
GPG key for Debian repository (PPA) should be served over HTTPS

Open hwittenborn opened this issue 3 years ago • 3 comments

As of a couple of days ago, I've taken notice of the fact that the GPG key used to sign the Debian repository is served over HTTP.

Background

GPG is like HTTPS for a Debian repo - it's what validates that the content received from a server is actually from the server.

If the GPG key itself is modified during download (which is made possible due to the lack of HTTPS), this would allow an attacker to modify other contents in a repo such as the Release file, Packages file, and all debs, and APT on the client wouldn't complain, and would just go about installing the package.

In the current state that things are usually done, a GPG key also gives that same level of privilege to all other repositories on a system served over HTTP. This could have implications outside the DogeHouse repository, as a modified GPG key will allow an attacker to modify packages on other repositories served over HTTP while being delivered to the client, such as the Ubuntu and Debian repositories.

Fix

My proposal is to simply serve the repository, or the GPG key at minimum, over HTTPS. It takes a matter of seconds to set up with Let's Encrypt, and there aren't many other reasons not to.

A lot of big-name players in the server space also serve the contents for their Debian repositories over HTTPS, including:

Docker: https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository
Atom Text Editor: https://flight-manual.atom.io/getting-started/sections/installing-atom/
Jenkins CI: https://pkg.jenkins.io/debian-stable/

hwittenborn, Apr 22 '21 21:04
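An added example, not part of the original issue or the DogeHouse project: a small audit of APT's one-line sources format for the two conditions described above, a repository fetched over plain HTTP and a repository with no `signed-by` option, which is then verified against the global trusted keyring shared by every repository. The hostnames, keyring path and risk labels are constructed for illustration; deb822 `.sources` files are not handled.

```python
import re

# Constructed sample entries; hosts and keyring paths are placeholders.
SAMPLE_SOURCES = """\
# constructed example entries
deb http://repo.example.invalid/debian stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/vendor.gpg] https://pkg.example.invalid/apt stable main
deb [arch=amd64] https://other.example.invalid/apt focal main
deb-src [signed-by=/usr/share/keyrings/vendor.gpg] http://mirror.example.invalid/debian stable main
"""

# One-line format: deb [opt=value ...] uri suite [component ...]
ENTRY = re.compile(
    r"^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)"
)


def audit_sources(text):
    """Return one finding per repository line (risk labels are this example's own)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # APT treats '#' as a comment start
        m = ENTRY.match(line)
        if not m:
            continue
        opts = dict(o.split("=", 1) for o in (m.group("opts") or "").split() if "=" in o)
        # Without signed-by, APT accepts a signature from any key in the global
        # trusted keyring (/etc/apt/trusted.gpg, /etc/apt/trusted.gpg.d/).
        pinned = "signed-by" in opts
        cleartext = m.group("uri").lower().startswith("http://")
        if cleartext and not pinned:
            risk = "high"        # any globally trusted key + modifiable transport
        elif not pinned:
            risk = "global-key"  # HTTPS, but still verified against the shared keyring
        elif cleartext:
            risk = "cleartext"   # HTTP, integrity rests on the pinned key alone
        else:
            risk = "ok"
        findings.append({"line": lineno, "uri": m.group("uri"),
                         "signed_by": opts.get("signed-by"), "risk": risk})
    return findings


if __name__ == "__main__":
    for f in audit_sources(SAMPLE_SOURCES):
        print(f"{f['risk']:<11} line {f['line']}: {f['uri']} signed-by={f['signed_by']}")
```

To audit a real system, pass the contents of `/etc/apt/sources.list` and each file under `/etc/apt/sources.list.d/` to `audit_sources`.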

If I remember correctly, there is a Cloudflare setting where Cloudflare will be responsible for providing SSL to the client (while still working with HTTP servers).

drvladb, Apr 23 '21 01:04

@drvladb That would work, except the connection between Cloudflare and the server could still be modified. You can find some info on it here and here.

hwittenborn, Apr 23 '21 02:04

@benawad Would you or anyone else have any updates on this?

hwittenborn, May 07 '21 02:05