docker-bind icon indicating copy to clipboard operation
docker-bind copied to clipboard
verified publisher icon sameersbn

Http when adding an apt key unsafe?

Open queglay opened this issue 5 years ago • 1 comments

This is more a question, but these lines below appear unsafe to me, are they?

 && apt-key adv --fetch-keys http://www.webmin.com/jcameron-key.asc \
 && echo "deb http://download.webmin.com/download/repository sarge contrib"

Adding a key and repository without https opens up the possibility of installing packages from a MITM attack.

queglay avatar Aug 28 '20 10:08 queglay

After looking into it, I think

  1. changing the url for the key is easy
  2. changing url for the repository is not simple or probably impossible without changing the structure.

Using https for retrieving the key is simple and changes in two line are necessary:

 && DEBIAN_FRONTEND=noninteractive apt-get install -y gnupg ca-certificates \
 && apt-key adv --fetch-keys https://www.webmin.com/jcameron-key.asc \

The additional package 'ca-certificates' in line 3 is necessary to verify the certificate.

And this is the point which -in my opinion- breaks the two-stage-approach, if the url of the repository is changed to https:

  • In line 19 of Dockerfile /etc/apt/sources from stage 1 is copied to stage 2.
  • In line 22 the package informations are updated via apt-get update.
  • This will fail, because there is no certificate information for https://download.webmin.com in this stage. But without this step it is not possible to add ca-certificatesto this stage (which is needed for running apt-get update without error, which is needed to install ca-certificates…).

I think using https only for retrieving the key should be o.k.:

  1. The key is retrieved over a secured connection
  2. The packages are retrieved over an unprotected connection, but they are checked with the key.

If you look into the /etc/apt/source.list on your system, the urls for the repositories from Debian or Ubuntu are all "only" http.

If the url for the repository should also be switched to https then the concept have to be switched to one stage and the following changes have to be made:

  1. remove in line 1 from AS …
  2. change line 4+5 as shown above
  3. change the url in line 5
  4. remove line 8
  5. remove line 17-19
  6. some refactoring to make the code nice again

thoschworks avatar Nov 20 '20 18:11 thoschworks