ID: 0003601
Project: Site
Category: [All Projects] Documentation
View Status: public
Date Submitted: 2019-02-07 13:40
Last Update: 2019-02-12 13:47
Reporter: WubTheCaptain
Assigned To: Blzut3
Priority: normal
Severity: tweak
Reproducibility: always
Status: assigned
Resolution: open
OS: Debian GNU/Linux
Summary: 0003601: debian.drdteam.org suggests using deprecated "apt-key add" command
Description
Quote from apt-key(8)
Note: Instead of using this command a keyring should be placed directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive name and either "gpg" or "asc" as file extension.
Steps To Reproduce
Quote from https://debian.drdteam.org
To use, use the following command or add the "deb ..." line to your /etc/apt/sources.list:

$ wget -O- http://debian.drdteam.org/drdteam.gpg | sudo apt-key add -
$ sudo apt-add-repository 'deb http://debian.drdteam.org/ stable multiverse'
Additional Information: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851774
Notes

Note 0020339 by WubTheCaptain (reporter), 2019-02-07 13:44 (edited 2019-02-07 13:45)

I suggest the following syntax to fix this issue:

wget -qO - http://debian.drdteam.org/drdteam.gpg |
    sudo tee /etc/apt/trusted.gpg.d/drdteam.gpg |
    gpg -q -n --import --import-options import-show -

This will also dry-run GnuPG quietly to display the fingerprint for apt-secure(8) infrastructure. This requires GnuPG version 2.1.14 or later. No transitional package (gnupg2) is required in Debian, since Debian 9 (stretch).

(I didn't include HTTPS scheme here, as the original syntax doesn't either and apt can do fine securely with HTTP given apt-secure(8) precautions.)

Note 0020344 by WubTheCaptain (reporter), 2019-02-07 15:25 (edited 2019-02-07 16:43)

By the way: GPG keyboxes are unsupported by apt(8) at this time. This means the following two variations of GPG commands are incompatible (and probably overengineered):

wget -qO - http://debian.drdteam.org/drdteam.gpg |
    sudo gpg -q --import --import-options import-show --primary-keyring \
    /etc/apt/trusted.gpg.d/drdteam.gpg -

wget -qO - http://debian.drdteam.org/drdteam.gpg |
    sudo gpg -q --import --import-options import-show --no-default-keyring \
    --keyring /etc/apt/trusted.gpg.d/drdteam.gpg -

The warning would be:

Quote
W: The key(s) in the keyring /etc/apt/trusted.gpg.d/drdteam.gpg are ignored as the file has an unsupported filetype.

Note 0020350 by WubTheCaptain (reporter), 2019-02-07 16:59

Should 0003610 be fixed as I expect it to be, the command should become:

wget -qO - http://debian.drdteam.org/drdteam.asc |
    sudo tee /etc/apt/trusted.gpg.d/drdteam.asc |
    gpg -q -n --import --import-options import-show -

If not, then the right choice (as a workaround) would be:

wget -qO - http://debian.drdteam.org/drdteam.gpg |
    sudo tee /etc/apt/trusted.gpg.d/drdteam.asc |
    gpg -q -n --import --import-options import-show -

Note 0020357 by Blzut3 (administrator), 2019-02-10 07:39

Is the gpg import line actually needed? Experimenting with a docker container it seems that just adding the key to trusted.gpg.d is enough?

Note 0020361 by WubTheCaptain (reporter), 2019-02-11 14:26

Quote from Blzut3
Is the gpg import line actually needed?

TL;DR: I think so?

In an unlikely event the debian.drdteam.org server would be compromised by a third party, displaying the fingerprints and verifying them against some chain of trust (OpenPGP signatures or documentation in Doomseeker, for example), the GPG dry-run import line may mitigate the effectiveness of such an attack. apt-key add also wouldn't display the fingerprint.

The man page says:

Quote from apt-key(8)
It is critical that keys added manually via apt-key are verified to belong to the owner of the repositories they claim to be for otherwise the apt-secure(8) infrastructure is completely undermined.
In an unlikely event the HTTPS website is also unavailable or blocked at a site, the same principle of key fingerprint verification would also apply to connections over insecure HTTP.

I believe it's better than blindly trusting the key. https:// may provide some additional security (0003606), on the assumption the webserver/HTTP(s) proxy is configured securely.

Note 0020383 by WubTheCaptain (reporter), 2019-02-11 22:45

I'm probably going to actually end up submitting a package to Debian soon, called drdteam-archive-keyring.

Debian's soft freeze is tomorrow, so this won't make it to the next stable release however. It will be available from testing and unstable initially, maybe later backported to stretch-backports if feasible.

Note 0020384 by WubTheCaptain (reporter), 2019-02-12 00:05

Additionally, I'd like the drdteam-archive-keyring to prompt for a question "do you want to install drdteam.list to /etc/apt/sources.list.d?" with debconf. I'll do that, for convenience.

Note 0020385 by WubTheCaptain (reporter), 2019-02-12 13:47

By the way, ignore my suggestions too: Keys added to /etc/apt/trusted.gpg.d are valid signing keys for all repositories, including the main ones from your operating system. Yikes!

Fortunately, there is /usr/share/keyrings. I'll hope to set that up soon.

(oops, meant to post this yesterday)

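As an added example (not code from the thread, from debian.drdteam.org or from the drdteam-archive-keyring package), here is the procedure the later notes converge on: show the key's fingerprint with a GnuPG dry-run import and compare it against a fingerprint obtained out of band (notes 0020339 and 0020361), then install the key as a per-repository keyring under /usr/share/keyrings and bind it to a single source with `[signed-by=...]` (the direction note 0020385 points in), rather than dropping it into /etc/apt/trusted.gpg.d where it would be trusted for every repository. The keyring directory, the `NAME-archive-keyring` file naming, the `install_repo_key` helper and the expected fingerprint placeholder are assumptions; `import-show` needs GnuPG 2.1.14 or later, as the thread notes.

```shell
#!/bin/sh
# Added example, not code from the tracker thread or drdteam.org.
# Install an APT signing key as a per-repository keyring bound to one source
# via [signed-by=...], after checking its fingerprint with a gpg dry-run.
set -eu

# Assumptions: /usr/share/keyrings is used by keyring packages; /etc/apt/keyrings
# is the usual location for manually installed keys. Override via environment.
KEYRING_DIR="${KEYRING_DIR:-/usr/share/keyrings}"
SOURCES_DIR="${SOURCES_DIR:-/etc/apt/sources.list.d}"

# key_format FILE -> "armored" or "binary". apt reads armored keys only with
# the .asc extension and binary (dearmored) keys only with .gpg.
key_format() {
    if head -c 64 "$1" | tr -d '\000' | grep -q 'BEGIN PGP PUBLIC KEY BLOCK'; then
        printf 'armored\n'
    else
        printf 'binary\n'
    fi
}

# keyring_name NAME FORMAT -> file name with the extension apt expects.
keyring_name() {
    case "$2" in
        armored) printf '%s-archive-keyring.asc\n' "$1" ;;
        *)       printf '%s-archive-keyring.gpg\n' "$1" ;;
    esac
}

# normalize_fpr FPR -> fingerprint with spaces removed, uppercased, so the
# spaced form printed by gpg compares equal to a compact documented form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# verify_fingerprint EXPECTED ACTUAL -> exit 0 only if both match.
verify_fingerprint() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# sources_line KEYRING URL SUITE COMPONENTS -> one-line-style APT source that
# accepts only Release files signed by keys in KEYRING.
sources_line() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# show_fingerprints FILE -> primary-key fingerprints in FILE, without importing
# anything (the -n dry run used in the thread), in machine-readable form.
show_fingerprints() {
    gpg -q -n --import --import-options import-show --with-colons "$1" \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# install_repo_key NAME KEYFILE EXPECTED_FPR URL SUITE COMPONENTS
# Refuses to install the key when its fingerprint differs from EXPECTED_FPR,
# which must come from a channel other than the download itself.
install_repo_key() {
    name=$1 keyfile=$2 expected=$3 url=$4 suite=$5 comps=$6
    fmt=$(key_format "$keyfile")
    target="$KEYRING_DIR/$(keyring_name "$name" "$fmt")"
    actual=$(show_fingerprints "$keyfile" | head -n 1)
    if ! verify_fingerprint "$expected" "$actual"; then
        printf 'fingerprint mismatch: expected %s, got %s\n' "$expected" "$actual" >&2
        return 1
    fi
    install -m 0644 "$keyfile" "$target"
    sources_line "$target" "$url" "$suite" "$comps" > "$SOURCES_DIR/$name.list"
    printf 'installed %s and %s/%s.list\n' "$target" "$SOURCES_DIR" "$name"
}

# Usage (run as root, after downloading the key to a temporary file; the
# fingerprint below is a placeholder, not the real drdteam key fingerprint):
#   install_repo_key drdteam /tmp/drdteam.gpg 'EXPECTED-FINGERPRINT-PLACEHOLDER' \
#       http://debian.drdteam.org/ stable multiverse
```

Because the source line carries `signed-by`, a compromise of this one key cannot be used to sign updates for the distribution's own repositories, which is the concern raised in note 0020385; the fingerprint check before `install` is the step `apt-key add` never offered.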
Issue History
Date Modified | Username | Field | Change
2019-02-07 13:40 WubTheCaptain New Issue
2019-02-07 13:44 WubTheCaptain Note Added: 0020339
2019-02-07 13:45 WubTheCaptain Note Edited: 0020339 View Revisions
2019-02-07 15:25 WubTheCaptain Note Added: 0020344
2019-02-07 16:43 WubTheCaptain Note Edited: 0020344 View Revisions
2019-02-07 16:59 WubTheCaptain Note Added: 0020350
2019-02-10 07:39 Blzut3 Note Added: 0020357
2019-02-10 07:39 Blzut3 Assigned To => Blzut3
2019-02-10 07:39 Blzut3 Status new => feedback
2019-02-11 14:26 WubTheCaptain Note Added: 0020361
2019-02-11 14:26 WubTheCaptain Status feedback => assigned
2019-02-11 22:45 WubTheCaptain Note Added: 0020383
2019-02-12 00:05 WubTheCaptain Note Added: 0020384
2019-02-12 13:47 WubTheCaptain Note Added: 0020385