On 7/1/21 9:27 AM, Jeremy Stanley wrote:
> It's not clear (to me at least) that placing keys into
> /etc/apt/trusted.gpg.d is deprecated
According to https://wiki.debian.org/DebianRepository/UseThirdParty it is:
> The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by
> apt-key add.
> There's nothing especially wrong about using signed-by, but
> it's not the security fix some people seem to believe. In short,
> *any* package you install can run arbitrary commands as the root
> user on your system during installation.
Obviously, and the page linked above even says as much:
> However, the installation of any single malicious package from a
> malicious repository can currently undo these protections, for example
> by running a MaintainerScripts
> <https://wiki.debian.org/MaintainerScripts> command to override the
> configured preferences or by authorizing new OpenPGP keys. For the
> purposes of this page, /attacks by a package that belongs to a given
> repository/ are out of scope. To restrict /what an installed package can
> do/, see the larger UntrustedDebs
> <https://wiki.debian.org/UntrustedDebs> problem, and particularly
> Teams/Dpkg/Spec/DeclarativePackaging
> <https://wiki.debian.org/Teams/Dpkg/Spec/DeclarativePackaging> for a
> potential solution.
In fact, the automatic [signed-by=] migration that I implemented uses
exactly this avenue, albeit in an explicitly non-malicious way that
prompts the user first.
Kyle
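As an added illustration of the distinction the thread draws (example code, not from the thread, from Debian or from apt): a small audit that reads apt source entries in both the one-line and DEB822 formats and reports those that carry no signed-by option, i.e. repositories whose signing key would have to sit in the globally trusted keyring (/etc/apt/trusted.gpg.d). The sample entries and the example.org URIs are constructed.

```python
import re

# Constructed sample sources: one entry scoped with [signed-by=], one not,
# and one DEB822 stanza without a Signed-By field.
SAMPLE_ONELINE = """\
deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://deb.example.org/ bullseye main
deb https://legacy.example.org/debian bullseye main
# deb-src https://legacy.example.org/debian bullseye main
"""

SAMPLE_DEB822 = """\
Types: deb
URIs: https://other.example.org/debian
Suites: bullseye
Components: main
"""

def audit_oneline(text):
    """Return (URI, has_signed_by) for each active one-line source entry."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out entry
        m = re.match(r"^deb(?:-src)?\s+(?:\[([^\]]*)\]\s+)?(\S+)", line)
        if not m:
            continue
        options = m.group(1) or ""  # contents of the optional [...] block
        has_signed_by = any(o.startswith("signed-by=") for o in options.split())
        out.append((m.group(2), has_signed_by))
    return out

def audit_deb822(text):
    """Return (URIs, has_signed_by) for each DEB822 stanza (blank-line separated)."""
    out = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith("#"):
                k, v = line.split(":", 1)
                fields[k.strip().lower()] = v.strip()
        if "uris" in fields:
            out.append((fields["uris"], "signed-by" in fields))
    return out

def unscoped_sources(oneline, deb822):
    """URIs of entries whose key is not pinned with signed-by."""
    entries = audit_oneline(oneline) + audit_deb822(deb822)
    return [uri for uri, ok in entries if not ok]
```

The check only finds keys that are not scoped to a repository; as Jeremy points out above, scoping does nothing to limit what a package from that repository does once installed.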