#1476 closed defect (invalid)
SecureApt
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | documentation | Version: | 1.13.x |
| Keywords: | Cc: | ||
| uname -a: | |||
| nginx -V: | 1.13.5 | ||
Description
Current approach is vulnerable to MITM attack!
Please download this key from our web site, and add it to the apt program keyring with the following command...
https://nginx.org/keys/nginx_signing.key
sudo apt-get install apt-transport-https deb https://nginx.org/packages/mainline/debian/ codename nginx
Change History (3)
comment:1 by , 6 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:2 by , 6 years ago
What about this method?
sudo apt-key adv --keyserver apt-mo.trafficmanager.net --recv-keys 417A0893
- keyserver.opensuse.org
- keyserver.ubuntu.com
- ha.pool.sks-keyservers.net
comment:3 by , 6 years ago
In no particular order:
- Never use short PGP key ids to identify keys, they are not secure. See https://evil32.com/ for details.
- Writing key ids is no different than providing keys, you have to verify keys anyway.
Note:
See TracTickets
for help on using tickets.
Quoting the "Signatures" section of the same page:
Also, the link in question will be to a key on a https site if you'll open the page in question via https. If you prefer to trust certificate authorities instead of PGP, consider using https site instead.
Note well that there is no need to use https to download packages. A verified PGP key is enough.