Ubuntu: install only a signed verified deb package

transient_loop asked:

What the final goal is:
Install a given package securely for a series of servers.

We have servers running on different cloud data centers.
We install our app on them as deb file.
Currently we upload the updates as deb files via an ansible script.
This is slow as the "master" node needs to update all the machines.

We think it would be nicer if we could just issue sudo apt update <package> for every node.

But what about security?
The repo server would need to be on the internet.

Thus, we would need to make sure that the package installs securely.
deb files can be signed, but afaik dpkg-verify only verifies that the signature is correct. Thus a malicious but correctly signed package would pass the verify check.

So could we

  • Install from an https repo server
  • Install only signed packages signed with a specific key only (for our app deb only)

Another approach is acceptable as long as security is not compromised.

My answer:

If you use apt install or the ansible apt module to install packages, then the repo metadata must be signed by a key known to your system, such as the Ubuntu distribution signing keys, or any keys you explicitly add with the apt_key ansible module. Anything signed by an unknown key, or not signed, would be rejected.

So you can just create an apt repository to hold your packages, sign its Release file with your own GPG key, and distribute that public key to your servers.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.