  1. Dev - Nexus Repo
  2. NEXUS-25641

Allow unsigned apt repositories

Details

    • Improvement
    • Resolution: Unresolved
    • Major
    • None
    • 3.0.0
    • APT
    • None

    Description

      Sometimes it's useful to limit access to a Debian repository via an ssh tunnel or other technique. In these cases the gpg signing of the apt repo is unnecessary and in some ways reduces security. Adding an apt key means the computer will trust that gpg key for any sources. This means a compromised gpg key does not necessarily only affect the security of one apt source on a given system.

      I can't find a way to make apt ignore the gpg key, even though I can trivially make apt accept an unsigned repo. As far as I can tell the only solution without changes somewhere is to carefully manage a gpg private key I don't even really want to have in the first place.

          People

            Unassigned Unassigned
            w.stott Will
            Joe Tom Joe Tom
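As an added illustration (not part of the original issue, and not Nexus or apt code): a small audit of one-line-style `sources.list` entries that reports, per source, whether apt accepts it unsigned (`trusted=yes`), verifies it against one dedicated keyring (`signed-by=`), or falls back to the global keyring, which is the shared-trust case the description raises. The sample entries, hostnames and keyring path are constructed.

```python
import re

# Constructed sample sources.list content; hosts and the keyring path are placeholders.
SAMPLE_SOURCES = """\
# internal repo reached over an SSH tunnel, served unsigned
deb [trusted=yes] http://localhost:8081/repository/apt-internal stable main
# Release file must verify against one dedicated keyring
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive.gpg] https://apt.example.com/debian stable main
# no signed-by: any key in the global apt keyring may sign for this source
deb http://deb.debian.org/debian bookworm main
"""

# One-line-style entry: type, optional [options], URI, suite.
ENTRY = re.compile(
    r"^deb(?:-src)?\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)"
)


def classify(line):
    """Return (uri, trust_scope) for an entry, or None for comments and blank lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    opts = dict(
        o.split("=", 1) for o in (m.group("opts") or "").split() if "=" in o
    )
    if opts.get("trusted", "").lower() == "yes":
        # Signature checks are skipped for this source.
        scope = "unsigned-accepted"
    elif "signed-by" in opts:
        # Only the named keyring can authenticate this source.
        scope = "scoped:" + opts["signed-by"]
    else:
        # Every key in the global apt keyring is accepted for this source.
        scope = "global-keyring"
    return m.group("uri"), scope


def audit(text):
    """Classify every entry in a sources.list-style text."""
    return [r for r in map(classify, text.splitlines()) if r]


if __name__ == "__main__":
    for uri, scope in audit(SAMPLE_SOURCES):
        print(f"{scope:50} {uri}")
```

Sources reported as `global-keyring` are the ones exposed to a compromise of any globally trusted key; `unsigned-accepted` sources depend entirely on the transport for integrity.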