ProGet's validation/verification of apt packages
-
Hi,
sorry if this is documented or clarified already (please supply a pointer in that case).
I am setting up ProGet as an apt mirror, and I try to understand the trust model. There are clear instructions on how to add (I guess it is) ProGet's .asc (dearmoured) to the downstream hosts. But how does ProGet verify the upstream? A standard ubuntu.sources seems to look something like
Types: deb
URIs: http://archive.ubuntu.com/ubuntu/
Suites: noble noble-updates noble-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
and when setting up a connector in ProGet I had expected to have to add a key, but did not have to. Further, the URI is w/o tls, so using
http://archive.ubuntu.com/ubuntu/
in the connector, and not adding a key, seems to make this open to mitm attacks. And notably the example in "Connectors for Debian (apt) feeds" (https://docs.inedo.com/docs/proget/feeds/debian#connectors-for-debian-apt-feeds) uses http, not https.
TL;DR: basically I want to know the trust model, what kind of verification is done by ProGet, and how to best set up the upstream part of an apt-mirror feed.
Br,
Stefan
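As an added example (not from this thread, and not ProGet's or Ubuntu's own code), here is a small Python audit script that reads deb822-style apt source stanzas like the ubuntu.sources above and flags the two weaknesses the question is about: a URI that is not https (so metadata and packages travel in clear and can be altered in transit), and a stanza without Signed-By (so apt falls back to the system-wide trusted keyrings instead of one pinned keyring). The sample input is constructed; the second stanza and its host are made up for the demonstration.

```python
"""Audit deb822 apt source stanzas for transport and key-pinning weaknesses."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample input: the first stanza mirrors the ubuntu.sources quoted in
# the question, the second is a made-up stanza that deliberately lacks Signed-By.
SAMPLE_SOURCES = """\
Types: deb
URIs: http://archive.ubuntu.com/ubuntu/
Suites: noble noble-updates noble-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: https://mirror.example.invalid/ubuntu/
Suites: noble
Components: main
"""


@dataclass
class Finding:
    """One repository URI and the issues found for it."""
    uri: str
    issues: list = field(default_factory=list)


def parse_deb822(text):
    """Split deb822 text into a list of stanza dicts.

    Blank lines separate stanzas, '#' lines are comments, and a line starting
    with whitespace continues the previous field (deb822 folding).
    """
    stanzas, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        if line[0].isspace() and current:
            last_key = list(current)[-1]
            current[last_key] += " " + line.strip()
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def audit_stanza(stanza):
    """Return a Finding per URI in the stanza, listing transport and key-pinning issues."""
    findings = []
    signed_by = stanza.get("Signed-By")
    for uri in stanza.get("URIs", "").split():
        finding = Finding(uri)
        if urlsplit(uri).scheme.lower() != "https":
            finding.issues.append(
                "plaintext transport: metadata and packages can be altered in "
                "transit; only the Release signature check stands in the way")
        if not signed_by:
            finding.issues.append(
                "no Signed-By: apt accepts any key in the system-wide trusted "
                "keyrings instead of the one keyring you intended to pin")
        findings.append(finding)
    return findings


def audit_sources(text):
    """Parse and audit every stanza in a sources file; returns a flat list of Findings."""
    return [f for stanza in parse_deb822(text) for f in audit_stanza(stanza)]


if __name__ == "__main__":
    for finding in audit_sources(SAMPLE_SOURCES):
        status = "OK" if not finding.issues else "WARN"
        print(f"{status} {finding.uri}")
        for issue in finding.issues:
            print(f"    - {issue}")
```

Running it against a real /etc/apt/sources.list.d/*.sources file is a quick way to confirm that every upstream a mirror (or a connector) pulls from is both https and pinned to a named keyring; the same two checks apply to the URL you paste into a ProGet connector.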
-
ProGet relies on SSL/HTTPS, so instead of connecting to
http://archive.ubuntu.com/ubuntu/
you should use https://archive.ubuntu.com/ubuntu/
I just updated the docs you found to use https instead of http - thanks for pointing that out.
Thanks,
Steve
-
Thank you Steve!
I also noted that the defaults in setting up a connection proposes http - perhaps something to update eventually as well.
Given the reliance on SSL/HTTPS, can you tell what verification ProGet does in terms of certificate, certificate chain and hostname (and what else that can be verified - I'm no expert, but want to make sure someone cannot pretend to be archive.ubuntu.com and get through with it).
Cheers,
Stefan
-
SSL/HTTPS is all handled at the operating-system level.
When there are SSL/HTTPS issues then you will see some kind of OS-level error in ProGet. You can see what these are like by connecting to one of the "bad" options at https://badssl.com/ - the connection will be refused.
Thanks,
Steve
-