
ProGet's validation/verification of apt packages



  • Hi,

    sorry if this is documented or clarified already (please supply a pointer in that case).

    I am setting up ProGet as an apt mirror, and I try to understand the trust model. There are clear instructions on how to add (I guess it is) ProGet's .asc (dearmoured) to the downstream hosts. But how does ProGet verify the upstream? A standard ubuntu.sources seems to look something like

    Types: deb
    URIs: http://archive.ubuntu.com/ubuntu/
    Suites: noble noble-updates noble-backports
    Components: main restricted universe multiverse
    Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
    

    and when setting up a connector in ProGet I had expected to have to add a key, but did not have to. Further, the URI is w/o tls, so using http://archive.ubuntu.com/ubuntu/ in the connector, and not adding a key, seems to make this open to mitm attacks. And notably the example in "Connectors for Debian (apt) feeds" (https://docs.inedo.com/docs/proget/feeds/debian#connectors-for-debian-apt-feeds) uses http, not https.

    TL;DR: basically I want to know the trust model, what kinds of verification are done by ProGet, and how to best set up the upstream part of an apt-mirror feed.

    Br,
    Stefan
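
The downstream side of the trust model the post asks about (what apt itself checks once the Release signature has been verified with the Signed-By key) can be shown in code. The following is an added example, not ProGet's or Inedo's code: it parses the SHA256 section of a Release file and verifies a Packages index against it, which is the hash chain that lets a client detect a modified index regardless of whether the transport was http or https. The Release text and Packages index are constructed samples, and the GPG signature check that precedes this step is assumed to have already passed.

```python
"""Verify an apt index against the hashes published in a (signed) Release file.

Added example, not ProGet's code. After apt has verified the Release/InRelease
signature with the Signed-By key, every index it downloads must match the size
and SHA256 listed there, and every .deb must match the hash in the Packages
index. The Release text and Packages index below are constructed samples.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IndexEntry:
    sha256: str
    size: int
    path: str


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: IndexEntry} for the SHA256: section of a Release file.

    The section starts with the line 'SHA256:' and continues while lines start
    with a space (the RFC822-style continuation apt uses).
    """
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"
            continue
        if not in_section:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, size, path = parts
        if not re.fullmatch(r"[0-9a-f]{64}", digest):
            raise ValueError(f"bad SHA256 digest for {path}: {digest!r}")
        entries[path] = IndexEntry(digest, int(size), path)
    return entries


def verify_index(entries: dict, path: str, content: bytes) -> bool:
    """True only if both size and SHA256 of content match the Release entry.

    A missing entry is a failure: apt refuses indices the Release file does not
    vouch for, and TLS on the transport alone gives no such guarantee.
    """
    entry = entries.get(path)
    if entry is None:
        return False
    if len(content) != entry.size:
        return False
    return hashlib.sha256(content).hexdigest() == entry.sha256


# Constructed sample Packages index (the kind of file served under
# dists/noble/main/binary-amd64/Packages), deliberately tiny.
SAMPLE_PACKAGES = (
    b"Package: hello\n"
    b"Version: 2.10-3\n"
    b"Architecture: amd64\n"
    b"Filename: pool/main/h/hello/hello_2.10-3_amd64.deb\n"
    b"SHA256: " + b"0" * 64 + b"\n"
    b"\n"
)


def sample_release() -> str:
    """Constructed Release file whose SHA256 section vouches for SAMPLE_PACKAGES."""
    digest = hashlib.sha256(SAMPLE_PACKAGES).hexdigest()
    return (
        "Origin: Ubuntu\n"
        "Suite: noble\n"
        "Codename: noble\n"
        "Components: main restricted universe multiverse\n"
        "Architectures: amd64\n"
        "SHA256:\n"
        f" {digest} {len(SAMPLE_PACKAGES)} main/binary-amd64/Packages\n"
    )


def demo() -> tuple:
    """Returns (genuine index verifies, modified index is rejected)."""
    entries = parse_release_sha256(sample_release())
    genuine = verify_index(entries, "main/binary-amd64/Packages", SAMPLE_PACKAGES)
    # Any change to the index bytes (here: a different package hash) must be rejected.
    modified = SAMPLE_PACKAGES.replace(b"0000", b"ffff", 1)
    rejected = not verify_index(entries, "main/binary-amd64/Packages", modified)
    return genuine, rejected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The point for a mirror operator: a client that trusts the mirror's own signing key (ProGet's .asc here) only gets this protection for content the mirror itself signed, so what the mirror verified when it fetched from upstream determines what the downstream signature is actually vouching for.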


  • inedo-engineer

    Hi @stefan-hakansson_8938,

    ProGet relies on SSL/HTTPS, so instead of connecting to http://archive.ubuntu.com/ubuntu/ you should use https://archive.ubuntu.com/ubuntu/.

    I just updated the docs you found to use https instead of http - thanks for pointing that out.

    Thanks,
    Steve



  • Thank you Steve!

    I also noted that the defaults in setting up a connection proposes http - perhaps something to update eventually as well.

    Given the reliance on SSL/HTTPS, can you tell what verification ProGet does in terms of certificate, certificate chain and hostname (and what else that can be verified - I'm no expert, but want to make sure someone cannot pretend to be archive.ubuntu.com and get through with it).

    Cheers,
    Stefan


  • inedo-engineer

    Hi @stefan-hakansson_8938 ,

    SSL/HTTPS is all handled at the operating-system level.

    When there are SSL/HTTPS issues then you will see some kind of OS-level error in ProGet. You can see what these are like by connecting to one of the "bad" options at https://badssl.com/ - the connection will be refused.

    Thanks,
    Steve
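
What "OS-level" HTTPS verification checks, and how to see it fail against the badssl.com hosts mentioned above, can be shown with a small probe. This is an added example, not ProGet's code: it uses Python's ssl module (which takes its CA store from the operating system) to build a properly verifying client context next to the weak configuration, and classifies connection failures the way an operator would triage them. The badssl.com hostnames come from the thread; the function names and the classification are this example's own.

```python
"""Probe what OS-level HTTPS verification checks on a connector URL.

Added example, not ProGet's code. Two checks stop someone impersonating
archive.ubuntu.com: the certificate chain must lead to a root in the OS trust
store, and the certificate must name the host that was requested. The
badssl.com hosts from the thread exercise both failure modes.
"""
import socket
import ssl
from typing import Optional
from urllib.parse import urlparse


def verified_context() -> ssl.SSLContext:
    """Context with chain verification and hostname checking, as a client should use."""
    ctx = ssl.create_default_context()  # loads the OS trust store
    return ctx


def unverified_context() -> ssl.SSLContext:
    """The weak setting: encrypts the connection but accepts any certificate.

    Shown only so the difference is visible; a connector configured like this
    is no better against an impersonator than plain http://.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """True when both the chain and the hostname are checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def classify(exc: BaseException) -> str:
    """Map a connection failure to the category an operator would act on."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Expired, self-signed, untrusted root and hostname mismatch all land
        # here; verify_message (set by OpenSSL) says which.
        detail = getattr(exc, "verify_message", None) or str(exc)
        return "certificate rejected: " + detail
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake failed: " + str(exc)
    if isinstance(exc, OSError):
        return "network error: " + str(exc)
    return "unexpected: " + repr(exc)


def probe(url: str, ctx: Optional[ssl.SSLContext] = None, timeout: float = 10.0) -> str:
    """Open a TLS connection to url's host and report 'ok' or the failure class."""
    ctx = ctx or verified_context()
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(x[0] for x in tls.getpeercert()["subject"])
                return "ok: verified certificate for " + subject.get("commonName", host)
    except Exception as exc:  # noqa: BLE001 - we want to classify everything
        return classify(exc)


def self_check() -> dict:
    """Offline check of classify() on constructed failures (no network needed)."""
    return {
        "expired": classify(ssl.SSLCertVerificationError(1, "certificate has expired")),
        "wrong_host": classify(ssl.SSLCertVerificationError(1, "hostname mismatch")),
        "handshake": classify(ssl.SSLError(1, "handshake failure")),
        "refused": classify(ConnectionRefusedError("connection refused")),
    }


if __name__ == "__main__":
    # Hosts named in the thread; run with network access to see each outcome.
    for target in (
        "https://archive.ubuntu.com/ubuntu/",
        "https://expired.badssl.com/",
        "https://wrong.host.badssl.com/",
        "https://self-signed.badssl.com/",
    ):
        print(target, "->", probe(target))
```

Running `probe()` with `unverified_context()` instead of the default returns "ok" for every badssl.com host, which is exactly the behaviour a connector must not have; the verified context is what the OS-level error in ProGet corresponds to.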



  • Hi Steve, thank you!

    I will try badssl.com out and see how ProGet reacts.

    Thank you again,
    Stefan

