rspamd/rspamd.com

[BUG] Debian installation instructions highly insecure

Opened this issue · 7 comments

The docs specify the following instructions on how to install rspamd on Debian.

apt-get install -y lsb-release wget # optional
CODENAME=`lsb_release -c -s`
wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add -
echo "deb [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list
echo "deb-src [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" >> /etc/apt/sources.list.d/rspamd.list
apt-get update
apt-get --no-install-recommends install rspamd

This is highly insecure as it is adding non-Debian keys to the global trusted keyring - and will stop working in the near future. See

Correct instructions are:

sudo apt-get install -y lsb-release wget # optional
CODENAME=`lsb_release -c -s`
sudo mkdir -p /etc/apt/keyrings
wget -O- https://rspamd.com/apt-stable/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/rspamd.gpg > /dev/null
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ $CODENAME main" | sudo tee /etc/apt/sources.list.d/rspamd.list
echo "deb-src [arch=amd64 signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ $CODENAME main" | sudo tee -a /etc/apt/sources.list.d/rspamd.list
sudo apt-get update
sudo apt-get --no-install-recommends install rspamd
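An added audit helper (example code, not from rspamd or its documentation) that finds the configuration this issue warns about: apt source entries without signed-by= are verified against the global trusted keyring, so a vendor key added there with apt-key can sign packages for every repository on the host. The two sample source files it writes are constructed from the old and the corrected rspamd entries above; list_global_keys assumes gpg is installed and reads the standard /etc/apt/trusted.gpg* locations.

```shell
#!/bin/sh
# Added audit helper for this issue (not part of rspamd or its docs).
# Entries without signed-by= fall back to apt's global trusted keyring.

# audit_apt_sources FILE...  prints every deb/deb-src entry lacking signed-by=.
# Exit status 0 if all entries are pinned to a keyring, 1 otherwise.
audit_apt_sources() {
    status=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # active deb/deb-src lines (comments skipped) with no signed-by option
        unpinned=$(grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$f" \
                   | grep -v 'signed-by=' || true)
        if [ -n "$unpinned" ]; then
            status=1
            printf 'UNPINNED %s\n' "$f"
            printf '%s\n' "$unpinned" | sed 's/^/    /'
        fi
    done
    return "$status"
}

# list_global_keys  shows the keys apt trusts for *every* repository.
# Debian's own archive keys belong here; a vendor key added with
# "apt-key add" does not and should move to /etc/apt/keyrings instead.
list_global_keys() {
    for kr in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.gpg; do
        [ -f "$kr" ] || continue
        printf '%s\n' "$kr"
        gpg --no-default-keyring --keyring "$kr" --list-keys --with-colons 2>/dev/null \
            | awk -F: '$1 == "uid" { print "    " $10 }'
    done
}

# make_sample_dir  writes two constructed source files mirroring this issue:
# the old entry (no signed-by) and the corrected one. Prints the directory.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'deb [arch=amd64] http://rspamd.com/apt-stable/ buster main\n' > "$d/old.list"
    printf '# a comment line, must be ignored by the audit\n' >> "$d/old.list"
    printf 'deb [arch=amd64 signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ buster main\n' > "$d/new.list"
    printf 'deb-src [arch=amd64 signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ buster main\n' >> "$d/new.list"
    printf '%s\n' "$d"
}

# Demo on the constructed sample, not on the live host's configuration.
sample=$(make_sample_dir)
audit_apt_sources "$sample/old.list" "$sample/new.list" || echo "-> add signed-by=/etc/apt/keyrings/<repo>.gpg to the lines above"
rm -rf "$sample"
```

On a real host run it as `audit_apt_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list` and compare `list_global_keys` against the keys you expect Debian itself to ship.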

Will it work for Ubuntu as well?

Transferred issue to the website repo.

Yes, they use the same infrastructure for the key management. See also https://manpages.ubuntu.com/manpages/hirsute/de/man8/apt-key.8.html

Cool, thank you!

Updated, please check

Seems to work:

$ apt-get update
Hit:1 http://security.debian.org buster/updates InRelease
Hit:3 http://deb.debian.org/debian buster-updates InRelease
Hit:4 http://deb.debian.org/debian buster-proposed-updates InRelease
Hit:5 http://deb.debian.org/debian buster-backports InRelease
Hit:6 http://deb.debian.org/debian buster InRelease
Get:2 https://rspamd.com/apt-stable buster InRelease [2451 B]
Get:7 https://rspamd.com/apt-stable buster/main Sources [828 B]
Get:8 https://rspamd.com/apt-stable buster/main amd64 Packages [1010 B]
Fetched 4289 B in 1s (5511 B/s)     
Reading package lists... Done
$ apt-get --no-install-recommends install rspamd
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libglib2.0-0 libhyperscan5 libicu63 libsodium23 libunwind8
Recommended packages:
  libglib2.0-data shared-mime-info xdg-user-dirs
The following NEW packages will be installed:
  libglib2.0-0 libhyperscan5 libicu63 libsodium23 libunwind8 rspamd
0 upgraded, 6 newly installed, 0 to remove and 9 not upgraded.
Need to get 5889 kB/15.6 MB of archives.
After this operation, 64.4 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian buster/main amd64 libhyperscan5 amd64 5.1.0-1 [2349 kB]
Get:2 https://rspamd.com/apt-stable buster/main amd64 rspamd amd64 2.7-42~buster [3489 kB]
Get:3 http://deb.debian.org/debian buster/main amd64 libunwind8 amd64 1.2.1-10~deb10u1 [51.1 kB]
Fetched 5889 kB in 2s (3059 kB/s)                                
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libhyperscan5.
(Reading database ... 13481 files and directories currently installed.)
Preparing to unpack .../0-libhyperscan5_5.1.0-1_amd64.deb ...
Unpacking libhyperscan5 (5.1.0-1) ...
Selecting previously unselected package libglib2.0-0:amd64.
Preparing to unpack .../1-libglib2.0-0_2.58.3-2+deb10u2_amd64.deb ...
Unpacking libglib2.0-0:amd64 (2.58.3-2+deb10u2) ...
Selecting previously unselected package libicu63:amd64.
Preparing to unpack .../2-libicu63_63.1-6+deb10u1_amd64.deb ...
Unpacking libicu63:amd64 (63.1-6+deb10u1) ...
Selecting previously unselected package libsodium23:amd64.
Preparing to unpack .../3-libsodium23_1.0.17-1_amd64.deb ...
Unpacking libsodium23:amd64 (1.0.17-1) ...
Selecting previously unselected package libunwind8:amd64.
Preparing to unpack .../4-libunwind8_1.2.1-10~deb10u1_amd64.deb ...
Unpacking libunwind8:amd64 (1.2.1-10~deb10u1) ...
Selecting previously unselected package rspamd.
Preparing to unpack .../5-rspamd_2.7-42~buster_amd64.deb ...
Unpacking rspamd (2.7-42~buster) ...
Setting up libsodium23:amd64 (1.0.17-1) ...
Setting up libglib2.0-0:amd64 (2.58.3-2+deb10u2) ...
No schema files found: doing nothing.
Setting up libunwind8:amd64 (1.2.1-10~deb10u1) ...
Setting up libhyperscan5 (5.1.0-1) ...
Setting up libicu63:amd64 (63.1-6+deb10u1) ...
Setting up rspamd (2.7-42~buster) ...
invoke-rc.d: could not determine current runlevel
invoke-rc.d: policy-rc.d denied execution of start.
Processing triggers for libc-bin (2.28-10) ...

Btw, there should most likely be a > /dev/null after the sudo tee /etc/apt/keyrings/rspamd.gpg. I forgot this in my original example and only noticed it when I got a lot of noise when dearmoring the key.

That is now fixed, thank you!