
What the final goal is: Install a given package securely for a series of servers.

We have servers running on different cloud data centers. We install our app on them as deb file. Currently we upload the updates as deb files via an ansible script. This is slow as the "master" node needs to update all the machines.

We think it would be nicer if we could just issue sudo apt update <package> for every node.

But what about security? The repo server would need to be on the internet.

Thus, we would need to make sure that the package installs securely. deb files can be signed, but afaik dpkg-verify only verifies that the signature is correct. Thus a malicious but correctly signed package would pass the verify check.

So could we

  • Install from an https repo server
  • Install only packages signed with a specific key (for our app deb only)

Another approach is acceptable as long as security is not compromised.

transient_loop

1 Answer

If you use apt install or the ansible apt module to install packages, then the repo metadata must be signed by a key known to your system, such as the Ubuntu distribution signing keys, or any keys you explicitly add with the apt_key ansible module. Anything signed by an unknown key, or not signed, would be rejected.

So you can just create an apt repository to hold your packages, sign its Release file with your own GPG key, and distribute that public key to your servers.

Michael Hampton
  • This sounds like what I want, apart from being pretty simple. Are you saying that, because the access to update the servers is secured via the ansible script and the ssh key used to connect, there is no actual need to do anything else other than sign the release and run `apt install`? – transient_loop Jun 13 '20 at 21:11
  • @transient_loop Creating and updating the repo can be automated easily enough, either via ansible or via whatever is deploying your software builds. But yes, if you put something in the repo then all you have to do is apt install (or upgrade if you're upgrading it). – Michael Hampton Jun 13 '20 at 21:14
  • Paranoid follow-up question though (which had prompted me to ask the question in the first place): Assume the worst case that someone hacked the repo server - all servers would then silently install a compromised version, if the hacker signed the malicious package correctly with a key of their own. So would it be possible that the package (and only that package) would be installed from a specific signature only? – transient_loop Jun 13 '20 at 21:28
  • @transient_loop How would the hacker get a copy of your private key? You would not keep that on the repo server. – Michael Hampton Jun 13 '20 at 21:31
  • Of course not... – transient_loop Jun 13 '20 at 21:46
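As an added example (not code from the answer or the asker), the build-side part of the flow described above: write the repository's Release file, sign it with your own key, and emit the client sources entry that binds the repo to that one public key. It goes one step beyond the answer by using apt's `[signed-by=...]` option, which answers the follow-up about accepting only a specific key. The layout `dists/<codename>/<component>/binary-<arch>/Packages` (built beforehand with `dpkg-scanpackages`), the name `myapp`, the URL and the keyring path are placeholders.

```bash
#!/usr/bin/env bash
set -eu

# Write dists/<codename>/Release: every index file below the codename directory
# with its size and hashes. apt verifies the signature on this one file, then
# each index against these hashes, then each .deb against the hashes in Packages.
write_release() {
  local dist_dir="$1" codename="$2" archs="$3" comps="$4"
  local out="$dist_dir/Release" algo f
  {
    printf 'Origin: myapp\nLabel: myapp\nSuite: %s\nCodename: %s\n' "$codename" "$codename"
    printf 'Date: %s\n' "$(date -Ru)"
    printf 'Architectures: %s\nComponents: %s\n' "$archs" "$comps"
    printf 'Description: internal application repository\n'
    for algo in md5sum sha256sum; do
      [ "$algo" = md5sum ] && echo 'MD5Sum:' || echo 'SHA256:'
      # -mindepth 2 skips Release/InRelease/Release.gpg in dist_dir itself
      find "$dist_dir" -mindepth 2 -type f | sort | while IFS= read -r f; do
        # fields: <hash> <size, right-aligned> <path relative to dist_dir>
        printf ' %s %16d %s\n' "$("$algo" "$f" | cut -d' ' -f1)" \
          "$(wc -c < "$f" | tr -d ' ')" "${f#"$dist_dir"/}"
      done
    done
  } > "$out"
  echo "$out"
}

# Sign on the build host, never on the repo server: the private key stays off it.
# Release.gpg (detached) and InRelease (inline) are both accepted by apt.
sign_release() {
  local dist_dir="$1" keyid="$2"
  gpg --batch --yes -u "$keyid" --armor --detach-sign \
      -o "$dist_dir/Release.gpg" "$dist_dir/Release"
  gpg --batch --yes -u "$keyid" --clearsign \
      -o "$dist_dir/InRelease" "$dist_dir/Release"
}

# Client side: ship only the PUBLIC key as a binary keyring, e.g.
#   gpg --export "$keyid" > /usr/share/keyrings/myapp-archive-keyring.gpg
# and pin the source to it, so no other trusted key may sign this repo.
client_source_line() {
  local keyring="$1" url="$2" codename="$3" comps="$4"
  printf 'deb [signed-by=%s] %s %s %s\n' "$keyring" "$url" "$codename" "$comps"
}
```

Run `write_release repo/dists/stable stable amd64 main` and `sign_release repo/dists/stable <KEYID>` after each `dpkg-scanpackages` run, then publish `repo/` over https; the line from `client_source_line` goes in `/etc/apt/sources.list.d/myapp.list` on every node.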