signalwire / freeswitch

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a versatile software implementation that runs on any commodity hardware. From a Raspberry PI to a multi-core server, FreeSWITCH can unlock the telecommunications potential of any device.
https://freeswitch.com/#getting-started

Insecure / Unsigned Repository #1212

Open dev-bio opened 3 years ago

dev-bio commented 3 years ago

Describe the bug

The repository is unsigned and the installation guide demonstrated the usage of apt-key which is unconditionally trusted by the system. Judging from old closed issues this may have been a problem for years? Building from source apparently requires the same unsigned packages as well.

Maybe I'm missing something significant here??

To reproduce

Steps to reproduce the behavior:

curl "https://files.freeswitch.org/repo/deb/debian-release/fsstretch-archive-keyring.gpg" \
| gpg --dearmor | tee "/usr/share/keyrings/fsstretch-archive-keyring.gpg"
apt-add-repository "https://files.freeswitch.org/repo/deb/freeswitch-1.8"
apt-get update && apt-get install -y freeswitch-all

Using details provided here.

Expected behavior

The following signatures couldn't be verified because the public key is not available: NO_PUBKEY

Package version

Trace logs

DNA

Backtrace

DNA
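An added example (not part of the issue or of FreeSWITCH's documentation): a shell function that classifies one-line APT source entries by how their signatures are checked. An entry with no `signed-by` option is verified against the global trusted keyrings, which is where `apt-key` stores keys, so any key held there is accepted for it. The suite and component names and the `example.org` hosts in the sample are constructed.

```shell
#!/bin/sh
# Classify one-line-style APT source entries read on stdin (space-separated).
#   UNVERIFIED  trusted=yes: signature checks are skipped for this entry
#   GLOBAL      no signed-by: any key in the global trusted keyrings
#               (where apt-key stores keys) is accepted for this entry
#   PINNED      signed-by: only the named keyring is accepted
audit_sources() {
    while IFS= read -r line; do
        line=${line%%#*}                      # drop comments
        line=${line#"${line%%[! ]*}"}         # drop leading spaces
        case "$line" in
            deb\ *|deb-src\ *) ;;
            *) continue ;;                    # blank or not a source entry
        esac
        rest=${line#* }                       # text after the entry type
        opts=""
        case "$rest" in
            \[*\]*)                           # "[opt=val opt=val] uri ..."
                opts=${rest%%\]*}
                opts=${opts#\[}
                rest=${rest#*\] }
                ;;
        esac
        uri=${rest%% *}
        case " $opts " in
            *" trusted=yes "*) verdict=UNVERIFIED ;;
            *" signed-by="*)   verdict=PINNED ;;
            *)                 verdict=GLOBAL ;;
        esac
        printf '%s %s\n' "$verdict" "$uri"
    done
}

# Constructed sample input; suite/component names and example.org hosts are
# made up. The files.freeswitch.org URL and keyring path are from the issue.
sample_sources() {
    cat <<'EOF'
# constructed sample, not read from a real system
deb https://files.freeswitch.org/repo/deb/freeswitch-1.8 stretch main
deb [signed-by=/usr/share/keyrings/fsstretch-archive-keyring.gpg] https://files.freeswitch.org/repo/deb/freeswitch-1.8 stretch main
deb [arch=amd64 trusted=yes] https://mirror.example.org/debian stretch main
deb-src http://deb.example.org/debian stretch main
EOF
}

sample_sources | audit_sources
```

On a real host the input would be `/etc/apt/sources.list` and the `.list` files under `/etc/apt/sources.list.d/`; deb822 `.sources` files use a different format and are not parsed here.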

dev-bio commented 3 years ago

Worked my way around using those packages, hopefully this can be resolved.