To secure software installation, the apt tool requires keys that authenticate the software it installs.
Keys for Debian software
They are supplied at installation time by the debian-archive-keyring package:
root@debian:~# ls -alrt /usr/share/keyrings
-rw-r--r-- 1 root root 2263 25 févr. 2021 debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 7452 25 févr. 2021 debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 7443 25 févr. 2021 debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 36873 25 févr. 2021 debian-archive-removed-keys.gpg
-rw-r--r-- 1 root root 55625 25 févr. 2021 debian-archive-keyring.gpg
-rw-r--r-- 1 root root 2332 25 févr. 2021 debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 8141 25 févr. 2021 debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 8132 25 févr. 2021 debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 2453 25 févr. 2021 debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8709 25 févr. 2021 debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 8700 25 févr. 2021 debian-archive-bullseye-automatic.gpg
root@debian:~# ls -alrt /etc/apt/trusted.gpg.d
-rw-r--r-- 1 root root 2263 3 sept. 2017 debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 7452 3 sept. 2017 debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 7443 3 sept. 2017 debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 2332 23 avril 2019 debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 8141 23 avril 2019 debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 8132 23 avril 2019 debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 2453 25 févr. 2021 debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8709 25 févr. 2021 debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 8700 25 févr. 2021 debian-archive-bullseye-automatic.gpg
Use case: a non-Debian software repository (third-party software)
Spotify
The key is available on Spotify's website.
Method 1
Although deprecated, the apt-key tool still works. Register the key (note: do not omit the trailing dash after add):
curl -sS https://download.spotify.com/debian/pubkey_0D811D58.gpg | sudo apt-key --keyring /etc/apt/trusted.gpg.d/spotify.gpg add -
Note the message saying that apt-key is deprecated:
[sudo] Mot de passe de :
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
Method 2, with the gpg tool
Fetch the key from the site:
wget -O /tmp/0D811D58.gpg https://download.spotify.com/debian/pubkey_0D811D58.gpg
Convert it via a temporary keyring:
sudo gpg --no-default-keyring --keyring /tmp/spotify-keyring.gpg --import /tmp/0D811D58.gpg
gpg: le trousseau local « /tmp/spotify-keyring.gpg » a été créé
gpg: clef D1742AD60D811D58 : clef publique « Spotify Public Repository Signing Key <tux@spotify.com> » importée
gpg: Quantité totale traitée : 1
gpg: importées : 1
Create a key file that apt can use:
sudo gpg --no-default-keyring --keyring /tmp/spotify-keyring.gpg --export --output /etc/apt/trusted.gpg.d/spotify.gpg
Checks.
/etc/apt/trusted.gpg.d$ ls -alrt
total 88
-rw-r--r-- 1 root root 2263 3 sept. 2017 debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 7452 3 sept. 2017 debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 7443 3 sept. 2017 debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 2332 23 avril 2019 debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 8141 23 avril 2019 debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 8132 23 avril 2019 debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 2453 25 févr. 2021 debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8709 25 févr. 2021 debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 8700 25 févr. 2021 debian-archive-bullseye-automatic.gpg
drwxr-xr-x 7 root root 4096 3 sept. 14:00 ..
-rw-r--r-- 1 root root 1184 4 sept. 08:05 spotify.gpg
/etc/apt/trusted.gpg.d$ file spotify.gpg
spotify.gpg: PGP/GPG key public ring (v4) created Tue Sep 8 13:35:47 2020 RSA (Encrypt or Sign) 4096 bits MPI=0xd0ff0bba75deda92...
/etc/apt/trusted.gpg.d$ apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
------------------------------------------------------------
pub rsa4096 2021-01-17 [SC] [expire : 2029-01-15]
1F89 983E 0081 FDE0 18F3 CC96 73A4 F27B 8DD4 7936
uid [ inconnue] Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
sub rsa4096 2021-01-17 [S] [expire : 2029-01-15]
/etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
---------------------------------------------------------------------
pub rsa4096 2021-01-17 [SC] [expire : 2029-01-15]
AC53 0D52 0F2F 3269 F5E9 8313 A484 4904 4AAD 5C5D
uid [ inconnue] Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
sub rsa4096 2021-01-17 [S] [expire : 2029-01-15]
/etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
---------------------------------------------------------
pub rsa4096 2021-02-13 [SC] [expire : 2029-02-11]
A428 5295 FC7B 1A81 6000 62A9 605C 66F0 0D6C 9793
uid [ inconnue] Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>
/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
----------------------------------------------------------
pub rsa4096 2019-04-14 [SC] [expire : 2027-04-12]
80D1 5823 B7FD 1561 F9F7 BCDD DC30 D7C2 3CBB ABEE
uid [ inconnue] Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub rsa4096 2019-04-14 [S] [expire : 2027-04-12]
/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-------------------------------------------------------------------
pub rsa4096 2019-04-14 [SC] [expire : 2027-04-12]
5E61 B217 265D A980 7A23 C5FF 4DFA B270 CAA9 6DFA
uid [ inconnue] Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub rsa4096 2019-04-14 [S] [expire : 2027-04-12]
/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-------------------------------------------------------
pub rsa4096 2019-02-05 [SC] [expire : 2027-02-03]
6D33 866E DD8F FA41 C014 3AED DCC9 EFBF 77E1 1517
uid [ inconnue] Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>
/etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
-----------------------------------------------------------
pub rsa4096 2017-05-22 [SC] [expire : 2025-05-20]
E1CF 20DD FFE4 B89E 8026 58F1 E0B1 1894 F66A EC98
uid [ inconnue] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub rsa4096 2017-05-22 [S] [expire : 2025-05-20]
/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
--------------------------------------------------------------------
pub rsa4096 2017-05-22 [SC] [expire : 2025-05-20]
6ED6 F5CB 5FA6 FB2F 460A E88E EDA0 D238 8AE2 2BA9
uid [ inconnue] Debian Security Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub rsa4096 2017-05-22 [S] [expire : 2025-05-20]
/etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
--------------------------------------------------------
pub rsa4096 2017-05-20 [SC] [expire : 2025-05-18]
067E 3C45 6BAE 240A CEE8 8F6F EF0F 382A 1A7B 6500
uid [ inconnue] Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org>
/etc/apt/trusted.gpg.d/google.gpg
---------------------------------
pub dsa1024 2007-03-08 [SC]
4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
uid [ inconnue] Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub elg2048 2007-03-08 [E]
pub rsa4096 2016-04-12 [SC]
EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
uid [ inconnue] Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub rsa4096 2019-07-22 [S] [expire : 2022-07-21]
/etc/apt/trusted.gpg.d/spotify.gpg
----------------------------------
pub rsa4096 2020-09-08 [SC] [expire : 2021-12-02]
8FD3 D9A8 D380 0305 A9FF F259 D174 2AD6 0D81 1D58
uid [ inconnue] Spotify Public Repository Signing Key <tux@spotify.com>
New standard: the repository's signing key declared in the sources files
To meet the security recommendations, each repository can be bound to its signing key directly in the sources.list file.
Reference: https://wiki.debian.org/DebianRepository/UseThirdParty
/etc/apt/sources.list:deb [signed-by=/usr/share/keyrings/debian-archive-bullseye-security-automatic.gpg] https://cdn-aws.deb.debian.org/debian-security bullseye-security contrib main non-free
/etc/apt/sources.list:deb [signed-by=/usr/share/keyrings/debian-archive-bullseye-stable.gpg] https://cdn-aws.deb.debian.org/debian/ bullseye contrib main non-free
/etc/apt/sources.list:deb [signed-by=/usr/share/keyrings/debian-archive-bullseye-automatic.gpg] https://cdn-aws.deb.debian.org/debian/ bullseye-proposed-updates contrib main non-free
/etc/apt/sources.list:deb [signed-by=/usr/share/keyrings/debian-archive-bullseye-automatic.gpg] https://cdn-aws.deb.debian.org/debian/ bullseye-updates contrib main non-free
/etc/apt/sources.list:deb [signed-by=/usr/share/keyrings/debian-archive-bullseye-automatic.gpg] https://cdn-aws.deb.debian.org/debian/ bullseye-backports contrib main non-free
/etc/apt/sources.list:deb [signed-by=/usr/share/keyrings/debian-archive-bullseye-automatic.gpg] https://cdn-aws.deb.debian.org/debian/ bookworm contrib main non-free
/etc/apt/sources.list:deb [signed-by=/usr/share/keyrings/debian-archive-bullseye-automatic.gpg] https://cdn-aws.deb.debian.org/debian/ sid contrib main non-free
/etc/apt/sources.list.d/01-experimental.list:deb [signed-by=/usr/share/keyrings/debian-archive-bullseye-automatic.gpg] https://cdn-aws.deb.debian.org/debian/ experimental main
Using the new source file format for Spotify
Create the file /etc/apt/sources.list.d/spotify.sources:
Types: deb
URIs: http://repository.spotify.com
Suites: stable
Architectures: amd64
Components: non-free
Signed-By: /usr/share/keyrings/spotify.gpg
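The two sections above (signed-by on one-line entries, Signed-By in deb822 stanzas) are easy to get wrong on a host with many source files. The script below is an added example, not code from the original post: it audits a directory of apt source files and reports entries that are not bound to a key, plus deb822 stanzas whose Signed-By points into /etc/apt/trusted.gpg.d (a key there is trusted for every repository anyway, so the binding adds nothing). The function names (audit_apt_sources, count_findings, make_sample), the temporary sample tree and the example.invalid URIs are all constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): audit apt source files for
# repositories that are not bound to their own key. It reports one-line "deb"
# entries without a signed-by= option, deb822 stanzas without Signed-By:, and
# stanzas whose Signed-By points into /etc/apt/trusted.gpg.d (such a key is
# trusted for every repository anyway, so the binding buys nothing).
# Sample files are constructed below under a temporary directory.
set -eu

# audit_apt_sources <dir>: print one finding per line for *.list and *.sources in <dir>.
audit_apt_sources() {
    dir=$1
    # One-line format: keep "deb"/"deb-src" lines whose option block is absent
    # or lacks signed-by=. The pipeline's status is sed's, so no match is not an error.
    for f in "$dir"/*.list; do
        [ -e "$f" ] || continue
        grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$f" \
            | grep -vE '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*signed-by=[^]]*\]' \
            | sed "s|^|$f: no signed-by: |"
    done
    # deb822 format: stanzas are separated by blank lines. Report a stanza that
    # has URIs: but no Signed-By:, or a Signed-By: under trusted.gpg.d.
    for f in "$dir"/*.sources; do
        [ -e "$f" ] || continue
        awk -v file="$f" '
            function flush() {
                if (uris != "") {
                    if (!signed)   print file ": no Signed-By for " uris
                    if (intrusted) print file ": Signed-By in trusted.gpg.d for " uris
                }
                uris = ""; signed = 0; intrusted = 0
            }
            /^[[:space:]]*$/ { flush(); next }
            /^URIs:/         { uris = $2 }
            /^Signed-By:/    { signed = 1
                               if ($2 ~ /^\/etc\/apt\/trusted\.gpg\.d\//) intrusted = 1 }
            END { flush() }
        ' "$f"
    done
}

# count_findings <dir>: number of lines audit_apt_sources prints (0 = clean).
count_findings() { audit_apt_sources "$1" | wc -l | tr -d ' '; }

# make_sample: build a constructed /etc/apt-like tree and print its path.
# Entry 1 and stanza 1 are bound to a key; the others are the cases the audit catches.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/sources.list" <<'EOF'
deb [signed-by=/usr/share/keyrings/debian-archive-bullseye-stable.gpg] https://cdn-aws.deb.debian.org/debian/ bullseye contrib main non-free
deb https://cdn-aws.deb.debian.org/debian-security bullseye-security main
deb [arch=amd64] http://repository.spotify.com stable non-free
EOF
    cat > "$d/spotify.sources" <<'EOF'
Types: deb
URIs: http://repository.spotify.com
Suites: stable
Architectures: amd64
Components: non-free
Signed-By: /usr/share/keyrings/spotify.gpg

Types: deb
URIs: http://example.invalid/debian
Suites: stable
Components: main

Types: deb
URIs: http://example.invalid/other
Suites: stable
Components: main
Signed-By: /etc/apt/trusted.gpg.d/other.gpg
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: audit the constructed tree (real use: run audit_apt_sources
# on /etc/apt and on /etc/apt/sources.list.d).
sample=$(make_sample)
audit_apt_sources "$sample"
```

On the constructed tree the audit prints four findings: two one-line entries without signed-by, one deb822 stanza without Signed-By, and one stanza whose key lives in trusted.gpg.d. An empty output on a real host means every repository names its own keyring, which is the state the post reaches by emptying /etc/apt/trusted.gpg.d.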
This way I no longer blindly trust any repository: I deleted everything in trusted.gpg.d.
debian:/etc/apt/trusted.gpg.d$ ls -alrt
total 8
drwxr-xr-x 2 root root 4096 5 sept. 12:59 .
drwxr-xr-x 7 root root 4096 5 sept. 18:02 ..
The third-party (Spotify) repository key was moved to /usr/share/keyrings:
root@debian:~# ls -alrt /usr/share/keyrings/spotify.gpg
-rw-r--r-- 1 root root 1184 5 sept. 12:57 /usr/share/keyrings/spotify.gpg
Securing third-party repositories
To avoid installing unwanted packages from a third-party repository, add a pinning preferences file.
Create the file /etc/apt/preferences.d/spotify
with the following content:
Package: *
Pin: origin repository.spotify.com
Pin-Priority: 1

Package: spotify-client
Pin: origin repository.spotify.com
Pin-Priority: 500
Only the spotify-client package will be handled by apt from that repository.
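The preferences file above relies on one rule: a record naming the package wins over the "Package: *" record for the same origin. The script below is an added example, not code from the original post; it generalises the single spotify-client record to an allow-list of any number of packages from one origin, and includes a small resolver that reads the file back and reports the priority a package gets. The function names (write_allowlist_pin, pin_priority) and the package name libexample are constructed for this example; the resolver implements only that one rule, and on a real host the authoritative check remains apt-cache policy <package>.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): generate an apt preferences
# file that allow-lists chosen packages from a third-party origin, and a small
# resolver that mirrors the one rule the file relies on: a record naming the
# package beats the "Package: *" record. On a real host the authoritative check
# is "apt-cache policy <package>"; this resolver only reads the file.
set -eu

# write_allowlist_pin <origin> <package>...: print the preferences records.
# Priority 1 on "*" means apt never installs or upgrades from this origin on
# its own; each listed package is raised back to 500, the priority of a normal
# archive. Records are separated by blank lines, as apt_preferences(5) requires.
write_allowlist_pin() {
    origin=$1; shift
    printf 'Package: *\nPin: origin %s\nPin-Priority: 1\n' "$origin"
    for pkg in "$@"; do
        printf '\nPackage: %s\nPin: origin %s\nPin-Priority: 500\n' "$pkg" "$origin"
    done
}

# pin_priority <prefs-file> <origin> <package>: priority the file gives <package>
# from <origin>. Prints 500 (apt's default for a normal archive) when no record applies.
pin_priority() {
    awk -v origin="$2" -v pkg="$3" '
        function flush() {
            if (pin == "origin " origin) {
                if (p == pkg) { specific = prio } else if (p == "*") { general = prio }
            }
            p = ""; pin = ""; prio = ""
        }
        /^[[:space:]]*$/ { flush(); next }
        /^Package:/      { if (p != "") flush(); p = $2 }   # tolerate records with no blank line
        /^Pin:/          { pin = $2 " " $3 }
        /^Pin-Priority:/ { prio = $2 }
        END {
            flush()
            if (specific != "") { print specific } else if (general != "") { print general } else { print 500 }
        }' "$1"
}

# Stand-alone run: build the file for the post's case and show the effect
# (real use: write the output to /etc/apt/preferences.d/spotify).
prefs=$(mktemp)
write_allowlist_pin repository.spotify.com spotify-client > "$prefs"
cat "$prefs"
for name in spotify-client libexample; do
    printf '%s from repository.spotify.com -> priority %s\n' \
        "$name" "$(pin_priority "$prefs" repository.spotify.com "$name")"
done
```

For the post's case the generated file is the one shown above; spotify-client resolves to 500 and any other package from repository.spotify.com to 1, while a package from an origin the file does not mention keeps the default 500.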
apt-key deprecated
Starting with Debian 12 Bookworm, apt-key will no longer be used.
See https://manpages.debian.org/unstable/apt/apt-key.8.en.html
DEPRECATION
Except for using apt-key del in maintainer scripts, the use of apt-key is deprecated. This section shows how to replace existing use of apt-key.
If your existing use of apt-key add looks like this:
wget -qO- https://myrepo.example/myrepo.asc | sudo apt-key add -
Then you can directly replace this with (though note the recommendation below):
wget -qO- https://myrepo.example/myrepo.asc | sudo tee /etc/apt/trusted.gpg.d/myrepo.asc
Make sure to use the "asc" extension for ASCII armored keys and the "gpg" extension for the binary OpenPGP format (also known as "GPG key public ring"). The binary OpenPGP format works for all apt versions, while the ASCII armored format works for apt version >= 1.4.
Recommended: Instead of placing keys into the /etc/apt/trusted.gpg.d directory, you can place them anywhere on your filesystem by using the Signed-By option in your sources.list and pointing to the filename of the key. See sources.list(5) for details. Since APT 2.4, /etc/apt/keyrings is provided as the recommended location for keys not managed by packages. When using a deb822-style sources.list, and with apt version >= 2.4, the Signed-By option can also be used to include the full ASCII armored keyring directly in the sources.list without an additional file.