  1. Dev - Nexus Repo
  2. NEXUS-25641

Allow unsigned apt repositories

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.0.0
    • Fix Version/s: None
    • Component/s: APT
    • Labels: None

      Description

      Sometimes it's useful to limit access to a Debian repository via an SSH tunnel or other technique. In these cases, the gpg signing of the apt repo is unnecessary and in some ways reduces security. Adding an apt key means the computer will trust that gpg key for any sources. This means a compromised gpg key does not necessarily only affect the security of one apt source on a given system.

      I can't find a way to make apt ignore the gpg key, even though I can trivially make apt accept an unsigned repo. As far as I can tell the only solution without changes somewhere is to carefully manage a gpg private key I don't even really want to have in the first place.

            People

            Assignee:
            Unassigned
            Reporter:
            w.stott Will
            Last Updated By:
            Joe Tom
            Votes:
            1
            Watchers:
            1
