Apt repository is not signed
Currently, the instructions to set up the apt repository instruct the user to specify [trusted=yes]. However, this allows a malicious actor to compromise the system if they have control over the repository.
When the repository properly uses a GPG key, only packages signed by the author's private key can be installed. But when [trusted=yes] is specified, there is no such verification. If the web server hosting the repository or its file system were to be compromised, attackers can add malicious versions of system packages to the repository, and there would be no way for apt to reject these packages since the repository is configured to be entirely trusted. If the user has configured unattended upgrades, these malicious versions may even be installed without user confirmation.
Please make sure that the repository is properly signed.
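As an added illustration of the point above (not code from this issue or from the Miniflux project), the shell script below audits apt source entries for the `[trusted=yes]` option (and its deb822 equivalent, `Trusted: yes`) and rewrites such entries to the `signed-by=` / `Signed-By:` form, which makes apt verify the repository's Release file against a specific keyring. The repository URL `https://example.invalid/apt/` and the keyring path `/usr/share/keyrings/example-archive-keyring.gpg` are placeholders; the sample sources content is constructed here, not taken from any real system.

```shell
#!/bin/sh
# Added example: audit apt source entries that disable signature checks
# ([trusted=yes] in one-line format, "Trusted: yes" in deb822 .sources files)
# and show the signed-by form that restores verification.

# Constructed sample content (hypothetical URLs and keyring paths): two entries
# disable verification, one uses signed-by, one uses the distro's default keys.
SAMPLE_SOURCES='deb [trusted=yes] https://example.invalid/apt/ stable main
deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://example.invalid/apt/ stable main
deb http://deb.debian.org/debian trixie main
Types: deb
URIs: https://example.invalid/apt/
Suites: stable
Components: main
Trusted: yes'

# Print every entry that tells apt to skip Release-file signature verification.
# Matches "deb [ ... trusted=yes ... ]" lines and "Trusted: yes" deb822 fields.
find_unsigned() {
    printf '%s\n' "$1" \
        | grep -Ei '^deb(-src)?[[:space:]]+\[[^]]*trusted=yes|^Trusted:[[:space:]]*yes'
}

# Number of unsigned entries; 0 means the audit passes.
count_unsigned() {
    find_unsigned "$1" | grep -c . || true
}

# Rewrite unsigned entries to pin a keyring instead: $1 is the sources text,
# $2 the keyring path (assumed to contain no '#', which is the sed delimiter).
# The keyring itself must be obtained and its fingerprint checked out of band;
# this only changes the configuration so apt will refuse an unsigned index.
harden_sources() {
    printf '%s\n' "$1" | sed -E \
        -e "s#trusted=yes#signed-by=$2#" \
        -e "s#^Trusted:[[:space:]]*yes#Signed-By: $2#"
}

# Stand-alone run: report what would be changed on the sample.
audit_report() {
    n=$(count_unsigned "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK: no entries with signature verification disabled"
    else
        echo "WARNING: $n entr(y/ies) accept unsigned packages:"
        find_unsigned "$1"
    fi
}

audit_report "$SAMPLE_SOURCES"
echo "--- hardened form ---"
harden_sources "$SAMPLE_SOURCES" /usr/share/keyrings/example-archive-keyring.gpg
```

Run the audit against the real files with `cat /etc/apt/sources.list /etc/apt/sources.list.d/*` piped into the same logic. After switching to `signed-by=`, `apt-get update` will fail with a missing-key error until the keyring is actually installed at that path; that failure is the verification working, and it is exactly what `[trusted=yes]` suppresses.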
Any news? Sounds like a serious security issue.
The repository is still not signed, so no news here.
Fortunately, it's no longer necessary to use this unsigned repository. Debian and Ubuntu have started packaging miniflux themselves. Starting with Debian trixie and Ubuntu 24.04, you can just run apt install miniflux to get miniflux directly from Debian/Ubuntu's main archives.