What the final goal is:
Install a given package securely for a series of servers.
We have servers running on different cloud data centers.
We install our app on them as
Currently we upload the updates as deb files via an ansible script.
This is slow as the "master" node needs to update all the machines.
We think it would be nicer if we could just issue sudo apt update <package> for every node.
But what about security?
The repo server would need to be on the internet.
Thus, we would need to make sure that the package installs securely.
deb files can be signed, but afaik dpkg-verify only verifies that the signature is correct. Thus a malicious but correctly signed package would pass the verify check.
So could we
- Install from an https repo server
- Install only signed packages signed with a specific key only (for our app
Another approach is acceptable as long as security is not compromised.
If you use apt install or the ansible apt module to install packages, then the repo metadata must be signed by a key known to your system, such as the Ubuntu distribution signing keys, or any keys you explicitly add with the apt_key ansible module. Anything signed by an unknown key, or not signed, would be rejected.
So you can just create an apt repository to hold your packages, sign its Release file with your own GPG key, and distribute that public key to your servers.
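The steps in the answer above, as an added shell example that is not part of the original answer. It goes one step further than the answer: instead of adding the key to the global apt keyring (where it is trusted for every repository), it scopes the key to this one repository with signed-by and pins the package to that origin. The host apt.example.com, the package name myapp, the key id and all file paths are placeholders.

```shell
#!/bin/sh
# Added example; apt.example.com, myapp and the key id are placeholders.
set -eu
REPO_HOST="apt.example.com"
REPO_URL="https://$REPO_HOST/debian"
PKG="myapp"
KEYRING="/etc/apt/keyrings/$PKG.gpg"

# Repo host: index the .deb files in directory $1 and sign Release with key $2.
publish_repo() (
  cd "$1"
  rm -f Release InRelease Release.gpg        # drop stale metadata first
  apt-ftparchive packages . > Packages
  gzip -kf Packages
  tmp=$(mktemp)                              # build outside the tree so Release
  apt-ftparchive release . > "$tmp"          # never lists a half-written copy of itself
  install -m 0644 "$tmp" Release && rm -f "$tmp"
  gpg --yes --local-user "$2" --clearsign -o InRelease Release
  gpg --yes --local-user "$2" --armor --detach-sign -o Release.gpg Release
)

# Repo host: export public key $1 to file $2, to be pushed to the servers
# over a channel you already trust (for example the existing ansible run).
export_key() { gpg --export "$1" > "$2"; }

# Server: trust key file $2 for this repository only, and pin packages.
# $1 is the filesystem root: "/" on a real host, a scratch directory for a dry run.
configure_client() {
  root=${1%/}
  mkdir -p "$root/etc/apt/keyrings" "$root/etc/apt/sources.list.d" \
           "$root/etc/apt/preferences.d"
  cp "$2" "$root$KEYRING" && chmod 0644 "$root$KEYRING"
  # signed-by: apt accepts this repo's metadata only if signed by this keyring,
  # and this keyring is not consulted for any other repository.
  printf 'deb [signed-by=%s] %s ./\n' "$KEYRING" "$REPO_URL" \
    > "$root/etc/apt/sources.list.d/$PKG.list"
  # Pin: always take $PKG from our origin; refuse everything else it offers,
  # so a leaked app key cannot be used to replace system packages.
  {
    printf 'Package: %s\nPin: origin %s\nPin-Priority: 1001\n\n' "$PKG" "$REPO_HOST"
    printf 'Package: *\nPin: origin %s\nPin-Priority: -1\n' "$REPO_HOST"
  } > "$root/etc/apt/preferences.d/$PKG"
}
```

On a real server, run configure_client / myapp.gpg as root, then apt-get update followed by apt-get install myapp; apt refuses the repository if its Release signature does not verify against that keyring.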
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.