[BUG] Debian installation instructions highly insecure
Opened this issue · 7 comments
Deleted user commented
The docs specify the following instructions for how to install rspamd on Debian.

```sh
apt-get install -y lsb-release wget # optional
CODENAME=`lsb_release -c -s`
wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add -
echo "deb [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list
echo "deb-src [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" >> /etc/apt/sources.list.d/rspamd.list
apt-get update
apt-get --no-install-recommends install rspamd
```
This is highly insecure as it is adding non-Debian keys to the global trusted keyring - and will stop working in the near future. See
- https://michael-prokop.at/blog/2021/02/16/how-to-properly-use-3rd-party-debian-repository-signing-keys-with-apt/
- https://wiki.debian.org/DebianRepository/UseThirdParty
- https://manpages.debian.org/testing/apt/apt-key.8.en.html
Correct instructions are:

```sh
sudo apt-get install -y lsb-release wget # optional
CODENAME=`lsb_release -c -s`
sudo mkdir -p /etc/apt/keyrings
wget -O- https://rspamd.com/apt-stable/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/rspamd.gpg > /dev/null
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ $CODENAME main" | sudo tee /etc/apt/sources.list.d/rspamd.list
echo "deb-src [arch=amd64 signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ $CODENAME main" | sudo tee -a /etc/apt/sources.list.d/rspamd.list
sudo apt-get update
sudo apt-get --no-install-recommends install rspamd
```
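An added check, not part of this issue or of rspamd's documentation: a small audit that flags apt source lines which are not bound to a dedicated keyring with `signed-by=`, which is the property the corrected instructions above establish. The sample file contents in `demo` are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit apt source lines and flag entries that are not bound
# to a dedicated keyring via signed-by=. Such entries are verified against
# the global trusted keyring, which is the apt-key problem described above.

# check_source_line LINE: prints a verdict; returns 0 only for a deb/deb-src
# line whose signed-by= keyring lives in /etc/apt/keyrings or /usr/share/keyrings
check_source_line() {
    line=$1
    case "$line" in
        "deb "*|"deb-src "*) ;;
        *) printf 'not-a-source-line\n'; return 2 ;;
    esac
    case "$line" in
        *signed-by=*) ;;
        *) printf 'missing-signed-by\n'; return 1 ;;
    esac
    # the keyring path ends at the next space or at the closing bracket
    keyring=$(printf '%s\n' "$line" | sed -n 's/.*signed-by=\([^] ]*\).*/\1/p')
    case "$keyring" in
        /etc/apt/keyrings/*|/usr/share/keyrings/*) printf 'ok\n'; return 0 ;;
        *) printf 'unexpected-keyring-path %s\n' "$keyring"; return 1 ;;
    esac
}

# audit_file FILE: checks every non-comment line, returns 1 if any is weak
audit_file() {
    rc=0
    while IFS= read -r l || [ -n "$l" ]; do
        case "$l" in ''|'#'*) continue ;; esac
        verdict=$(check_source_line "$l") || rc=1
        printf '%-24s %s\n' "$verdict" "$l"
    done < "$1"
    return $rc
}

# demo: constructed sample with one entry in the original insecure form and
# one in the signed-by form from the corrected instructions (returns 1: weak entry found)
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample, not a real system file
deb [arch=amd64] http://rspamd.com/apt-stable/ buster main
deb [arch=amd64 signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ buster main
EOF
    rc=0
    audit_file "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run `demo` to see one line reported as `missing-signed-by` and the other as `ok`; point `audit_file` at a real file under `/etc/apt/sources.list.d/` to check an installed system.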
vstakhov commented
Will it work for Ubuntu as well?
vstakhov commented
Transferred issue to the website repo.
Deleted user commented
Yes, they use the same infrastructure for the key management. See also https://manpages.ubuntu.com/manpages/hirsute/de/man8/apt-key.8.html
vstakhov commented
Cool, thank you!
vstakhov commented
Updated, please check
Deleted user commented
Seems to work:

```
$ apt-get update
Hit:1 http://security.debian.org buster/updates InRelease
Hit:3 http://deb.debian.org/debian buster-updates InRelease
Hit:4 http://deb.debian.org/debian buster-proposed-updates InRelease
Hit:5 http://deb.debian.org/debian buster-backports InRelease
Hit:6 http://deb.debian.org/debian buster InRelease
Get:2 https://rspamd.com/apt-stable buster InRelease [2451 B]
Get:7 https://rspamd.com/apt-stable buster/main Sources [828 B]
Get:8 https://rspamd.com/apt-stable buster/main amd64 Packages [1010 B]
Fetched 4289 B in 1s (5511 B/s)
Reading package lists... Done
$ apt-get --no-install-recommends install rspamd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libglib2.0-0 libhyperscan5 libicu63 libsodium23 libunwind8
Recommended packages:
  libglib2.0-data shared-mime-info xdg-user-dirs
The following NEW packages will be installed:
  libglib2.0-0 libhyperscan5 libicu63 libsodium23 libunwind8 rspamd
0 upgraded, 6 newly installed, 0 to remove and 9 not upgraded.
Need to get 5889 kB/15.6 MB of archives.
After this operation, 64.4 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian buster/main amd64 libhyperscan5 amd64 5.1.0-1 [2349 kB]
Get:2 https://rspamd.com/apt-stable buster/main amd64 rspamd amd64 2.7-42~buster [3489 kB]
Get:3 http://deb.debian.org/debian buster/main amd64 libunwind8 amd64 1.2.1-10~deb10u1 [51.1 kB]
Fetched 5889 kB in 2s (3059 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libhyperscan5.
(Reading database ... 13481 files and directories currently installed.)
Preparing to unpack .../0-libhyperscan5_5.1.0-1_amd64.deb ...
Unpacking libhyperscan5 (5.1.0-1) ...
Selecting previously unselected package libglib2.0-0:amd64.
Preparing to unpack .../1-libglib2.0-0_2.58.3-2+deb10u2_amd64.deb ...
Unpacking libglib2.0-0:amd64 (2.58.3-2+deb10u2) ...
Selecting previously unselected package libicu63:amd64.
Preparing to unpack .../2-libicu63_63.1-6+deb10u1_amd64.deb ...
Unpacking libicu63:amd64 (63.1-6+deb10u1) ...
Selecting previously unselected package libsodium23:amd64.
Preparing to unpack .../3-libsodium23_1.0.17-1_amd64.deb ...
Unpacking libsodium23:amd64 (1.0.17-1) ...
Selecting previously unselected package libunwind8:amd64.
Preparing to unpack .../4-libunwind8_1.2.1-10~deb10u1_amd64.deb ...
Unpacking libunwind8:amd64 (1.2.1-10~deb10u1) ...
Selecting previously unselected package rspamd.
Preparing to unpack .../5-rspamd_2.7-42~buster_amd64.deb ...
Unpacking rspamd (2.7-42~buster) ...
Setting up libsodium23:amd64 (1.0.17-1) ...
Setting up libglib2.0-0:amd64 (2.58.3-2+deb10u2) ...
No schema files found: doing nothing.
Setting up libunwind8:amd64 (1.2.1-10~deb10u1) ...
Setting up libhyperscan5 (5.1.0-1) ...
Setting up libicu63:amd64 (63.1-6+deb10u1) ...
Setting up rspamd (2.7-42~buster) ...
invoke-rc.d: could not determine current runlevel
invoke-rc.d: policy-rc.d denied execution of start.
Processing triggers for libc-bin (2.28-10) ...
```
Btw. There should most likely be a `> /dev/null` after the `sudo tee /etc/apt/keyrings/rspamd.gpg`. Forgot this in my original example and only noticed it when I got a lot of noise when dearmoring the key.
vstakhov commented
That is now fixed, thank you!