Hi Jonas and Roland,

> On 04.06.2017 at 10:17, Jonas Smedegaard <[email protected]> wrote:
> 
> Quoting Roland Häder (2017-06-03 22:12:23)
>> Do not bypass security! Better is to get it properly signed.
> 
> Yes, establishing a trust path (which includes offering signed package
> release files but also other parts) is better than not doing so.

Making signed Release files is much simpler than I had thought:
(https://wiki.debian.org/SecureApt#How_to_tell_apt_what_to_trust)

        cd /path-to-repo-on-server/dists/wheezy
        gpg -abs --emit-version -o Release.gpg Release
        type password...

That is all that seems to be needed on the repo server side.

> Maintained packages are even better - e.g. collectively by Debian.

In the long run yes. At the moment we are still far away from that...
There must be something maintainable first to hand it over to Debian.

>> You should then provide the GPG public key (obviously) on your website
>> so people can use it for verification the apt-key-common way:
>> 
>> gpg --keyserver pgpkeys.mit.edu --recv-key  xxxxxx
>> gpg -a --export xxxxxx | sudo apt-key add -
> 
> Above verifies only that the signing key exist on that public keyserver
> - it does not establish a trust path and is therefore not (on its own)
> trustworthy.

Yes, indeed. It does not seem to be more secure than

        wget http://believe.me/key | sudo apt-key add -

Or disabling gpg checks for the whole repository.

In both situations we simply declare that we trust those who have set
up the instructions.

Still it seems to be better than no check.

> 
> Please read http://deb.jones.dk/ and tell me which parts of that are
> flawed or superfluous or wrong in other ways.

That is a nice blueprint of exactly what I need and how it should be done!

If I get it right (just from reading and guessing what it does) it assumes
that your key is stored in debian-keyring.

And this requires that you are trusted by the maintainers of debian-keyring.

Then you can declare that you are trusted and others can verify before
taking your word only.

But how does your key get into debian-keyring?

> 
> 
>> by xxxxxx is the long key id (don't encourage short keys, they are
>> flawed as malicious people can theoretically craft a pgp key that has the
>> same (!) short key, like it already happened with Linus Torvalds' key.
> 
> Yes, do that and also a range of other best practices:
> https://help.riseup.net/en/security/message-security/openpgp/best-practices

Interesting to learn about this issue. Most likely I would have done it wrong...

BR and thanks,
Nikolaus
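
The signature step above (Release.gpg over Release) only proves that the Release file is authentic; apt then trusts each Packages index only if its size and SHA256 match the lines inside that signed Release. The following is an added example, not code from this thread or from deb.jones.dk, that builds the SHA256 section of a Release file for a constructed dists/wheezy tree and verifies index files against it the way apt does after gpg has accepted the signature.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample: index files of dists/wheezy, keyed by their path relative
# to the Release file (not the repository's real indexes, just test content).
INDEXES: Dict[str, bytes] = {
    "main/binary-armhf/Packages": b"Package: example\nVersion: 1.0\n\n",
    "main/binary-armhf/Packages.gz": b"\x1f\x8b\x08\x00stub-not-real-gzip",
}

def build_release(indexes: Dict[str, bytes], codename: str = "wheezy") -> str:
    """Render the part of a Release file that apt checks after the signature:
    a few header fields plus one ' <sha256> <size> <path>' line per index."""
    lines = [f"Codename: {codename}", "Components: main", "SHA256:"]
    for path in sorted(indexes):
        data = indexes[path]
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data):>16} {path}")
    return "\n".join(lines) + "\n"

def parse_release(text: str) -> Dict[str, Tuple[str, int]]:
    """Return {path: (sha256 hex, size)} from the SHA256 block of a Release file.
    Continuation lines start with a space; any other line starts a new field."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_block = False
    for line in text.splitlines():
        if not line.startswith(" "):
            in_block = line.startswith("SHA256:")
            continue
        if in_block:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def verify_index(path: str, data: bytes, release_text: str) -> bool:
    """True only if the index is listed in Release and both its size and its
    SHA256 match. An unlisted or tampered index must be rejected, even though
    the Release file itself carries a valid signature."""
    entry = parse_release(release_text).get(path)
    if entry is None:
        return False
    return len(data) == entry[1] and hashlib.sha256(data).hexdigest() == entry[0]

if __name__ == "__main__":
    release = build_release(INDEXES)
    print(release)
    # Sign 'release' with: gpg -abs -o Release.gpg Release (as in the thread)
    print(all(verify_index(p, d, release) for p, d in INDEXES.items()))
```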

_______________________________________________
Community mailing list
[email protected]
http://lists.goldelico.com/mailman/listinfo.cgi/community
http://www.tinkerphones.org