On 2021-07-01 09:01:57 -0400 (-0400), Kyle Edwards wrote:
[...]
> If [signed-by=] isn't the way to go, then what is? I recently
> updated the keyring package in our company's APT repository to
> automatically migrate people to [signed-by=] since apt-key (and
> with it /etc/apt/trusted.gpg.d) is deprecated.
[...]
It's not clear (to me at least) that placing keys into /etc/apt/trusted.gpg.d is deprecated, just managing keys with apt-key.

There's nothing especially wrong about using signed-by, but it's not the security fix some people seem to believe. In short, *any* package you install can run arbitrary commands as the root user on your system during installation. Only ever install packages from sources you implicitly trust, since the people who control those packages also essentially control your system. They don't need to masquerade as some other package repository which they've surreptitiously signed with their key, nor try to sneak into your system with conflicting package names; they can simply stick backdoors in the maintscripts of the packages you already want to install from them.

-- 
Jeremy Stanley