Bug#944102: create sources.list with signed-by
Timo Weingärtner
2019-11-04 11:40:01 UTC
Package: debian-installer
Severity: normal
Tags: d-i

Hello,

debian-installer should create /etc/apt/sources.list (or /etc/apt/
sources.list.d/debian.sources) with:

[signed-by=/usr/share/keyrings/debian-archive-keyring.gpg]

With the current implementation any owner of a 3rd-party repository installed
into /etc/apt/trusted* could impersonate the official Debian repositories.

(I have not investigated if per-release keyrings from debian-archive-keyring
can be used reliably instead, but there is no keyring for bullseye right now.)

Regards
Timo
Osamu Aoki
2023-08-05 14:40:01 UTC
Hi,

I think this proposal to use "signed-by" is a good idea.

But if you ever make such support, please consider using a deb822-style file
instead of the old one-line style.

This way, we can avoid creating a source list configuration file with an
insanely long line. (I don't know which key is the best choice though.)

My local /etc/apt/sources.list.d/debian.sources:

types: deb deb-src
uris: http://deb.debian.org/debian/
suites: bookworm
components: main non-free-firmware contrib non-free
signed-by: /usr/share/keyrings/debian-archive-bookworm-automatic.gpg
#Signed-By: /usr/share/keyrings/debian-archive-bookworm-stable.gpg
#Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

types: deb deb-src
uris: http://security.debian.org/debian-security/
suites: bookworm-security
components: main non-free-firmware contrib non-free
signed-by: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg
#Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg


Osamu
Richard Lewis
2024-11-16 15:00:01 UTC
Post by Osamu Aoki
> Hi,
> I think this proposal to use "signed-by" is a good idea.

Me too!

Post by Osamu Aoki
> But if you ever make such support, please consider using a deb822-style file
> instead of the old one-line style.

Me too!

The following debian.sources file might be a good default?

## stable
Types: deb
Suites: bookworm
Components: main contrib non-free-firmware
URIs: https://deb.debian.org/debian
Signed-By: /etc/apt/trusted.gpg.d/debian-archive-bookworm-stable.asc
 /etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.asc

## point releases
Types: deb
Suites: bookworm-updates
Components: main contrib non-free-firmware
URIs: https://deb.debian.org/debian
Signed-By: /etc/apt/trusted.gpg.d/debian-archive-bookworm-stable.asc
 /etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.asc

## security
Types: deb
Suites: bookworm-security
Components: main contrib non-free-firmware
URIs: https://deb.debian.org/debian-security
Signed-By: /etc/apt/trusted.gpg.d/debian-archive-bookworm-security-automatic.asc
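The two deb822 files posted above (Osamu's and Richard's) both pin each source to a keyring with Signed-By; the original report explains why that matters: without it, any key dropped into /etc/apt/trusted.gpg.d/ by a third-party repository can sign a Release file for the official Debian sources. The script below is an added example, not part of this bug report or of debian-installer, that audits a system's apt source files for exactly that gap: every deb822 stanza must carry a Signed-By field and every one-line entry must carry a [signed-by=...] option. It needs only POSIX sh and awk; the sample files it writes are constructed for the demonstration and are not real system files.

```shell
#!/bin/sh
# Added example (not part of the bug report or of debian-installer): report
# apt source entries that are not pinned to a keyring. Unpinned entries can be
# verified by any key in /etc/apt/trusted.gpg.d/, which is the impersonation
# risk described in Bug#944102. Requires POSIX sh and awk only.

# deb822 (.sources) check: every stanza that declares "Types:" must also carry
# "Signed-By:" (apt treats field names case-insensitively; commented-out
# "#Signed-By:" lines do not count). Prints offending stanza numbers and
# returns 0 when every stanza is pinned, 1 otherwise.
check_deb822_sources() {
    awk '
        BEGIN { RS = ""; FS = "\n"; bad = 0 }   # one record per stanza
        {
            is_source = 0; pinned = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[ \t]*#/) continue    # comment line
                if (tolower($i) ~ /^types:/)     is_source = 1
                if (tolower($i) ~ /^signed-by:/) pinned = 1
            }
            if (is_source && !pinned) {
                printf "%s: stanza %d lacks Signed-By\n", FILENAME, NR
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# One-line (sources.list) check: every "deb"/"deb-src" line must carry a
# [signed-by=...] option. Same return convention as above.
check_one_line_sources() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ { next }
        /^[ \t]*deb(-src)?[ \t]/ {
            if ($0 !~ /\[.*signed-by=.*\]/) {
                printf "%s: line %d lacks signed-by\n", FILENAME, NR
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Audit the live system: returns 1 if any existing apt source file fails.
audit_system() {
    rc=0
    [ -f /etc/apt/sources.list ] && { check_one_line_sources /etc/apt/sources.list || rc=1; }
    for f in /etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] && { check_one_line_sources "$f" || rc=1; }
    done
    for f in /etc/apt/sources.list.d/*.sources; do
        [ -f "$f" ] && { check_deb822_sources "$f" || rc=1; }
    done
    return $rc
}

# Constructed sample files (not real system files) for a stand-alone demo;
# prints the directory they were written to.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/pinned.sources" <<'EOF'
## stable
Types: deb
URIs: https://deb.debian.org/debian
Suites: bookworm bookworm-updates
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

## security
Types: deb
URIs: https://deb.debian.org/debian-security
Suites: bookworm-security
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOF
    cat > "$dir/unpinned.sources" <<'EOF'
Types: deb
URIs: https://deb.debian.org/debian
Suites: bookworm
Components: main
#Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOF
    cat > "$dir/sources.list" <<'EOF'
# constructed one-line format sample
deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] https://deb.debian.org/debian bookworm main
deb http://example.invalid/thirdparty stable main
EOF
    printf '%s\n' "$dir"
}

# Demo: the pinned file passes; the other two are reported.
demo_dir=$(write_samples)
check_deb822_sources "$demo_dir/pinned.sources" && echo "pinned.sources: OK"
check_deb822_sources "$demo_dir/unpinned.sources" || echo "unpinned.sources: FAIL"
check_one_line_sources "$demo_dir/sources.list" || echo "sources.list: FAIL"
rm -rf "$demo_dir"
```

Run `audit_system` on a real machine to list every source that is still verified against the whole trusted keyring set; an empty report means each entry names its own Signed-By keyring, as in the files above.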