> > Cheers,
> > - Graham Percival

References:
- experimental .deb packages using "signed-by"
  - From: Graham Percival <gperciva@tarsnap.com>
- Re: experimental .deb packages using "signed-by"
  - From: jerry <jerry@tr2.com>

Prev by Date: Re: experimental .deb packages using "signed-by"
Next by Date: Updated tarsnap-archive-keyring .deb package using "signed-by"
Previous by thread: Re: experimental .deb packages using "signed-by"
Next by thread: Updated tarsnap-archive-keyring .deb package using "signed-by"
Index(es):
- Date
- Thread