Replies: 2 comments
-
We are in the process of transitioning to the CBL-Mariner image: https://github.com/microsoft/CBL-Mariner @darrentu, do we want to hold on making any changes here until that transition is complete? |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
We should never install any 3rd party key with apt-key add, because it would cause the system to accept signatures from the third-party keyholder on all other repositories configured on the system.
Explained in great detail here : https://askubuntu.com/questions/1286545/what-commands-exactly-should-replace-the-deprecated-apt-key, relevant part below:
"The problem is not a question of appending a key to one big keyring file etc/apt/trusted.gpg vs manually putting single-key keyring files into the directory /etc/apt/trusted.gpg.d/. These two things are equivalent, and doing either one is a huge security risk.
The problem is that any key you add to either of the above is completely and unconditionally trusted by apt. This means that when installing any package from any repo (including the official distro repos), apt will happily accept the package being signed by any of those trusted keys (whether the key belongs to the repository the package is coming from or not). This weakens the assurance provided by the package signing mechanism against malicous packages being injected into the official Ubuntu mirrors network."
This recomandation is part of the Debian wiki for installing 3rd party software: https://wiki.debian.org/DebianRepository/UseThirdParty
"The key MUST be downloaded over a secure mechanism like HTTPS to a location only writable by root. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add."
Therefore the example line below
CloudShell/linux/base.Dockerfile
Line 79 in 2ba756a
should be modified with the following steps:
curl https://deriv.example.net/debian/deriv-archive-keyring.gpg | gpg --dearmor > /usr/share/keyrings/deriv-archive-keyring.gpg
Although not perfect the Microsoft documentation has an almost accurate example of how to install az-cli using the apt package manager: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt#option-2-step-by-step-installation-instructions.
The example is not 100% correct because the key is placed in /etc/apt/trusted.gpg.d/ meaning it will be trusted for all other repositories whereas it should be placed anywhere else on the file system, as per Debian wiki suggestion /usr/share/keyrings/ would be preferred.
Beta Was this translation helpful? Give feedback.
All reactions