ProGet's validation/verification of apt packages

Hi,

sorry if this is documented or clarified already (please supply a pointer in that case).

I am setting up ProGet as an apt mirror, and I try to understand the trust model. There are clear instructions on how to add (I guess it is) ProGet's .asc (dearmoured) to the downstream hosts. But how does ProGet verify the upstream? A standard ubuntu.sources seem to look something like

Types: deb
URIs: http://archive.ubuntu.com/ubuntu/
Suites: noble noble-updates noble-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

and when setting up a connector in ProGet I had expected to have to add a key, but did not have to. Further, the URI is w/o tls, so using http://archive.ubuntu.com/ubuntu/ in the connector, and not adding a key, seems to make this open to mitm attacks. And notably the example in "Connectors for Debian (apt) feeds" (https://docs.inedo.com/docs/proget/feeds/debian#connectors-for-debian-apt-feeds) uses http, not https.

TL; DR basically I want to know the trust model, what kind of verifications done by ProGet, and how to best setup the upstream part of an apt-mirror feed.

Br,
Stefan

Thanks @rhessinger, that clarifies things, and I can move on. Best regards, Stefan

Using the default / built-in for everything.

When trying in InedoHub (on-line version) I get the error "Upgrade Blocked" "DBO privileges are required for the product's connection string to upgrade to this version."

Great, thanks!

Hi Steve, I fully understand. I will carry on using the existing format then. Thanks for the tip regarding use of pgutil!

Thanks,
Stefan

Hi Steve, thanks for responding so quickly.

I think deb822 is a newer format (than the "one-line-style" format), and it is preferred in the context I'm working in. There is some info in https://manpages.debian.org/stretch/apt/sources.list.5.en.html.

I have to focus on other stuff for some time now, so perhaps we can let this one rest until I can provide more input. But for some info, my /etc/apt/sources.list.d/ubuntu.sources file contains
Types: deb
URIs: http://sto1.clouds.archive.ubuntu.com/ubuntu/
Suites: noble noble-updates noble-backports
Components: main
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

I hope to be able to just replace the URI (and the key) to point at a ProGet feed connected to http://sto1.clouds.archive.ubuntu.com/ubuntu/ that I have setup. However it seems that curl http://sto1.clouds.archive.ubuntu.com/ubuntu/ returns something that I can not obtain from curling to the ProGet feed so I am not sure it will work. But let me investigate more and come back later.

Of course it is possible to work around and go back to .list files, buf my preference would be to keep using .sources.

Thanks,
Stefan

The instructions should be updated, instead of
&& sudo apt-key add "feedname.gpg"
something like
| gpg --dearmor | sudo tee /etc/apt/keyrings/feedname.gpg > /dev/null
should be used, and
echo "deb http..... should be something like
echo "deb [signed-by=/etc/apt/keyrings/feedname.gpg] http....
(if I have understood things correctly)

Recent Ubuntu releases use deb822 / ubuntu.sources for package handling. However, if I connect an deb822 source (e.g., http://sto1.clouds.archive.ubuntu.com/ubuntu/) to a feed, it seems that the output of that feed is not deb822 but rather according to the old format. Is there any plan to properly handle deb822 sources in ProGet?