You need to know why apt-key add is deprecated. All of the answers so far work around the symptom ("Don't use apt-key add") but fail to address the actual problem that led to apt-key add being deprecated.

The problem is not a question of appending a key to one big keyring file /etc/apt/trusted.gpg vs manually putting single-key keyring files into the directory /etc/apt//. These two things are equivalent, and doing either one is a huge security risk. The problem is that any key you add to either of the above is completely and unconditionally trusted by apt. This means that when installing any package from any repo (including the official distro repos), apt will happily accept the package being signed by any of those trusted keys (whether the key belongs to the repository the package is coming from or not). This weakens the assurance provided by the package signing mechanism against malicious packages being injected into the official Ubuntu mirror network.

What we want to do instead is configure apt to accept signatures from a third-party repository only on packages being installed from that repository - no cross-signing. Apt's pinning rules can additionally give higher priority to official distro repos, which (in conjunction with proper key management) offers some protection against third-party repos replacing distro-provided packages. You can use apt-cache policy to inspect the current pin priorities, and if needed you can adjust pinning based on origin to achieve this effect.
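The text above states the goal without naming the mechanism. The option apt provides for it is `signed-by` in sources.list(5) (the `Signed-By:` field in deb822 `.sources` files), and the pin-by-origin step uses apt_preferences(5). The script below is an added example written for this page, not code from the original post: it lists entries in one-line `.list` files that still rely on the globally trusted keyrings, generates an entry scoped to a single repository's key, and generates an origin pin stanza. The keyring location `/etc/apt/keyrings/<name>.gpg`, the repository name and URL, and the priority value 100 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the problem described
# above: find apt source entries that trust every key in trusted.gpg(.d), emit an
# entry scoped to one repository's own key, and emit an origin pin stanza.

# List every one-line-style "deb"/"deb-src" entry under DIR/*.list that carries no
# signed-by= option. Such entries accept a signature from ANY key in
# /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d/. deb822 ".sources" files use a
# Signed-By: field instead and are not inspected by this function.
audit_unscoped_sources() {
    dir="$1"
    for f in "$dir"/*.list; do
        [ -f "$f" ] || continue
        grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$f" \
            | grep -v 'signed-by=' \
            | while IFS= read -r line; do
                printf '%s: %s\n' "$f" "$line"
              done
    done
}

# Number of unscoped entries under DIR (prints 0 when everything is scoped).
count_unscoped_sources() {
    audit_unscoped_sources "$1" | grep -c . || true
}

# Emit a sources entry whose signatures are verified only against the keyring
# /etc/apt/keyrings/NAME.gpg (assumed location; store the vendor key there as a
# binary OpenPGP keyring, dearmored if shipped as ASCII). When signed-by is set,
# apt ignores the default keyrings for this source, so a key added to
# trusted.gpg.d by some other repository cannot sign packages for this one.
scoped_source_entry() {
    name="$1" url="$2" suite="$3" component="$4" arch="$5"
    printf 'deb [arch=%s signed-by=/etc/apt/keyrings/%s.gpg] %s %s %s\n' \
        "$arch" "$name" "$url" "$suite" "$component"
}

# apt_preferences(5) stanza for /etc/apt/preferences.d/: everything from
# ORIGIN_HOST gets priority 100. Configured archives default to 500, so this
# repository can supply packages the distro lacks but a distro package of the
# same name always wins as the candidate, whatever version the third party
# offers. Verify the resulting priorities with: apt-cache policy
origin_pin_stanza() {
    printf 'Package: *\nPin: origin "%s"\nPin-Priority: 100\n' "$1"
}

# Stand-alone use: report unscoped entries on the current system.
if [ -d /etc/apt/sources.list.d ]; then
    audit_unscoped_sources /etc/apt/sources.list.d
fi
```

Run it as `sh audit.sh` to see which drop-in files still rely on the global keyrings; `/etc/apt/sources.list` itself is not a `.list` file inside that directory, so check it separately. Note that the pin stanza only limits which candidate apt picks; it does nothing about signature trust, which is why `signed-by` is the necessary part and pinning is the complement.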