Skip to content

Teleport Install scripts: use /etc/apt/keyrings/ when adding Teleport's public key for DEB packages #50273

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 15, 2025
Merged

Teleport Install scripts: use /etc/apt/keyrings/ when adding Teleport's public key for DEB packages #50273

merged 2 commits into from
Jan 15, 2025

Conversation

marcoandredinis
Copy link
Contributor

@marcoandredinis marcoandredinis commented Dec 16, 2024
edited
Loading

Same as #50033

Demo:

root@cd3db2db3032:/# cat /etc/apt/sources.list.d/teleport.list
deb [signed-by=/etc/apt/trusted.gpg.d/teleport-archive-keyring.asc]             https://apt.releases.teleport.dev/ubuntu noble stable/v17
root@cd3db2db3032:/# cat /etc/apt/trusted.gpg.d/teleport-archive-keyring.asc | head
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF+R3LYBEADOEO9i3Dm5rEAiXONchX3M54QzZX0yHArSpYQ5aJDdJRQbqzqT
+e2os8NpSjVDZFNz5ul8xkZsnCLX7pgrAYqq+vsXL4bMWDP96S6PjfVIAyV4ylv0
DBReMdkaAZb/IoPhkSTT+ayw4eGEtUz/k7mxMpQ9ob7qFtGs8aNVT/An5LfFR1Lx
9WOlFPPIAJKcHVIyRD+4EoCSn1R1c61UHFIRatbAnwOLs3iz4/GU+w9wdbuWbDuk
nGdG0Lmlzp42HHxeJJFQlOTed97+trktvAiuzA/0lbQHEcWvxfWAy5//cjORp+H3
RGLp8fJ+fFRAyA4WP6O3wIC4gAAgsEn8WpVT8wZYlLMRf694SeawBtyUSlcsn9i1
LuOh5akOY3iQtH01+rMBjOaMkCmpT2nQaUH+HS2iZBddBHdAMMQtj2UolMRbUSxH
+GJczes1t9/WH3vbvh5ESMOy0fH14Tjo+9yQYa4EhFNNloAG10DYFLlCj47fWDdS
root@cd3db2db3032:/# apt list teleport -a
Listing... Done
teleport/noble,now 17.0.5 arm64 [installed]
teleport/noble 17.0.4 arm64
teleport/noble 17.0.3 arm64
teleport/noble 17.0.2 arm64
teleport/noble 17.0.1 arm64

@github-actions github-actions bot requested review from avatus and gzdunek December 16, 2024 12:13
@aws-amplify-us-west-2 AWS Amplify (us-west-2)
Copy link

This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-50273.d3pp5qlev8mo18.amplifyapp.com

gzdunek
gzdunek reviewed Dec 31, 2024
View reviewed changes
Copy link
Contributor

@gzdunek gzdunek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have a full understanding of this topic, but here they say that adding keys to /etc/apt/trusted.gpg.d/ is insecure https://stackoverflow.com/a/71384057.
What do you think of it?

@marcoandredinis marcoandredinis mentioned this pull request Jan 6, 2025
Merged
@marcoandredinis marcoandredinis force-pushed the marco/update_apt_location_scripts branch from 2b536c1 to bbf06ea Compare January 6, 2025 15:42
@marcoandredinis
Copy link
Contributor Author

I don't have a full understanding of this topic, but here they say that adding keys to /etc/apt/trusted.gpg.d/ is insecure https://stackoverflow.com/a/71384057. What do you think of it?

I've changed the destination folder to be etc/apt/keyrings
I've also added a comment in the original PR.

Thank you for bringing this up. I tried to explain the downsides of this approach but didn't actually came up with a better solution.

@marcoandredinis marcoandredinis changed the title Teleport Install scripts: use /etc/apt/trusted.gpg.d/ when adding Teleport's public key for DEB packages Teleport Install scripts: use /etc/apt/keyrings/ when adding Teleport's public key for DEB packages Jan 6, 2025
gzdunek
gzdunek approved these changes Jan 13, 2025
View reviewed changes
Copy link
Contributor

@gzdunek gzdunek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for looking into this, we should be safer now.

@marcoandredinis marcoandredinis added this pull request to the merge queue Jan 15, 2025
Merged via the queue into master with commit dd044f1 Jan 15, 2025
46 checks passed
@marcoandredinis marcoandredinis deleted the marco/update_apt_location_scripts branch January 15, 2025 15:33
@public-teleport-github-review-bot
Copy link

@marcoandredinis See the table below for backport results.

Branch Result
branch/v15 Failed
branch/v16 Failed
branch/v17 Create PR

@marcoandredinis marcoandredinis mentioned this pull request Jan 15, 2025
Merged
mvbrock pushed a commit that referenced this pull request Jan 18, 2025
@marcoandredinis @mvbrock
Teleport Install scripts: use /etc/apt/keyrings/ when adding Telepo…
6758fed 
…rt's public key for DEB packages (#50273)

* Teleport Install scripts: use `/etc/apt/trusted.gpg.d/` for DEB packages

* use etc apt keyrings for storing the keys
carloscastrojumo pushed a commit to carloscastrojumo/teleport that referenced this pull request Feb 19, 2025
@marcoandredinis @carloscastrojumo
Teleport Install scripts: use /etc/apt/keyrings/ when adding Telepo…
ddfe0c3 
…rt's public key for DEB packages (gravitational#50273)

* Teleport Install scripts: use `/etc/apt/trusted.gpg.d/` for DEB packages

* use etc apt keyrings for storing the keys
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@avatus avatus avatus approved these changes

@gzdunek gzdunek gzdunek approved these changes

Assignees
No one assigned
Labels
backport/branch/v15 backport/branch/v16 backport/branch/v17 no-changelog Indicates that a PR does not require a changelog entry size/sm ui
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@marcoandredinis @avatus @gzdunek