PhoenicisOrg/phoenicis-backend

Ubuntu package key provided by insecure HTTP, not available via HTTPS


https://www.playonlinux.com/en/download.html for Ubuntu instructs to run:
wget -q "http://deb.playonlinux.com/public.gpg" -O- | sudo apt-key add -

This is insecure HTTP and vulnerable to a MITM attacker replacing the keys with their own. It opens the system to an attacker installing arbitrary packages signed by themselves.

https://deb.playonlinux.com/public.gpg is 404 (a web server is, however, listening with a valid Let's Encrypt certificate).

Expected behavior

wget -q "https://deb.playonlinux.com/public.gpg" -O- | sudo apt-key add -

Actual behavior

$ wget "https://deb.playonlinux.com/public.gpg"
--2020-10-06 14:09:33--  https://deb.playonlinux.com/public.gpg
Resolving deb.playonlinux.com (deb.playonlinux.com)... 2001:41d0:2:37ca::1e, 51.254.83.230
Connecting to deb.playonlinux.com (deb.playonlinux.com)|2001:41d0:2:37ca::1e|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2020-10-06 14:09:33 ERROR 404: Not Found.

(also via IPv4 to 51.254.83.230)

Steps to reproduce

Try to install PlayOnLinux on Ubuntu

System information

Ubuntu 18.04, Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
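The hardened form of the key-install step, as an added example that is not part of the issue or of the PlayOnLinux project: fetch only over HTTPS, pin the key's fingerprint, and install it as a dedicated keyring rather than piping into `apt-key add`. The URL is the one the issue expects to work; the fingerprint value and the keyring path are placeholders/assumptions.

```shell
#!/bin/sh
# Added example, not code from the PlayOnLinux project: fetch an APT repository
# signing key over HTTPS only, pin its fingerprint, and install it as its own
# keyring file instead of piping it into `apt-key add`. EXPECTED_FPR is a
# placeholder to be replaced with the fingerprint the project publishes out of band.
set -eu
KEY_URL="https://deb.playonlinux.com/public.gpg"
EXPECTED_FPR="0000000000000000000000000000000000000000"  # placeholder, 40 hex digits
KEYRING="/usr/share/keyrings/playonlinux-archive-keyring.gpg"  # assumed path

# Refuse any key URL that is not https://; the plaintext fetch from the
# download page is exactly the MITM exposure the issue describes.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS key URL: $1" >&2; return 1 ;;
    esac
}

# Compare fingerprints ignoring spacing and case (gpg prints them in groups,
# projects publish them in either case); an empty fingerprint never matches.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

install_repo_key() {
    url="$1"; expected="$2"; dest="$3"
    require_https "$url"
    tmp=$(mktemp)
    # --https-only also refuses a redirect back to plaintext http.
    wget -q --https-only "$url" -O "$tmp"
    # Accept an ASCII-armored or binary key; the installed keyring must be binary.
    if head -c 20 "$tmp" | grep -q 'BEGIN PGP'; then
        gpg --dearmor < "$tmp" > "$tmp.bin" && mv "$tmp.bin" "$tmp"
    fi
    actual=$(gpg --show-keys --with-colons "$tmp" | awk -F: '$1 == "fpr" { print $10; exit }')
    if ! fingerprint_matches "$expected" "$actual"; then
        echo "fingerprint mismatch: expected $expected, got ${actual:-none}" >&2
        rm -f "$tmp"; return 1
    fi
    install -m 0644 "$tmp" "$dest" && rm -f "$tmp"
    # Reference it as [signed-by=$dest] in the repository's sources entry.
    echo "installed $dest"
}

# Stand-alone use (as root): sh this_script.sh --install
if [ "${1:-}" = "--install" ]; then
    install_repo_key "$KEY_URL" "$EXPECTED_FPR" "$KEYRING"
fi
```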