Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Http when adding an apt key unsafe? #101

Open
queglay opened this issue Aug 28, 2020 · 1 comment
Open

Http when adding an apt key unsafe? #101

queglay opened this issue Aug 28, 2020 · 1 comment

Comments

@queglay
Copy link

queglay commented Aug 28, 2020

This is more a question, but these lines below appear unsafe to me, are they?

 && apt-key adv --fetch-keys http://www.webmin.com/jcameron-key.asc \
 && echo "deb http://download.webmin.com/download/repository sarge contrib"

Adding a key and repository without https opens up the possibility of installing packages from a MITM attack.
@thoschworks
Copy link

After looking into it, I think

  1. changing the url for the key is easy
  2. changing url for the repository is not simple or probably impossible without changing the structure.

Using https for retrieving the key is simple and changes in two line are necessary:

 && DEBIAN_FRONTEND=noninteractive apt-get install -y gnupg ca-certificates \
 && apt-key adv --fetch-keys https://www.webmin.com/jcameron-key.asc \

The additional package 'ca-certificates' in line 3 is necessary to verify the certificate.

And this is the point which -in my opinion- breaks the two-stage-approach, if the url of the repository is changed to https:

  • In line 19 of Dockerfile /etc/apt/sources from stage 1 is copied to stage 2.
  • In line 22 the package informations are updated via apt-get update.
  • This will fail, because there is no certificate information for https://download.webmin.com in this stage. But without this step it is not possible to add ca-certificatesto this stage (which is needed for running apt-get update without error, which is needed to install ca-certificates…).

I think using https only for retrieving the key should be o.k.:

  1. The key is retrieved over a secured connection
  2. The packages are retrieved over an unprotected connection, but they are checked with the key.

If you look into the /etc/apt/source.list on your system, the urls for the repositories from Debian or Ubuntu are all "only" http.

If the url for the repository should also be switched to https then the concept have to be switched to one stage and the following changes have to be made:

  1. remove in line 1 from AS …
  2. change line 4+5 as shown above
  3. change the url in line 5
  4. remove line 8
  5. remove line 17-19
  6. some refactoring to make the code nice again

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@thoschworks @queglay