Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#1476 closed defect (invalid)

SecureApt

Reported by: Sataur@… Owned by:
Priority: minor Milestone:
Component: documentation Version: 1.13.x
Keywords: Cc:
uname -a:
nginx -V: 1.13.5

Description

Current approach is vulnerable to MITM attack!

Please download this key from our web site, and add it to the apt program keyring with the following command...

https://nginx.org/keys/nginx_signing.key

sudo apt-get install apt-transport-https

deb https://nginx.org/packages/mainline/debian/ codename nginx

Change History (3)

comment:1 by Maxim Dounin, 7 years ago

Resolution: invalid
Status: newclosed

Quoting the "Signatures" section of the same page:

It is highly advised to additionally verify the authenticity of the downloaded PGP key. PGP has the “Web of Trust” concept, when a key is signed by someone else’s key, that in turn is signed by another key and so on. It often makes possible to build a chain from an arbitrary key to someone’s key who you know and trust personally, thus verify the authenticity of the first key in a chain. This concept is described in details in GPG Mini Howto. Our keys have enough signatures, and their authenticity is relatively easy to check.

Also, the link in question will be to a key on a https site if you'll open the page in question via https. If you prefer to trust certificate authorities instead of PGP, consider using https site instead.

Note well that there is no need to use https to download packages. A verified PGP key is enough.

comment:2 by Sataur@…, 7 years ago

What about this method?

sudo apt-key adv --keyserver apt-mo.trafficmanager.net --recv-keys 417A0893
  • keyserver.opensuse.org
  • keyserver.ubuntu.com
  • ha.pool.sks-keyservers.net
Last edited 7 years ago by Sataur@… (previous) (diff)

comment:3 by Maxim Dounin, 7 years ago

In no particular order:

  • Writing key ids is no different than providing keys, you have to verify keys anyway.
Note: See TracTickets for help on using tickets.