Open sgnn7 opened 8 years ago
Thank you, we appreciate your feedback @sgnn7. Will bring this feedback to our release team.
Double checking, this issue is in our backlog already. You can track https://clusterhq.atlassian.net/browse/IDEA-5 for updates in the future.
Uh, well, since it's over TLS / HTTPS, traffic can't be intercepted. But yeah, preventing the scary apt warnings is a good idea.
@magcius Without signing:
Edited with some links
This is problematic indeed. I tried signing into your Atlassian thingy and the issue IDEA-5 is not accessible. Are you committed to publishing signed packages?
The packages are still not signed. I tried to install flocker on Ubuntu 16.04 and got:
```
# apt-get update
...
W: The repository 'https://clusterhq-archive.s3.amazonaws.com/ubuntu/16.04/amd64 Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
# apt-get install clusterhq-flocker-cli
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  clusterhq-python-flocker libpython2.7-minimal libpython2.7-stdlib python2.7
  python2.7-minimal
Suggested packages:
  python2.7-doc binutils binfmt-support
The following NEW packages will be installed:
  clusterhq-flocker-cli clusterhq-python-flocker libpython2.7-minimal
  libpython2.7-stdlib python2.7 python2.7-minimal
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 49.0 MB of archives.
After this operation, 188 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
WARNING: The following packages cannot be authenticated!
  clusterhq-python-flocker clusterhq-flocker-cli
Install these packages without verification? [y/N]
...
```
Still not fixed.
```
Reading package lists... Done
W: The repository 'https://clusterhq-archive.s3.amazonaws.com/ubuntu/16.04/amd64 Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
```
@andreycizov ClusterHQ, the maintainer of this repository, has shut down. However, a group of the original developers is available for paid support and feature development. Check out https://www.scatterhq.com.
Without a signed apt repo, it's impossible to know if the deb packages from https://clusterhq-archive.s3.amazonaws.com/ubuntu/ came from ClusterHQ or someone maliciously intercepted and/or modified them.
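A build-gate check for the warnings quoted in this thread, as an added example that is not part of the original issue or of Flocker's code: it scans captured `apt-get` output for repositories reported as unsigned and for packages apt could not authenticate, and returns non-zero if it finds either. The function names are hypothetical, and the embedded log is a constructed sample abridged from the output quoted above.

```sh
#!/bin/sh
# Added example (hypothetical function names): gate a build on apt authentication.

# Constructed sample: abridged from the apt output quoted in this thread.
sample_log() {
    cat <<'EOF'
W: The repository 'https://clusterhq-archive.s3.amazonaws.com/ubuntu/16.04/amd64 Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
Reading package lists... Done
WARNING: The following packages cannot be authenticated!
  clusterhq-python-flocker clusterhq-flocker-cli
Install these packages without verification? [y/N]
EOF
}

# Print each repository URL that apt reported as unsigned (stdin: apt output).
# Newer apt releases raise this as "E:" instead of "W:", so accept both.
unsigned_repos() {
    awk -F"'" '/^[WE]: The repository .* is not signed\.$/ {
        split($2, part, " "); print part[1]
    }' | sort -u
}

# Print each package named under the "cannot be authenticated" warning.
# apt indents the package list; the first unindented line ends it.
unauthenticated_pkgs() {
    awk '
        /^WARNING: The following packages cannot be authenticated!/ { grab = 1; next }
        grab && /^[ \t]+[^ \t]/ { for (i = 1; i <= NF; i++) print $i; next }
        { grab = 0 }
    '
}

# Report findings and return non-zero if apt could not authenticate anything.
audit_apt_log() {
    log=$(cat)
    repos=$(printf '%s\n' "$log" | unsigned_repos)
    pkgs=$(printf '%s\n' "$log" | unauthenticated_pkgs)
    if [ -z "$repos" ] && [ -z "$pkgs" ]; then
        return 0
    fi
    # Word splitting is intended: one printf line per URL or package name.
    [ -z "$repos" ] || printf 'unsigned repository: %s\n' $repos
    [ -z "$pkgs" ] || printf 'unauthenticated package: %s\n' $pkgs
    return 1
}

sample_log | audit_apt_log || echo "apt could not authenticate everything it fetched"
```

In a pipeline, feed it the real output, for example `apt-get update 2>&1 | audit_apt_log`, and let the non-zero status stop the job before any install step runs.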