inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices, PacketFence can be used to effectively secure small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

Update Debian apt install process to use a repository specific key and avoid deprecated apt-key add function #7459

Open ianbmacdonald opened 1 year ago

ianbmacdonald commented 1 year ago

Related to the Debian 11 installation process, we noticed the installation instructions use the deprecated apt-key add function. For additional security, to prevent keys from one source being used to sign packages coming from another, the new apt method directs users to only use third-party keys with their specific apt sources, rather than put them into the global keystore.

Instead of these steps, described in the current installation process,

wget -q -O - https://inverse.ca/downloads/GPG_PUBLIC_KEY | sudo apt-key add -
echo 'deb http://inverse.ca/downloads/PacketFence/debian/12.1 bullseye bullseye' > \
/etc/apt/sources.list.d/packetfence.list

We opted to use these more secure equivalents, which will avoid deprecation warnings and possibly a bit of work if trusted.gpg no longer works for apt sources at some point in the future.

wget -q -O - https://inverse.ca/downloads/GPG_PUBLIC_KEY | gpg --dearmor -o /usr/share/keyrings/packetfence.gpg
echo 'deb [signed-by=/usr/share/keyrings/packetfence.gpg] http://inverse.ca/downloads/PacketFence/debian/12.1 bullseye bullseye' > /etc/apt/sources.list.d/packetfence.list

Might be worth changing to the updated method sooner rather than later, and/or even considering the key move as part of the update scripts to avoid issues if/when the deprecation actually occurs.

Rather than open a new ticket: in section 4.3 there is also a small typo. The first sentence contains the word 'fo' rather than 'for'.

PacketFence provides packages repository for RHEL 8 as well as packages repository fo Debian.

ianbmacdonald commented 1 year ago

Adding another small update to this doc update ticket

Section 30.3.2 of the installation guide provides an import command example that includes "-f", an option that is no longer required by the script and, when included, results in an error message suggesting the file format is not correct.

/usr/local/pf/addons/full-import/import.sh -f /tmp/export.tgz

ianbmacdonald commented 1 year ago

I suppose it is not as simple as changing to the more specific key reference, since the upgrade script still uses globally trusted keys if packetfence.list is updated to use a repository-specific key.

A simple fix for me, but the upgrade script would have to handle this as well.

The latest stable PacketFence version is 12.1, enter 'y' to upgrade to this version or 'n' to specify the version manually (y/n): y
Hit:1 http://deb.debian.org/debian bullseye InRelease
Hit:2 http://security.debian.org bullseye-security InRelease
Get:3 http://inverse.ca/downloads/PacketFence/debian/12.1 bullseye InRelease [4,527 B]
Err:3 http://inverse.ca/downloads/PacketFence/debian/12.1 bullseye InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY CB2D3A2AA0030E2C
Reading package lists... Done
W: GPG error: http://inverse.ca/downloads/PacketFence/debian/12.1 bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY CB2D3A2AA0030E2C
E: The repository 'http://inverse.ca/downloads/PacketFence/debian/12.1 bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
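The migration described in the first comment, together with a check for the NO_PUBKEY failure shown in the upgrade log above, as an added example (this is not code from the PacketFence project or from the issue author). It assumes the key URL, keyring path, sources file and repository line from the issue, and treats the key ID apt reported as NO_PUBKEY in the log as the expected signing key. add_signed_by rewrites a sources line into the signed-by form and is pure text processing; migrate and keyring_has_key need wget, gpg and sudo, and only run when the script is invoked with --apply.

```shell
#!/bin/sh
# Added example, not PacketFence project code. Moves the PacketFence apt
# repository from the global apt-key trust store (trusted.gpg) to a
# repository-specific keyring referenced via [signed-by=...].
# Assumptions: the URL, keyring path, sources file and repo line below are
# taken from the issue text; KEY_ID is the key apt reported as NO_PUBKEY in
# the upgrade log, which is the key the InRelease file is signed with.
set -eu

KEY_URL="https://inverse.ca/downloads/GPG_PUBLIC_KEY"
KEYRING="/usr/share/keyrings/packetfence.gpg"
LIST="/etc/apt/sources.list.d/packetfence.list"
REPO_LINE="deb http://inverse.ca/downloads/PacketFence/debian/12.1 bullseye bullseye"
KEY_ID="CB2D3A2AA0030E2C"

# add_signed_by LINE KEYRING: print LINE with [signed-by=KEYRING] added.
# A line that already names a keyring is returned unchanged; a line with an
# existing option list (e.g. [arch=amd64]) gets signed-by appended inside it;
# anything that is not a deb/deb-src line (comments, blanks) passes through.
add_signed_by() {
    line="$1"; keyring="$2"
    case "$line" in
        *signed-by=*)
            printf '%s\n' "$line" ;;
        "deb ["*|"deb-src ["*)
            printf '%s\n' "$line" | sed "s#]# signed-by=${keyring}]#" ;;
        deb\ *|deb-src\ *)
            printf '%s\n' "$line" | sed "s#^\(deb[-a-z]*\) #\1 [signed-by=${keyring}] #" ;;
        *)
            printf '%s\n' "$line" ;;
    esac
}

# keyring_has_key KEYRING KEYID: succeed if the dearmored keyring contains
# KEYID, i.e. apt will be able to verify an InRelease signed by that key.
keyring_has_key() {
    gpg --no-default-keyring --keyring "$1" --list-keys "$2" >/dev/null 2>&1
}

# migrate: fetch the key into its own keyring, write the sources entry with
# signed-by, verify the expected signing key is present, then refresh apt.
migrate() {
    wget -q -O - "$KEY_URL" | gpg --dearmor | sudo tee "$KEYRING" >/dev/null
    add_signed_by "$REPO_LINE" "$KEYRING" | sudo tee "$LIST" >/dev/null
    if ! keyring_has_key "$KEYRING" "$KEY_ID"; then
        echo "keyring $KEYRING does not contain $KEY_ID; apt would fail with NO_PUBKEY" >&2
        return 1
    fi
    # Remove the globally trusted copy so the key can no longer vouch for other
    # sources. Note from the log above: the upgrade script still relies on the
    # global store, so it will fail with NO_PUBKEY until it is updated as well.
    sudo apt-key del "$KEY_ID" >/dev/null 2>&1 || true
    sudo apt-get update
}

if [ "${1:-}" = "--apply" ]; then
    migrate
fi
```

The keyring_has_key check is the useful part for the upgrade-script problem: run it against whatever keyring the script's sources entry points at (or against /etc/apt/trusted.gpg while the global store is still used) before apt-get update, and the NO_PUBKEY error from the log becomes a clear pre-flight failure rather than a disabled repository.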