Closed sj26 closed 2 years ago
userappgate
commented
3 years ago This has the benefit over running curl ... | apt-key add - because the ADD command will check to make sure the gpg file is current when repeating docker builds, and so will not get stale or require manual expiry.
But it has the problem that if they get hacked you just automatically add an hacked key, making signing completely useless.
sj26
commented
3 years ago But it has the problem that if they get hacked you just automatically add an hacked key, making signing completely useless.
This is true, but I'm trusting my TLS CA store to make sure the file I'm downloading comes from a trusted origin at least. And at worst I'm giving the hackers more opportunities to mitm the origin, not creating a new vulnerability. If they can poison TLS then I've probably got bigger problems. 😅
userappgate
commented
3 years ago If they can change the files on the repository, they can also change the key, hosted on the same place.
Downloading the key once makes sure that you are only exposed if you happen to download it after they have been hacked, but secures you to that in other cases.
What you do doesn't secure you.
Of course if the yarn people had any clue of what they were doing, the repository would include a keyring that they should use to upgrade the key, without asking people to continuously add new keys.
axel3rd
commented
2 years ago This file contains carriage -> sed -i 's/\r//' /etc/apt/trusted.gpg.d/yarn.asc
2h lost to not understand why https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add - works and not sudo curl https://dl.yarnpkg.com/debian/pubkey.gpg -o /etc/apt/trusted.gpg.d/yarn.asc
@sj26 Many thanks 😗.
With Ubuntu 22.04 which "explicitly" depreciate the usage of apt-key (warning message), this carriage returns problem could grow up 😢.
Daniel15
commented
2 years ago I'll look into this.
Daniel15
commented
2 years ago This should be fixed by https://github.com/yarnpkg/releases/commit/39f80bd182c4e3e15afbf5741d5de8167813811d. Let me know if you still have issues with it.
axel3rd
commented
2 years ago This should be fixed by https://github.com/yarnpkg/releases/commit/39f80bd182c4e3e15afbf5741d5de8167813811d. Let me know if you still have issues with it.
LGTM, tested and works now like a charm (no more sed need 🤪)
entin-hun
commented
6 days ago The official Installation guide should be updated, as it still contains sudo apt-key add - , which returns:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
This is the up-to-date and working guide: (kudos to the author)
This file contains carriage returns as well as newlines, but is intended for use on Linux systems where only newlines are expected:
https://dl.yarnpkg.com/debian/pubkey.gpg
A nice way to prime a debian/ubuntu system with apt trusted gpg keys is to place them in a trusted location, for example with this Dockerfile:
This has the benefit over running
curl ... | apt-key add -because theADDcommand will check to make sure the gpg file is current when repeating docker builds, and so will not get stale or require manual expiry.But at the moment Debian fails to use this key file because it contains carriage returns. Deep in the bowls of apt it is using awk to preprocess these files, and awk does not understand carriage returns, and so the whole file is skipped. So trying to use the repository currently fails:
My current workaround is to use sed to remove the carriage returns before use:
I can't see Debian making this change upstream. But it would be simple to remove the carriage returns from the source file to avoid this pain.
Could you please update the file at https://dl.yarnpkg.com/debian/pubkey.gpg to remove the carriage returns?